Workloads with heavy network traffic could experience increased latency with Suspicious Ransomware Activity Intrusion Prevention Rules

Updated: 30 Mar 2021
Product/Version: Cloud One - Workload Security (all versions); Deep Security (all versions)
Summary

Customers using Intrusion Prevention with the Deep Security Agent may experience increased network latency when specific rules and configurations are applied.

The Intrusion Prevention Rules involved are those using these two Application Types:

  • Suspicious Client Ransomware Activity
  • Suspicious Server Ransomware Activity

Other Application Types can lead to the same behavior (e.g. Suspicious Client Application Activity).

These Application Types monitor a wide range of ports (e.g. TCP 1-138, 140-444 and 446-65535). The larger number of ports monitored by Intrusion Prevention in a server environment makes the Deep Security Agent's Network Security Module scan a larger volume of network traffic, which increases the potential for latency. Confirm whether Intrusion Prevention has any of the following DPI rules assigned:

  • Suspicious Client Ransomware Activity
    • Ports inspected: 1-138, 140-444, 446-65535
    • Related DPI rules
      • 1010596 - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
      • 1010597 - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
      • 1010792 - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate
      • 1010617 - Identified TLS Cobalt Strike Beacon (Certificate)
      • 1010714 - Identified HTTP Trojan-Downloader .Win32.Cometer.bfc Traffic Request
      • 1010732 - Identified FlawedGrace Checkin Request - Client
  • Suspicious Server Ransomware Activity
    • Ports inspected: 1-138, 140-444, 446-65535
    • Related DPI rules
      • 1010607 - Identified TCP Meterpreter payload
      • 1010608 - Identified HTTP Cobalt Strike Malleable Traffic Request (Amazon Profile)
      • 1010609 - Identified HTTP Cobalt Strike Malleable Traffic Request (Office 365 Calendar Profile)
      • 1010610 - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
      • 1010611 - Identified HTTP TrojanDownloader_Win64.BazarLoader Traffic
      • 1010614 - Identified HTTP Trickbot Data Exfiltration (Card Payment)
      • 1010615 - Identified HTTP Trickbot Data Exfiltration (Network Module)
      • 1010616 - Identified HTTP Backdoor Shell.Powertrick.A Runtime Detection
      • 1010634 - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
      • 1010636 - Identified HTTP Cobalt Strike Malleable Traffic Request (Pandora GET Profile)
      • 1010637 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
      • 1010638 - Identified FTP Backdoor Win32.Obot.JlNX Runtime Detection
      • 1010639 - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
      • 1010644 - Identified HTTP Trojan-DownloaderShell.Lightbot.A C&C Traffic Request
      • 1010731 - Identified HTTP Redhat Webshell C&C Traffic
      • 1010733 - Identified FlawedGrace Checkin Request - Server
  • Suspicious Client Application Activity
    • Ports inspected: 1-65535
    • Related DPI rules
      • 1010741 - Identified HTTP Backdoor Python FreakOut A Runtime Detection
Details

The Intrusion Prevention rules that use the ransomware-client and ransomware-server Application Types monitor almost all ports on the target machine. This is required because ransomware is not tied to a particular application type or port. There is a trade-off: for these rules to be effective and catch ransomware activity they need visibility over a wide range of network ports, and that wider inspection can add latency, especially for backup software or other software that generates a lot of network traffic on its own custom port numbers.

A. Excluding Application Ports from Application Type

As a workaround, you can keep the traffic of trusted, high-volume applications out of the ransomware rules' scope: identify the port numbers those applications use and remove them from the Application Type's port list. Traffic on the excluded ports is then no longer inspected by the rules that use that Application Type, so limit the exclusions to ports you can attribute to a trusted application.

In this example, a backup product uses TCP ports 1556 and 13724 and generates a large volume of backup traffic over them. We exclude those two ports from the port list of both Application Types ("Suspicious Client Ransomware Activity" and "Suspicious Server Ransomware Activity").

  1. Go to Policies → Common Objects → Rules → Intrusion Prevention Rules and click Application Types.

  2. In the search box at the top right of the screen, type the keyword "Ransomware". Both Application Types are listed.

  3. Select an Application Type and click Properties. In the window that appears, click Edit.

  4. Edit the port list so that ports 1556 and 13724 are left out of the inspected ranges. Starting from the original list 1-138, 140-444, 446-65535, the result is:
    1-138
    140-444
    446-1555
    1557-13723
    13725-65535
  5. Click OK to save the changes.
  6. Repeat the same edit for the other ransomware Application Type.
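The port-list edit in step 4, done programmatically, as an added example that is not part of this article and not Trend Micro code. It parses the comma-separated range syntax shown in the Application Type editor, removes any set of excluded ports (splitting ranges as needed, so it generalizes beyond the two backup ports above), and audits a finished list for ports it no longer covers, which is a quick way to catch a typo in a hand-edited list. The function names are my own; the port values are the ones used in the example above.

```python
"""Compute an Application Type port list after excluding trusted application ports.

Added example (not Trend Micro code). Input is the comma-separated range list
used in the Application Type editor, e.g. "1-138, 140-444, 446-65535".
"""
from typing import Iterable, List, Tuple

# Ports inspected by the Suspicious Client/Server Ransomware Activity
# Application Types, as listed in the article.
RANSOMWARE_APP_TYPE_PORTS = "1-138, 140-444, 446-65535"

# Ports of the backup software in the article's example (TCP 1556 and 13724).
BACKUP_SOFTWARE_PORTS = [1556, 13724]


def parse_port_list(text: str) -> List[Tuple[int, int]]:
    """Parse "1-138, 140-444, 446-65535" (single ports allowed) into sorted (lo, hi) tuples."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((lo_i, hi_i))
    return sorted(ranges)


def exclude_ports(ranges: List[Tuple[int, int]], exclude: Iterable[int]) -> List[Tuple[int, int]]:
    """Remove every port in `exclude` from `ranges`, splitting a range around each hit."""
    result = []
    excluded = sorted(set(exclude))
    for lo, hi in ranges:
        cur = lo
        for port in excluded:
            if port < cur or port > hi:
                continue          # not inside the remaining part of this range
            if port > cur:
                result.append((cur, port - 1))
            cur = port + 1        # resume after the excluded port
        if cur <= hi:
            result.append((cur, hi))
    return result


def format_port_list(ranges: List[Tuple[int, int]]) -> str:
    """Render (lo, hi) tuples back into the editor's "lo-hi, lo-hi" syntax."""
    return ", ".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges)


def port_list_excluding(text: str, exclude: Iterable[int]) -> str:
    """The edited port list: `text` with the ports in `exclude` removed."""
    return format_port_list(exclude_ports(parse_port_list(text), exclude))


def ports_not_inspected(text: str) -> List[int]:
    """Ports in 1-65535 that `text` does not cover; use it to audit an edited list."""
    gaps = []
    nxt = 1
    for lo, hi in parse_port_list(text):
        gaps.extend(range(nxt, lo))
        nxt = max(nxt, hi + 1)
    gaps.extend(range(nxt, 65536))
    return gaps


if __name__ == "__main__":
    edited = port_list_excluding(RANSOMWARE_APP_TYPE_PORTS, BACKUP_SOFTWARE_PORTS)
    print(edited)                      # 1-138, 140-444, 446-1555, 1557-13723, 13725-65535
    # The audit shows exactly the ports a list leaves uninspected; a mistyped
    # "144-444" instead of "140-444" would surface here as 140-143.
    print(ports_not_inspected(edited))  # [139, 445, 1556, 13724]
```

Running `ports_not_inspected` on the list you actually typed into the editor is the worthwhile check: the output should be only 139, 445 and the ports you meant to exclude.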

B. How to check whether Intrusion Prevention rules are included in Scan for Recommendation

Some Intrusion Prevention rules can be assigned to computers automatically by a Recommendation Scan, while others are excluded from Recommendation Scans and must be assigned manually. You can review which is which with these steps:

  1. Go to Policies → Common Objects → Rules → Intrusion Prevention Rules, click Columns and select the Recommendable checkbox. This column shows whether a rule is included in Scan for Recommendation.

  2. In the search box at the top right of the web console, type the keyword "Ransomware Activity".

  3. All Intrusion Prevention rules that use either Suspicious Client Ransomware Activity or Suspicious Server Ransomware Activity are listed.

  4. Check the Recommendable column:
    • No: the rule is not assigned automatically by a Recommendation Scan.
    • Yes: the rule can be assigned automatically by a Recommendation Scan.
    • A rule set to Yes can be excluded from Recommendation Scans: open the rule's Properties → Options tab and select Exclude from Recommendations. The column then shows "No (Excluded from Recommendations)".

Setting this option prevents the rule from being assigned automatically by future Recommendation Scans.

C. Check your "Maximum TCP Connections" setting and make sure it is not 1,000

The Suspicious Client/Server Ransomware Activity Application Types let the Network Engine monitor more ports than before. More traffic is analyzed by the Network Engine, and the number of connections tracked in the Network Engine state table can grow as well. If Maximum TCP Connections is set to the minimum value of 1,000, the Network Engine drops traffic once the state table holds more than 1,000 connections, and when the Network Engine runs in Inline mode those drops block the traffic.

To check whether you are affected, review recent Firewall Events. Packets dropped because of the Maximum TCP Connections setting are logged with the Reason column set to "Max TCP Connection".

Make sure Maximum TCP Connections is set to 1,000,000. The setting is on the Computer properties page or under Policies → Settings → Advanced tab → Network Engine Settings → Advanced Network Engine Options → Maximum TCP Connections.

If you upgraded Deep Security Manager from an older version, the value may still be the old default of 1,000. New Manager installations default to 1,000,000.
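The Firewall Events check above, run over an exported event list, as an added example that is not part of this article and not Trend Micro tooling. It assumes the events were exported as CSV with the column names used below (adjust them to your export); the sample rows are constructed, not real data. Besides counting the state-table drops per computer, it breaks them down by destination port, which points at the application whose ports are candidates for the exclusion in section A.

```python
"""Find computers whose Firewall Events show packets dropped for reason "Max TCP Connection".

Added example, not Trend Micro tooling. The CSV column names are an assumption
about the export format; the sample rows are constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict

# Reason string the article says is logged for drops caused by the setting.
MAX_TCP_CONNECTION_REASON = "Max TCP Connection"

# Constructed sample export (not real data); the column layout is assumed.
SAMPLE_FIREWALL_EVENTS = """\
Time,Computer,Reason,Action,Source IP,Destination Port
2021-03-30 09:00:01,backup-srv-01,Max TCP Connection,Deny,10.0.5.20,13724
2021-03-30 09:00:01,backup-srv-01,Max TCP Connection,Deny,10.0.5.21,13724
2021-03-30 09:00:02,web-01,Policy,Deny,203.0.113.7,22
2021-03-30 09:00:03,backup-srv-01,Max TCP Connection,Deny,10.0.5.22,1556
2021-03-30 09:00:04,db-02,Max TCP Connection,Deny,10.0.7.9,5432
"""


def _state_table_drops(csv_text: str):
    """Yield only the rows whose Reason is the state-table-full reason."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("Reason") or "").strip() == MAX_TCP_CONNECTION_REASON:
            yield row


def max_tcp_connection_drops(csv_text: str) -> Dict[str, int]:
    """Packets per computer dropped because the Network Engine state table was full.

    Any computer listed here is affected and needs Maximum TCP Connections raised
    (1,000,000 per the article) rather than a firewall-rule change."""
    counts = Counter(row["Computer"].strip() for row in _state_table_drops(csv_text))
    return dict(counts)


def dropped_ports_by_computer(csv_text: str) -> Dict[str, Dict[int, int]]:
    """For each affected computer, the destination ports hit by those drops.

    Ports that dominate are the high-volume application's own ports, i.e. the
    candidates for the Application Type port-list exclusion in section A."""
    ports = defaultdict(Counter)
    for row in _state_table_drops(csv_text):
        ports[row["Computer"].strip()][int(row["Destination Port"])] += 1
    return {computer: dict(c) for computer, c in ports.items()}


if __name__ == "__main__":
    print(max_tcp_connection_drops(SAMPLE_FIREWALL_EVENTS))
    # {'backup-srv-01': 3, 'db-02': 1}
    print(dropped_ports_by_computer(SAMPLE_FIREWALL_EVENTS))
    # {'backup-srv-01': {13724: 2, 1556: 1}, 'db-02': {5432: 1}}
```

Rows with any other Reason (the constructed "Policy" row for web-01 above) are ignored on purpose: only drops attributed to "Max TCP Connection" indicate the state-table limit, and a deny for another reason says nothing about this setting.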
Category: Configure
Solution Id: 000285860