Endpoint Protection


How-To: Harden against CryptoLocker file encryption attempts with SEPM Application Control

Apr 15, 2016 02:01 PM

 

SEPM Application and Device Control (AppDevCtrl) is a versatile Swiss army knife: it works as a precision tool as well as a broad, general control. Use it with care, because a single misconfigured rule can easily break a system.

The policy described here puts strong rules in effect. It is recommended to run it first with the rule set in "Test (log only)" mode, and on a test system rather than a production one.

After testing, the ruleset can be rolled out at scale with SEPM group management.

Here follows how to defend an enterprise's critical files (Word and Excel documents, etc.) from unauthorized access such as CryptoLocker or other ransomware encryption. Create an Application Control rule with the following in mind:

  • Apply the rule to every process except Word, Excel, Windows processes, SEP processes, and legitimate enterprise applications such as a filing app (the whitelist).

  • For the non-whitelisted processes, monitor file access attempts. If the file is a *.doc, *.docx, *.xls or *.xlsx, block the access; otherwise allow it.

[Screenshots encoding_deny_1.jpg through encoding_deny_6.jpg: the Application Control rule as configured in SEPM]

From the test-mode logs we can tune the whitelist. Once the log shows no denies for valid applications, distribute the rule to the production systems. It is also recommended to keep the rule in test mode for a few days on the live systems: there may be legitimate processes accessing these files that never showed up in the test environment.

Naturally the monitored files/extensions can be broadened, but remember to broaden the whitelisted applications as well, and re-test the rule after every change. Keep in mind that a whitelist entry that matches a process by name only is satisfied by any executable carrying that name; if a process must be trusted on its identity rather than its file name, match it by its file fingerprint instead, and expect to refresh that fingerprint whenever the application is updated.
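The rule described above, and the tuning of the whitelist from test-mode logs, as an added example modelled in Python (this is not SEPM code; the SEP client evaluates the real rule). It exercises the two settings that matter in practice: the rule-set mode ("Test (log only)" versus "Production") and whether a whitelisted process is identified by name, as in the screenshots, or by file fingerprint. All process names (except winword.exe and excel.exe), executable contents, paths and log lines are constructed for the example, and "filingapp.exe" stands in for the enterprise filing application.

```python
"""Model of the SEPM Application Control rule described above (added example, not SEPM code).

The SEP client evaluates the real rule; this script reproduces the decision so the
rule-set mode ("Test (log only)" vs "Production") and the process-matching choice
(by name, as in the screenshots, or by file fingerprint) can be compared. Process
names, executable contents, paths and log lines are constructed for the example.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Document types the rule protects (from the article).
PROTECTED_EXTENSIONS = frozenset({".doc", ".docx", ".xls", ".xlsx"})

# Whitelist by process name: Word, Excel, a Windows process and the enterprise filing
# app ("filingapp.exe" is a constructed name). SEP's own processes would be listed too.
ALLOWED_NAMES = frozenset({"winword.exe", "excel.exe", "explorer.exe", "filingapp.exe"})

# Constructed stand-ins for executable contents. SEPM fingerprint lists are MD5 hashes
# (the checksum.exe tool produces them), so the model hashes with MD5 as well.
GENUINE_WORD_IMAGE = b"constructed stand-in for the genuine WINWORD.EXE"
RANSOMWARE_IMAGE = b"constructed stand-in for a ransomware binary"


def fingerprint(image: bytes) -> str:
    return hashlib.md5(image).hexdigest()


ALLOWED_FINGERPRINTS = frozenset({fingerprint(GENUINE_WORD_IMAGE)})


@dataclass(frozen=True)
class FileAccess:
    process_name: str    # image name as the client sees it
    process_image: bytes  # executable contents (constructed)
    path: str             # file being accessed
    mode: str             # "read" or "write"


@dataclass
class Policy:
    match_by_fingerprint: bool  # False: whitelist by name; True: whitelist by MD5 fingerprint
    test_mode: bool             # True: "Test (log only)"; False: "Production"
    log: list = field(default_factory=list)

    def process_whitelisted(self, access: FileAccess) -> bool:
        if self.match_by_fingerprint:
            return fingerprint(access.process_image) in ALLOWED_FINGERPRINTS
        return access.process_name.lower() in ALLOWED_NAMES

    def evaluate(self, access: FileAccess) -> str:
        """Return 'allow', 'deny', or 'log-only' (would be denied, but the rule set is in test mode)."""
        if PureWindowsPath(access.path).suffix.lower() not in PROTECTED_EXTENSIONS:
            return "allow"  # the rule only covers the protected document types
        if self.process_whitelisted(access):
            return "allow"
        # A log entry is written in both modes; only Production actually blocks the access.
        self.log.append(f"{access.process_name.lower()}|{access.mode}|{access.path}")
        return "log-only" if self.test_mode else "deny"


def whitelist_candidates(log_lines) -> dict:
    """Tuning step: count logged denials per process so each can be reviewed for the whitelist."""
    return dict(Counter(line.split("|")[0] for line in log_lines))


def run_scenario(match_by_fingerprint: bool, test_mode: bool):
    """Evaluate a constructed set of file accesses and return (decisions, log)."""
    policy = Policy(match_by_fingerprint, test_mode)
    accesses = {
        "word_edits_docx": FileAccess("WINWORD.EXE", GENUINE_WORD_IMAGE, r"C:\Share\report.docx", "write"),
        "backup_reads_xlsx": FileAccess("backup.exe", b"backup agent image", r"C:\Share\budget.xlsx", "read"),
        "ransom_writes_docx": FileAccess("ransom.exe", RANSOMWARE_IMAGE, r"C:\Share\report.docx", "write"),
        "ransom_as_winword": FileAccess("winword.exe", RANSOMWARE_IMAGE, r"C:\Share\report.docx", "write"),
        "ransom_writes_txt": FileAccess("ransom.exe", RANSOMWARE_IMAGE, r"C:\Share\notes.txt", "write"),
    }
    decisions = {name: policy.evaluate(access) for name, access in accesses.items()}
    return decisions, policy.log


if __name__ == "__main__":
    decisions, log = run_scenario(match_by_fingerprint=False, test_mode=True)
    for name, verdict in decisions.items():
        print(f"{name:20} {verdict}")
    print("whitelist candidates from the test log:", whitelist_candidates(log))
```

Two things the run shows that the rule description alone does not. First, in test mode the backup agent and the ransomware both appear in the log as whitelist candidates; tuning means adding backup.exe and leaving ransom.exe out, so review each logged process rather than whitelisting everything that shows up. Second, with name-only matching a ransomware binary copied to winword.exe is allowed to write report.docx, while matching by fingerprint denies it; the price of fingerprints is that every Office update changes the hash, so the fingerprint list has to be maintained.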

 

The settings for sending mail notifications to administrators are described at the following link, in section 2, "Create a "Notification condition" under Monitors/Notifications":

https://www-secure.symantec.com/connect/articles/detecting-cryptolocker-activity-symantec-endpoint-protection

 

Attachment: Application and Device Control policy - Deny Ransomware e....zip (zip file, 7 KB, 1 version, uploaded Feb 25, 2020)

Comments

Nov 24, 2016 08:54 AM

Hi,

Did you change this policy from test to production?

https://www.symantec.com/connect/sites/default/files/users/user-3632631/encoding_deny_3.jpg

Sep 26, 2016 02:29 AM

Can someone guide me on how to create a policy in SEPM manager? Like the steps.

Can we test the policy on one particular system?

Sep 21, 2016 08:09 AM

We have an application and device control policy in place to block *.Zepto, *.Crypto, *.Cerber.

We have tested the policy manually by trying to create a file with the mentioned extensions. The Symantec AV client is killing the process, as it recognizes the file extensions that should not be allowed to execute.

However, this is not working in a real scenario. We had ransomware infections even though this policy is active on the machines. The ransomware is able to change the file extensions to *.Zepto, *.Crypto, *.Cerber.

I suspect the application policy is not effectively working when the actual attack happens. It is somehow bypassing Symantec AV application policy and changing the file extensions after encrypting.

Any suggestions please...

Sep 16, 2016 06:11 AM

Hi,

I think, yes.

+info:

https://www.symantec.com/connect/articles/detecting-cryptolocker-activity-symantec-endpoint-protection

Add *.zepto to the list.

Sep 16, 2016 04:12 AM

 

Hi Viktor,

Are you able to restrict Zepto ransomware attacks using this?

Jul 18, 2016 04:59 PM

Hi,

Yes, we have used it since April 2016 in the production environment. It is very useful. Since then, no ransomware infections.

Jun 19, 2016 04:49 AM

Is anyone using this policy in the production environment? How useful is it? Appreciate your feedback. Thanks
