There are two policy options in Endpoint Application Control (EAC) that can be used to protect end users against ransomware:
Option 1: Lockdown Policy
This policy "locks" a device so that only the applications already present in the agent's scan inventory database are allowed to run; anything not in that inventory is denied.
To deploy a Lockdown Policy, follow these steps:
- Logon to the Endpoint Application Control Web Management Console.
- Go to Management > Policies tab.
- Click the "+Add Policy" drop-down and select New.
- The Add Policy Screen appears. Provide the following:
Name: (Specify a name for the policy)
Users and Endpoints: (Select the target devices or users the policy will apply to)
- Expand the "Rules" tab and click "+Assign Rule". Then select New Lockdown rule and provide the following:
Name: (Type in the rule name)
Log-only mode: (Enabled: log violations but do NOT take any action | Disabled: take action). Start with Log-only mode enabled and review the resulting logs before switching it off; once it is disabled, any application missing from the inventory is blocked immediately.
- Click Save & Assign to go back to the Add Policy screen.
- Click Save to save and deploy the policy to the endpoints.
Option 2: Default Deny Policy
This type of policy combines Block and Allow rules in a single policy that together deny unknown applications from executing out of specified directories while authorizing known ones. The EAC 2.0 Patch 1 Best Practice Guide discusses the folder paths commonly used by malware, and ransomware in particular, to stage and run its payload (for example, the encryption of important and sensitive data).
To deploy Default Deny Policy, follow these steps:
- Logon to the Endpoint Application Control Web Management Console.
- Go to Management > Policies tab.
- Click the "+Add Policy" drop-down and select New.
- The Add Policy screen appears. Provide the following:
Name: (Specify a name for the policy)
Users and Endpoints: (Select the target devices or users the policy will apply to)
- Expand the "Rules" tab and click "+Assign Rule". Then add the following rule types:
- "New Block" rule:
- Provide the following:
Name: (Type in the rule name)
Log-only mode: (Enabled: log violations but do NOT take any action | Disabled: take action)
- Expand "Blocked applications" and change "Match Using" to "File paths". Then use "Specify file paths to block:" to add the following folder locations:
Location: Any local storage
\users\*\appdata\local\*
\users\*\appdata\roaming\*
\documents and settings\*\application data\*
Location: Any removable storage
\*
Location: Network Path
\*
Refer to the complete list of Windows common folder variables for other locations that can be specified here.
- Click Save & Assign to go back to the Add Policy screen.
- "New Allow" rule:
- Provide the following:
Name: (Type in the rule name)
Log-only mode: (Enabled: log violations but do NOT take any action | Disabled: take action)
- Expand "Allowed applications" and change "Match Using" to "Known application dynamic search". Then change the column to "Tags" and select "Safe-match" and "Inventory". It is recommended to start the allow rule with the applications already installed on the endpoint; the list of currently installed applications is available in the Add/Remove Programs or Programs and Features control panel window.
- Expand "Rule options" and set the "Trusted Source" level to "Medium". Important: Do not grant any level of trust to web browsers (Internet Explorer, Mozilla Firefox, Google Chrome, etc.). A trusted source passes execute rights on to the applications it launches, so a file downloaded and run through a trusted browser would bypass the block rules. Create a dedicated "Allow" rule for web browsers with the trust level set to "None".
- Click Save & Assign to go back to Add Policy screen.
- Click Save to save and deploy the policy to endpoints.
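Before Log-only mode on the Default Deny policy is disabled, it helps to know which executables on a representative endpoint already live in, or are running from, the locations the Block rule targets, so that each one can be reviewed and, if legitimate, covered by the Allow rule. The following PowerShell script is an added example and not part of the EAC documentation or product; it evaluates the same three local-storage patterns from the Block rule, treats any UNC path and any removable volume as blocked, and reports the Authenticode signer of each hit. It assumes that EAC's "*" matches across directory separators (the rule's own patterns require this), that removable storage can be identified by the volume's drive type, that only the current user's profile needs to be scanned, and the report file name on the desktop is arbitrary.

```powershell
# Added example (not from the EAC documentation): list executables on disk or running
# from the locations the Default Deny Block rule covers, for review before Log-only
# mode is turned off. Assumption: "*" in EAC patterns matches across "\" separators,
# so the same patterns are used here as PowerShell -like wildcards.

$blockPatterns = @(
    '*\users\*\appdata\local\*',
    '*\users\*\appdata\roaming\*',
    '*\documents and settings\*\application data\*'
)

# Drive letters of removable volumes (the rule blocks "\*" on any removable storage).
$removableDrives = Get-Volume -ErrorAction SilentlyContinue |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object { [string]$_.DriveLetter }

function Test-BlockedPath {
    param([Parameter(Mandatory)][string]$Path)
    # Network path: the rule blocks "\*" on any UNC location.
    if ($Path -match '^\\\\') { return $true }
    # Removable storage, identified by the volume's drive type (assumption).
    if ($Path -match '^([A-Za-z]):' -and $removableDrives -contains $Matches[1].ToUpper()) { return $true }
    # Local storage: the per-user profile patterns from the Block rule (-like is case-insensitive).
    foreach ($pattern in $blockPatterns) {
        if ($Path -like $pattern) { return $true }
    }
    return $false
}

# Executables present on disk under the current user's AppData folders.
$onDisk = Get-ChildItem -Path $env:LOCALAPPDATA, $env:APPDATA -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object { Test-BlockedPath $_.FullName } |
    Select-Object -ExpandProperty FullName

# Image paths of running processes the rule would have blocked (typical hits are
# per-user installs such as collaboration and sync clients or per-user browsers).
$running = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and (Test-BlockedPath $_.Path) } |
    Select-Object -ExpandProperty Path -Unique

$report = @($onDisk) + @($running) | Sort-Object -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
    $status = 'Unknown'
    $publisher = ''
    if ($sig) {
        $status = $sig.Status
        if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        Path      = $_
        Running   = ($running -contains $_)
        SigStatus = $status
        Publisher = $publisher
    }
}

$report | Sort-Object Publisher, Path | Format-Table -AutoSize
# Report file name is arbitrary (assumption); hand it to whoever maintains the Allow rule.
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\eac-blocklist-review.csv" -NoTypeInformation
```

Every path in the report is something the Block rule will stop once Log-only mode is disabled. Signed, known applications should be made visible to the Allow rule through the Inventory or Safe-match tags (or by installing them outside the per-user profile); unsigned or unexpected binaries are exactly what the policy is meant to catch and should be investigated rather than allowed. The script is a local cross-check only; the EAC logs collected while Log-only mode is enabled remain the authoritative record of what the policy would have blocked.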