User Group Security & Compliance Deutschland


AC and HI Policy to help with Ransomware 

Apr 15, 2016 10:48 AM

Hi all, 

Please find attached a set of policies created by SEs and BCS to help with ransomware. It is not a protective policy, but it helps detect this kind of malware. 

Just for the sake of good order: this is not an officially supported policy, and its use is at your own risk. 

So please test it extensively before taking it into production. 

 

Feedback very welcome.

 

Sven

Attachment: Symantec ADC + HI Policy - Ransomware.zip (zip file, 15 KB, 1 version, uploaded Feb 25, 2020)

Comments

May 02, 2016 09:34 AM

Nice work! :)

Happy to see my idea used and polished!

May 02, 2016 06:34 AM

Hi Viktor,

Thanks for the article and the different ways ADC can be used to stop this kind of malware.
We have created a policy to add a kind of MS Office hardening.
The policy will protect Word, Excel and PowerPoint documents from being changed by any process, with the exception of the assigned MS Office programs and explorer.exe. This is necessary to allow a user to rename, delete or move a file. We also added the pdf extension to the protected file extensions, because you can create a pdf document out of MS Office. All files are read-only for every other process, to allow your backup solution on the client or server to read the file.

We also added msiexec to the allowed processes, to reflect the point that some software installs handbooks as a pdf (Adobe Acrobat Reader).

The policy for MS Office also excludes %program files% and %program files(x86)%.
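To make the allow-list logic in that comment concrete, here is an added Python emulation of the decision the described policy makes for each file event. It is not the attached policy and not Symantec code; the protected extensions, the process image names (winword.exe, excel.exe, powerpnt.exe, explorer.exe, msiexec.exe) and the expanded Program Files paths are assumptions, as is the constructed event sample.

```python
import ntpath  # Windows path semantics, works on any host OS

# Assumed extensions for the Word/Excel/PowerPoint/pdf files the comment protects.
PROTECTED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# Assumed image names of the exempted processes (Office apps, explorer.exe, msiexec).
ALLOWED_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "explorer.exe", "msiexec.exe"}

# Assumed expansion of %program files% / %program files(x86)% on a default install.
EXCLUDED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def evaluate(process_path: str, file_path: str, operation: str) -> str:
    """Return 'allow' or 'block' for one file operation under the emulated policy.

    Any operation other than 'read' (write, rename, delete, move, create) is
    treated as a modification, because rename/move is exactly what the
    explorer.exe exception in the comment is there to permit.
    """
    proc = ntpath.basename(process_path).lower()   # image name only
    path = file_path.lower()
    if operation.lower() == "read":
        return "allow"                             # backup agents must still read
    if path.startswith(EXCLUDED_PREFIXES):
        return "allow"                             # program-files trees are excluded
    if ntpath.splitext(path)[1] not in PROTECTED_EXTENSIONS:
        return "allow"                             # not a protected document type
    if proc in ALLOWED_PROCESSES:
        return "allow"                             # exempted process
    return "block"                                 # everyone else is read-only


def blocked_events(events):
    """Filter a list of (process, file, operation) tuples to those the policy blocks."""
    return [e for e in events if evaluate(*e) == "block"]


# Constructed sample of file events, not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Users\bob\Documents\report.docx", "write"),
    (r"C:\Windows\explorer.exe", r"C:\Users\bob\Documents\report.docx", "rename"),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Adobe\Reader\manual.pdf", "create"),
    (r"C:\backup\agent.exe", r"C:\Users\bob\Documents\budget.xlsx", "read"),
    (r"C:\Users\bob\AppData\Local\Temp\abc.exe", r"C:\Users\bob\Documents\budget.xlsx", "write"),
    (r"C:\Users\bob\AppData\Local\Temp\abc.exe", r"C:\Users\bob\Documents\notes.txt", "write"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(*ev), ev)
```

Only the Temp-folder process writing budget.xlsx is blocked; the same process writing notes.txt passes, which shows that the policy's coverage is only as wide as the protected extension list.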

 

Apr 18, 2016 02:37 PM

Hi Sven,

https://www-secure.symantec.com/connect/articles/how-harden-cryptolocker-file-encoding-attempts-sepm-application-control

https://www-secure.symantec.com/connect/articles/strengthening-anti-virus-security-prevent-ransom-ware-derivative-trojancryptolocker-family-

https://www-secure.symantec.com/connect/articles/detecting-cryptolocker-activity-symantec-endpoint-protection

 

 

Apr 18, 2016 01:45 PM

Hi Viktor, 

tks for this info, can you kindly give me some more details? 

 

tks 

Sven

Apr 18, 2016 06:52 AM

Hi, Sven

I think the ADC policy ("BLOCK RUNNING OF EXE FILES IN COMMON CRYPTOLOGER PATHES") needs fine tuning.
