Endpoint Protection

Strengthening anti-virus security to prevent ransomware derivative (Trojan.Cryptolocker family, etc.) infections

03-10-2016 05:26 PM

Because of the increasing number of CryptoLocker-like infections and attacks, and the speed at which the malware mutates, enforcing a user application policy on our SEP-managed systems became urgent.

Presently, the only secure way against these new, unknown variants is to disallow any application from running out of user profile directories such as Local and LocalLow, using the Application and Device Control (ADC) feature. While constructing the rules, keep in mind that newer generations of these ransomware families install themselves into many directories besides Local(Low)\Temp. This is a very strict policy, so exceptions are required to preserve the user experience.

These settings can be achieved in SEP Manager → Policies as follows:

[screenshots 1.jpg, 2.jpg, 3.jpg]

In both the block list and the exception list, rules can be written as regular expressions. This lets us put wildcards in any part of the path we supply, which simplifies selecting the allowed and blocked directories.

More about this at:

https://support.symantec.com/en_US/article.HOWTO82512.html

Adding a new block/allow rule:

[screenshot 4.jpg]

After adding the entries, the action to take is specified on the “Actions” tab. We configured blocking, logging and e-mail notification:

[screenshot 5.jpg]

It is important to run the rules in Testing mode first, and to enable Production mode only after the exception lists have been tuned, to prevent undesired behaviour.

[screenshot 6.jpg]

The rules:

Application and Device Control Policy

Block:

C:\\Users\\[^\]*\\appdata\\[^\]*\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\Local\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\LocalLow\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Temp\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\LocalLow\\Temp\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Temp\\[^\]*\\[^\]*\.exe

C:\\Users\\[^\]*\\appdata\\LocalLow\\Temp\\[^\]*\\[^\]*\.exe


Exceptions (example):

C:\\Users\\Administrator\\appdata\\Local\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\LocalLow\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\Local\\Temp\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\LocalLow\\Temp\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\Local\\Temp\\[^\]*\\[^\]*\.exe

C:\\Users\\Administrator\\appdata\\LocalLow\\Temp\\[^\]*\\[^\]*\.exe


More exceptions (example):

C:\\Users\\[^\]*\\appdata\\Local\\Mozilla Firefox\\firefox\.exe 

C:\\Users\\[^\]*\\appdata\\Local\\IE Tab\\[^\]*\\ietabhelper\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Temp\\Foxit Reader Updater\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Google\\Google Talk Plugin\\googletalkplugin\.exe

C:\\Users\\[^\]*\\appdata\\Local\\Google\\Update\\GoogleUpdate\.exe
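To dry-run the block and exception lists against sample launch paths before leaving Testing mode, here is an added Python harness (not part of the original post and not SEP's own code). It transcribes the rules above into standard regex syntax, writing the page's `[^\]*` as `[^\\]*`; how SEP's own matcher reads the original form is discussed in the comments and is not assumed here, and the exception-first evaluation order is an assumption.

```python
import re

# Block list from the policy above, transcribed into standard regex syntax:
# the page's "[^\]*" (one path component) is written "[^\\]*" here, which is
# how Python's re expresses "a run of characters that are not backslashes".
BLOCK_RULES = [
    r"C:\\Users\\[^\\]*\\appdata\\[^\\]*\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\LocalLow\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Temp\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\LocalLow\\Temp\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Temp\\[^\\]*\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\LocalLow\\Temp\\[^\\]*\\[^\\]*\.exe",
]

# Two entries from the policy's exception lists, transcribed the same way.
EXCEPTION_RULES = [
    r"C:\\Users\\Administrator\\appdata\\Local\\[^\\]*\.exe",
    r"C:\\Users\\[^\\]*\\appdata\\Local\\Temp\\Foxit Reader Updater\.exe",
]

# ADC compares paths case-insensitively (TECH131541, quoted in the comments).
BLOCK = [re.compile(r, re.IGNORECASE) for r in BLOCK_RULES]
EXCEPTIONS = [re.compile(r, re.IGNORECASE) for r in EXCEPTION_RULES]

def evaluate(path, block=BLOCK, exceptions=EXCEPTIONS):
    """Return (verdict, matching rule pattern) for one launch path.
    Assumption: exceptions are consulted first and win, then the block list;
    a path no rule describes is left alone and reported as ("allow", None)."""
    for rx in exceptions:
        if rx.fullmatch(path):          # whole path must fit the rule
            return "allow", rx.pattern
    for rx in block:
        if rx.fullmatch(path):
            return "block", rx.pattern
    return "allow", None

# Constructed sample launches for a Testing-mode review; not from any incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\invoice_scan.exe",        # block
    r"C:\Users\alice\AppData\Roaming\helper.exe",                 # block
    r"C:\Users\alice\AppData\Roaming\Vendor\helper.exe",          # no rule reaches it
    r"C:\Users\Administrator\AppData\Local\tool.exe",             # exception wins
    r"C:\Users\bob\AppData\Local\Temp\Foxit Reader Updater.exe",  # exception wins
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        verdict, rule = evaluate(path)
        print(f"{verdict:5s}  {path}  <- {rule}")
```

With this transcription the block rules only reach executables at most two components below appdata (three below Temp), so a launch such as `...\AppData\Roaming\Vendor\helper.exe` is described by no rule at all; that is the kind of gap a Testing-mode review is meant to surface.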


Create a "Notification condition" under Monitors/Notifications:

[screenshot 4.JPG]


Comments

10-21-2016 01:21 AM

Very useful, thanks

09-16-2016 07:05 AM

Thanks to Viktor who sent me a PM with the link for the following article "Specifications for using Regular Expressions within an Application and Device Control policy." https://support.symantec.com/en_US/article.TECH131541.html

09-16-2016 06:05 AM

Hi Jorge,

https://support.symantec.com/en_US/article.TECH131541.html

"There are a few base behavior differences from standard regular expression usage to match the functionality of the Windows filesystem and Windows registry:

...

  • A character is considered to be in a set if either its lower case format or its upper case format is in the set, i.e. all character comparison is done case insensitively."


Viktor

09-14-2016 11:10 AM

Just a quick question, as I haven't tested this yet, but from my point of view the regex:

C:\\Users\\[^\]*\\appdata\\[^\]*\\[^\]*\.exe is incorrect, it should be

C:\\[Uu]sers\\[^\\]*\\[Aa]pp[dD]ata\\[^\\]*\\[^\\]*[^\\]*\\.*\.exe

is there something particular to the symantec regex engine?

Cheers,

Jorge

08-03-2016 06:09 AM

Many thanks, Viktor! ADC is a good extra line of defense against the thousands of new unique ransomware samples that appear in the wild each week. (The authors and distributors of this threat family are very aggressive and constantly release new variants.)

Some additional resources that will help reduce the risk of successful ransomware infection:

Support Perspective: W97M.Downloader Battle Plan
https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

Special Report: Ransomware and Businesses 2016
https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware

Ransomware protection and removal with Symantec Endpoint Protection
http://www.symantec.com/docs/HOWTO124710

Protection of JS scripts running via wscript.exe
https://www.symantec.com/connect/forums/protection-js-scripts-running-wscriptexe

With thanks and best regards,

Mick


05-12-2016 09:40 AM

Yesterday and today:

blocked by this policy (and uploaded to Symantec) new ransomware variants: 3 :)

04-21-2016 10:01 AM

https://support.symantec.com/en_US/article.TECH234601.html

How to block Macro and Javascript downloaders using Symantec Mail Security for Microsoft Exchange (SMSMSE)

04-14-2016 09:22 AM

New ransomware variants:

New block rules (the `\\` directory separators and `\.exe` suffix follow the convention of the rules in the article):

C:\\Users\\[^\]*\\appdata\\cryptohost\.exe
C:\\Users\\[^\]*\\appdata\\Frfx\\firefox\.exe
C:\\Users\\[^\]*\\appdata\\Drpbx\\drpbx\.exe
C:\\Users\\[^\]*\\appdata\\AdobeFlashPlayer_[^\]*\.exe
