Sage 100


General question regarding viruses and how they af

Wayne Schulz 04-07-2014 08:36

Amber Prayfrock 04-08-2014 08:37

  • 1.  General question regarding viruses and how they af

    Posted 04-07-2014 08:30
    General question regarding viruses and how they affect Sage files. Has anyone heard of the virus called "Crypto Locker"? A client got hit with that over the weekend and it's possible that their entire MAS90 directory got encrypted, and we don't have a good full restore. IT is trying to push for them to go from Standard to Premium to reduce the risk of files getting infected. If the only files we have shared are the program files and the data resides in SQL tables instead, all we would have to restore are the program files in the event of an emergency, correct?


  • 2.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 08:36
    http://en.wikipedia.org/wiki/CryptoLocker


  • 3.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 08:39
    I would shy away from becoming the IT department for the customer. I've been in these situations and where there is a data loss many times it's an IT issue and they're looking for someone to offload responsibility to. Mark Chinsky offers a great solution which makes these type of problems disappear @MarkChinsky . Also whatever answer you provide is likely to be interpreted overly broadly and you're providing Sage consulting not disaster recovery advice. Yet as soon as you give them even a casual opinion you become their disaster recovery consultant (totally unpaid). .02


  • 4.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 08:40
    I had a client get infected with this recently and we determined they had no antivirus on the workstations. So, that is the first order of business. We only experienced .doc and .txt file encryption, so confirm that before panicking. I'd try moving one company to your server and, if the data is OK, reinstall Sage 100.


  • 5.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 08:42
    I suspect that @MarkChinsky will chime in here. It's not clear that MSSQL files are excluded (I'd love to know!). But even if they are, it's not a sure bet that they won't be targeted in the future. A solid backup regimen is a better approach, one that will let you easily restore from a point a day or more in the past, recognizing that you don't want to restore backed-up files that are also infected.


  • 6.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 08:44
    And @WayneSchulz is completely correct. This is not your problem, and you will lose if you let them make it yours.


  • 7.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 09:08
    Side Note: Not all the data resides as SQL tables. This is particularly true with the pvx system files under \mas90\MAS_SYSTEM folder on the App Server.


  • 8.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 09:14
    That's true...I forgot about the LM files. I told them we had to keep an eye on custom forms and reports, but forgot about users/roles/etc.


  • 9.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 09:17
    I wrote a blog on this baby here: http://www.clientsfirst-us.com/blog/partners-perspective/urgent-cryptolocker-security-threat-possibly-worst-malware-ever/ SQL should be safe. Cryptolocker runs on the workstation and encrypts document-type files that it can get to. This includes local files and anything that HAS A MAPPED DRIVE. UNCs are safe...for now... If for some stupid reason the client has a mapped drive that can get direct access to the MDF SQL files and they don't happen to be in use, then yes, you are screwed. It can't do anything to files that are in use either.

    It's critical that you have a backup or Disaster Recovery solution that backs up 'point in time'. I.e., Cryptolocker hit at 11am, you restore all the files from 10am (assuming you have a system like www.eversafe-backup.com that can take very frequent backups). Some cheapo systems like Carbonite back the files up as they are changed, so they are very nice about sending all your newly encrypted files to the cloud, overwriting your good versions. Many of these online cloud backup services are NOT designed to let you restore every file from a point in time, as they are backing them up as they change without a 'trigger point'.

    Cryptolocker and its derivatives are detected about 75% of the time with current AV software, but it's a moving target. There is just too much money to be made in this type of virus for it to not continue to be a problem for a LONG time.

    Here are the file extensions currently affected: 3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
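
A defender-side triage script, added here as an example (it is not from the thread, from Sage, or from any backup vendor named above): it walks a directory tree, picks out files whose extensions are on the list quoted above, and flags as "suspect" those whose header no longer matches the format, or, where the format has no fixed header, whose bytes look like ciphertext. The extension subset, the magic numbers and the sample files are assumptions constructed for the demo; run `triage()` against a copy of the share, never the live one, to scope a restore.

```python
import math
import os
import tempfile
from collections import Counter

# Subset of the extension list quoted in the post above (trimmed to keep the demo short).
TARGETED_EXT = {"doc", "docx", "xls", "xlsx", "jpg", "dbf", "mdf", "pst", "pfx", "rtf"}
# Leading bytes of formats we can recognise (well-known magic numbers, assumed, not from the post).
MAGIC = {"docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
         "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",
         "jpg": b"\xff\xd8\xff", "rtf": b"{\\rtf"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, text and office files well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, ext: str, threshold: float = 7.5) -> str:
    """'intact' if the header matches the format, or (no known header) entropy is low."""
    with open(path, "rb") as f:
        head = f.read(4096)
    magic = MAGIC.get(ext)
    if magic is not None:
        return "intact" if head.startswith(magic) else "suspect"
    return "suspect" if shannon_entropy(head) > threshold else "intact"

def triage(root: str) -> dict:
    """Walk a share (e.g. a copy of the MAS90 folder) and bucket targeted files."""
    found = {"intact": [], "suspect": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in TARGETED_EXT:
                path = os.path.join(dirpath, name)
                found[classify_file(path, ext)].append(os.path.relpath(path, root))
    return found

def demo() -> dict:
    """Constructed sample tree: one good .docx, one overwritten .docx, one good and one bad .dbf."""
    ciphertext_like = bytes(range(256)) * 16          # uniform bytes: entropy exactly 8.0
    samples = {"Report.docx": b"PK\x03\x04" + b"word/document.xml" * 50,
               "Invoice.docx": ciphertext_like,        # header gone, content scrambled
               "AR_Customer.dbf": b"customer record  " * 200,
               "GL_Account.dbf": ciphertext_like,
               "readme.txt": b"not on the target list"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        return triage(root)
```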


  • 10.  RE: General question regarding viruses and how they af

    Posted 04-07-2014 09:23
    Thank you so much Mark, and everyone, for their input. This is enough to go back to the client regarding a change to Premium, I think.


  • 11.  RE: General question regarding viruses and how they af

    Posted 04-08-2014 08:26
    When clients get caught by the Crypto (Bit) Locker malware, it is not a good idea for them to pay the "ransom", as there is no guarantee that they will get their data back and they will probably be repeat victims in the future. The only thing they can do is either clean their system with malware removers, or format the drive and reinstall the operating system (better), and then restore data from backup. The backups should be at least three days old, as the malware installs itself over a two-day period so that it encrypts the data completely and then suddenly appears.


  • 12.  RE: General question regarding viruses and how they af

    Posted 04-08-2014 08:37
    Great suggestions, Jon. Thanks!


  • 13.  RE: General question regarding viruses and how they af

    Posted 04-08-2014 13:34
    I'm dealing with a client that got hit with this last Friday. The virus did attack some of the Sage 100 program files - we're getting numerous error 15 / sy_gridhandler errors. They have since found their backup system has not been working since October (see my eyes rolling). Right now their IT consultant is leaning toward recommending they pay the ransom. I appreciate the feedback here.


  • 14.  RE: General question regarding viruses and how they af

    Posted 04-08-2014 13:59
    Few things...
    1) If it just attacked the program files, why not just reinstall??
    2) Paying the ransom only works about half the time, because the decrypt servers are often down or are being blocked by ISPs, even though they've taken your payment already.
    3) Do NOT remove the virus unless they are sure they aren't going to pay. When the virus hits, it generates a random 448-bit Blowfish encryption key. If you remove the infection, even if you purposely re-infect, the key will be different and all hope of decrypting will be gone.
    Not being a wiener, but once this is all settled, let's talk about our www.eversafe.com system. Its nightly boot-up of the virtual clone of the live server guarantees them that they have a GOOD backup every day. This peace of mind is priceless.


  • 15.  RE: General question regarding viruses and how they af

    Posted 04-08-2014 15:02
    First I need to clarify - we don't do IT (network/hardware in my mind) consulting - I'm just handling their Sage product. I'm dealing with an outside IT consultant. We talked early this morning about reinstalling and manually bringing in the company data because I don't want to do a migration. At that point I didn't know if any of the data files were corrupted or not. I knew the errors seemed to be pointing to issues with system files, but couldn't say for sure whether or not data files were affected. There are a lot of them out there with the same date and time as the infected system files which to me seemed to indicate they were corrupted, but I said the only way we would know for sure is to try it. It wasn't until this afternoon that I saw your post on which files are affected. I think the IT consultant is interested in paying the ransom because he's trying to minimize his losses. I'm sure he's thinking he's going to eat all of this because the fact that they don't have a backup since October falls entirely on his company. I passed along both your comments and Jon Parkinson's comments as soon as I saw them and left a message for him as well. I'm waiting for him to call back to find out what he has already done. I would never think you're a wiener. I'm happy to talk with you about the eversafe.com system. However, we try to stay out of the backup game and prefer to leave that to the IT consultants.