Hi There,
We recently deployed a new AV (System Center Endpoint Protection) and have started to receive notifications of infections detected in the following location, "c:\users\%username%\appdata\roaming\evvc\", for multiple users across the desktop estate.
Example:
=======================================================================================
Malware Name: Ransom:HTML/Tescrypt.A
Number of infections: 1
Last detection time(UTC time): 8/3/2015 7:27:30 PM
These are the infections of this malware:
1. Computer name: computername.your.domain
Domain: YOUR.DOMAIN
Detection time(UTC time): 8/3/2015 7:27:30 PM Malware file path: file:_C:\Users\%username%\AppData\Roaming\evvc\EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt
=======================================================================================
The company has a history of a Cryptowall outbreak in the past, and the origin was an email attachment, so I believe that there might be some historical emails archived and placed in Enterprise Vault.
I am wondering if someone would be able to explain to me how I could search for the offending email so that I could remove it from the mailbox items.
I believe that there should be a way to search for the GUID (ID?) which is in the detection report: EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt
So would you kindly help me with this one?
Many thanks.
System setup:
OS: Windows 7 x64
Office: Office 2010 32bit
Add-in: Enterprise Vault v:9.0.9377
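Added example (not from the poster or from Symantec/Microsoft): a small parser for the SCEP notification layout quoted above. It strips the `file:_` prefix SCEP puts in front of the path, keeps only detections under `AppData\Roaming\evvc\`, and splits the cached item's file name on `_` so the fragments can be tried as search terms. The sample report is constructed to mirror the post (the second entry is made up to show filtering); what the fragments of the file name mean inside Enterprise Vault is not known from the report, so treating them as search candidates is an assumption.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List

# Constructed sample in the same layout as the SCEP notification in the post.
# Entry 2 is invented to show a detection outside the Vault Cache folder.
SAMPLE_REPORT = r"""Malware Name: Ransom:HTML/Tescrypt.A
Number of infections: 2
Last detection time(UTC time): 8/3/2015 7:27:30 PM
These are the infections of this malware:
1. Computer name: computername.your.domain
Domain: YOUR.DOMAIN
Detection time(UTC time): 8/3/2015 7:27:30 PM Malware file path: file:_C:\Users\%username%\AppData\Roaming\evvc\EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt
2. Computer name: otherpc.your.domain
Domain: YOUR.DOMAIN
Detection time(UTC time): 8/4/2015 9:01:12 AM Malware file path: file:_C:\Users\%username%\Downloads\invoice.zip
"""


@dataclass
class Detection:
    malware: str
    computer: str
    domain: str
    detected_utc: str
    path: str  # Windows path with the SCEP "file:_" prefix removed


HEADER_RE = re.compile(r"^Malware Name:\s*(?P<name>.+?)\s*$", re.MULTILINE)

# One numbered entry. "Detection time" and "Malware file path" may sit on the
# same line (as in the post) or on two lines; \s+ between them covers both.
ENTRY_RE = re.compile(
    r"^\s*\d+\.\s*Computer name:\s*(?P<computer>\S+)\s*$\n"
    r"^\s*Domain:\s*(?P<domain>\S+)\s*$\n"
    r"^\s*Detection time\(UTC time\):\s*(?P<time>.+?)\s+"
    r"Malware file path:\s*(?P<path>.+?)\s*$",
    re.MULTILINE,
)


def strip_file_prefix(path: str) -> str:
    """SCEP reports paths as 'file:_C:\\...'; return the bare Windows path."""
    if path.lower().startswith("file:_"):
        return path[len("file:_"):]
    return path


def parse_scep_report(text: str) -> List[Detection]:
    """Turn one SCEP malware notification into a list of Detection records."""
    header = HEADER_RE.search(text)
    malware = header.group("name") if header else "<unknown>"
    return [
        Detection(
            malware=malware,
            computer=m.group("computer"),
            domain=m.group("domain"),
            detected_utc=m.group("time"),
            path=strip_file_prefix(m.group("path")),
        )
        for m in ENTRY_RE.finditer(text)
    ]


def in_vault_cache(path: str) -> bool:
    """True if the path contains ...\\AppData\\Roaming\\evvc\\... (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    needle = ["appdata", "roaming", "evvc"]
    return any(parts[i:i + 3] == needle for i in range(len(parts) - 2))


def filename_tokens(path: str) -> List[str]:
    """Split the cached item's file stem on '_' into candidate search terms.
    Assumption: the fragments are worth trying in an archive search; their
    meaning inside Enterprise Vault is not documented in the report."""
    return PureWindowsPath(path).stem.split("_")


def vault_cache_hits(text: str) -> List[Detection]:
    """Only the detections that live in the per-user evvc folder."""
    return [d for d in parse_scep_report(text) if in_vault_cache(d.path)]


if __name__ == "__main__":
    for d in vault_cache_hits(SAMPLE_REPORT):
        print(d.computer, d.detected_utc, d.malware)
        print("  file  :", PureWindowsPath(d.path).name)
        print("  tokens:", filename_tokens(d.path))
```

Paste each SCEP notification into `SAMPLE_REPORT` (or read it from a file) and the script prints, per machine, the evvc file name and its fragments; those can then be tried as search terms against the archive, and the list of affected computers gives the set of users whose mailboxes to check.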