Ransomware is a form of malware that encrypts a target computer until the victim pays a “ransom”. This threat is on the rise and Trend Micro is stepping up its protection and detection. OfficeScan’s new approach is to look for ransomware behavior so it does not depend exclusively on signatures or a specific removal tool. It monitors any suspicious file encryption activities at the endpoint and stops them by terminating or putting the process in quarantine.
Typical ransomware searches for system files with specific file extensions and encrypts them through normal file operation.
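The behavior-based detection described above, as an added example that is not part of this Trend Micro article or of any Trend Micro product: a short Python sketch of the kind of heuristic an endpoint agent can apply to file-operation telemetry, flagging a process that renames or overwrites many user documents within a few seconds. The event format, process names, file paths, extension list and thresholds are all constructed assumptions for the illustration, not OfficeScan's internal logic.

```python
import os
from collections import defaultdict, deque

# File extensions the heuristic treats as user documents. Constructed for
# illustration; a real agent would use a much larger, tunable list.
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}


def is_document(path):
    """True if the path's extension is one we care about protecting."""
    return os.path.splitext(path)[1].lower() in DOCUMENT_EXTS


def is_suspicious_op(event):
    """A document renamed to a non-document extension (the classic
    'append .locked' pattern) or overwritten in place counts as one
    possible encryption step."""
    if event["op"] == "rename":
        return is_document(event["src"]) and not is_document(event["dst"])
    if event["op"] == "write":
        return is_document(event["src"])
    return False


def detect_encryption_bursts(events, window_s=5.0, threshold=8):
    """Return {pid: details} for every process that touched at least
    `threshold` distinct documents within any `window_s`-second window.
    `events` is an iterable of dicts with keys ts, pid, proc, op, src, dst."""
    recent = defaultdict(deque)   # pid -> deque of (ts, src path), oldest first
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious_op(ev):
            continue
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["src"]))
        # Drop entries that have aged out of the sliding window.
        while q and ev["ts"] - q[0][0] > window_s:
            q.popleft()
        touched = {path for _, path in q}
        if len(touched) >= threshold and ev["pid"] not in flagged:
            # First time this process crosses the line: record what an
            # endpoint agent would hand to its response logic (terminate
            # or quarantine the process, restore backups of changed files).
            flagged[ev["pid"]] = {
                "proc": ev["proc"],
                "first_seen": q[0][0],
                "detected_at": ev["ts"],
                "files": sorted(touched),
            }
    return flagged


def _ev(ts, pid, proc, op, src, dst=""):
    return {"ts": ts, "pid": pid, "proc": proc, "op": op, "src": src, "dst": dst}


# Constructed sample telemetry, not captured from any real endpoint.
SAMPLE_EVENTS = (
    # A process renaming ten documents to *.locked within 2.5 seconds.
    [_ev(i * 0.25, 4242, "invoice_viewer.exe", "rename",
         rf"C:\Users\alice\Documents\report{i}.docx",
         rf"C:\Users\alice\Documents\report{i}.docx.locked") for i in range(10)]
    # A backup tool writing ten photos, but only one every 30 seconds.
    + [_ev(10.0 + i * 30.0, 777, "backup.exe", "write",
           rf"C:\Users\alice\Pictures\photo{i}.jpg") for i in range(10)]
    # An ordinary single document save.
    + [_ev(3.0, 900, "WINWORD.EXE", "write", r"C:\Users\alice\Documents\letter.docx")]
)


if __name__ == "__main__":
    for pid, info in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({info['proc']}) modified {len(info['files'])} documents "
              f"between t={info['first_seen']} and t={info['detected_at']}")
```

Only the renaming process is flagged; the backup tool touches as many files but never enough inside one window. The obvious weakness of any such rate heuristic is a legitimate bulk operation (a restore, a batch conversion) crossing the same threshold, which is why the console settings below pair blocking with automatic backup of files changed by suspicious programs and, for newly encountered programs, with prompting the user instead of silently terminating.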
Trend Micro suggests enabling the following settings for the best protection from ransomware.
For Apex One:

- Log on to the Apex One management web console.
- Go to Agents > Agent Management.
- Click the Apex One domain in the Apex One server list.
- Click Settings and select Predictive Machine Learning Settings.
- Tick Enable Predictive Machine Learning.
- Under Detection Settings, enable the following:
- Click Save to deploy changes.

- Log on to the Apex One management web console.
- Go to Agents > Agent Management.
- Click Settings and go to Web Reputation Settings.
- On the Internal Agents tab, tick the checkbox for Enable Web Reputation on the following operating systems, and select the following:
- Click Apply to All Agents to deploy changes.

- Log on to the Apex One management web console.
- Go to Agents > Agent Management.
- Click Settings and go to Behavior Monitoring Settings.
- Tick the checkbox for Enable Malware Behavior Blocking and select Known and potential threats from the dropdown next to Threats to block.
  - Protect documents against unauthorized encryption or modification, and Automatically back up files changed by suspicious programs
  - Block processes commonly associated with ransomware
  - Enable program inspection to detect and block compromised executable files
  - Terminate programs that exhibit abnormal behavior associated with exploit attacks
- Under Newly Encountered Programs:
  This notification requires that administrators enable Real-time Scan and Web Reputation.
- To enable Unauthorized Change Prevention Service on desktop and server platforms:
  - Select the Apex One domain.
  - Click Settings and go to Additional Service Settings.
  - Under Unauthorized Change Prevention Service, tick to enable both Windows desktop and Windows Server platforms.
- Click Save to deploy changes.

- Log on to the Apex One management web console.
- Go to Agents > Agent Management.
- Click the Apex One domain in the Apex One server list.
- Click Settings and go to Additional Service Settings > Advanced Protection Services.
- Tick to enable Windows desktop and Windows Server platforms.
- Click Save to deploy changes.

- Log on to the Apex One management web console.
- Go to Agents > Agent Management.
- Click the Apex One domain in the Apex One server list.
- Click Settings and go to Additional Service Settings > Suspicious Connection Service.
- Tick to enable Windows desktop and Windows Server platforms.
- Click Save to deploy changes.
- Go to Suspicious Connection Settings:
  - Click the Apex One domain in the Apex One server list.
  - Click Settings and select Suspicious Connection Settings.
  - Tick the checkboxes for the following:
    - Detect network connections made to addresses in the Global C&C List. Select "Block" from the dropdown, and tick Log and allow access to User-defined Blocked IP list addresses.
    - Detect connections using malware network fingerprinting. Select "Block" from the dropdown, and tick Clean suspicious connections when C&C callback is detected.
For OfficeScan 11.0 SP1:

- Log on to the OfficeScan web console.
- Go to Agents > Agent Management.
- Click Settings and go to Web Reputation Settings.
- On the Internal Agents tab, tick the checkbox for "Enable Web reputation policy on the following operating systems", and below it, select the following as well:
  - Check HTTPS URLs
  - Send queries to Smart Protection Server
- Click Apply to All Agents to deploy changes.
- To enable Web Reputation Service on server platform endpoints:
  - Select the required OfficeScan agent installed on a Windows Server platform.
  - Repeat steps 3 and 4.
  You must configure and deploy Web Reputation policies to OfficeScan agents running on Windows Server platforms one at a time.
- Click Save to deploy changes.

Part I
- Log on to the OfficeScan web console.
- Go to Agents > Agent Management.
- Click Settings and go to Behavior Monitoring Settings.
- Tick the checkbox for Enable Malware Behavior Blocking and select "Known and potential threats" from the dropdown beside Threats to block.
- Under Ransomware Protection, select the following checkboxes:
  - Protect documents against unauthorized encryption or modification, and under it, Automatically back up files changed by suspicious programs
  - Block processes commonly associated with ransomware
  - Enable program inspection to detect and block compromised executable files (Server platforms excluded)
- To enable Unauthorized Change Prevention Service on server platform endpoints:
- Click Save to deploy changes.
Behavior Monitoring does not support certain Windows platforms, as indicated in the UI.

Part II
- Log on to the OfficeScan web console.
- Go to Agents > Global Agent Settings > Behavior Monitoring Settings.
- Tick the checkbox for "Monitor newly encountered programs downloaded through HTTP or email applications (Server platform excluded)".
  You must enable Web Reputation Services on the agent to allow OfficeScan to scan HTTP traffic.
- Select "Prompt user before executing" from the dropdown.

To enable Browser Exploit Solution on desktop platforms or on server platform endpoints:
- Log on to the OfficeScan web console.
- Go to Agents > Agent Management.
- Go to Settings > Web Reputation Settings.
- Go to the Browser Exploit Prevention section and enable "Block pages containing malicious script".
- Click Save to deploy changes.

- Log on to the OfficeScan web console.
- Go to Agents > Agent Management > Additional Service Settings.
- Tick the checkboxes for "Enable Service on the following operating systems" under Suspicious Connection Service.
- Go to Agents > Agent Management > Suspicious Connection Settings.
- Tick the checkboxes for the following:
  - Log network connections made to addresses in the Global C&C List, and under it, Log and allow access to User-defined Blocked IP list addresses
  - Log connections using malware network fingerprinting, and under it, Clean suspicious connections when C&C callback is detected
- Click Save.
- To enable Suspicious Connection policies on Windows Server platforms:
  - Select the required OfficeScan agent installed on a Windows Server platform.
  - Repeat steps 3 to 5.
- Click Save to deploy changes.
For OfficeScan XG:

- Log on to the OfficeScan web console.
- Go to Agents > Agent Management.
- Click Settings and go to Web Reputation Settings.
- On the Internal Agents tab, tick the checkbox for "Enable Web reputation policy on the following operating systems", and select the following:
  - Check HTTPS URLs
  - Send queries to Smart Protection Server
- Click Apply to All Agents to deploy changes.
- To enable Web Reputation Service on server platform endpoints:
  - Select the required OfficeScan agent installed on a Windows Server platform.
  - Repeat steps 3 and 4.
  You must configure and deploy Web Reputation policies to OfficeScan agents running on Windows Server platforms one at a time.
- Click Save to deploy changes.

- Log on to the OfficeScan web console.
- Go to Agents > Agent Management.
- Click Settings and go to Behavior Monitoring Settings.
- Tick the checkbox for Enable Malware Behavior Blocking and select "Known and potential threats" from the dropdown beside Threats to block.
- Under Ransomware Protection, select the following checkboxes:
  - Protect documents against unauthorized encryption or modification, and Automatically back up files changed by suspicious programs
  - Block processes commonly associated with ransomware
  - Enable program inspection to detect and block compromised executable files
  - Terminate programs that exhibit abnormal behavior associated with exploit attacks
- Under Newly Encountered Programs:
  - Tick the checkbox for "Monitor newly encountered programs downloaded through HTTP or email applications".
  - Select "Prompt user" from the dropdown.
  You must enable Web Reputation Services on the agent to allow OfficeScan to scan HTTP traffic.
- To enable Unauthorized Change Prevention Service on server platform endpoints:
- Click Save to deploy changes.

To enable Browser Exploit Solution on desktop platforms or on server platform endpoints:
- Log on to the OfficeScan web console.
- Go to Agents > Agent Management.
- Go to Settings > Web Reputation Settings.
- Go to the Browser Exploit Prevention section and enable "Block pages containing malicious script".
- Click Save to deploy changes.

- Log on to the OfficeScan web console.
- Go to Agents > Agent Management > Additional Service Settings.
- Tick the checkbox "Enable Service on the following operating systems" under Suspicious Connection Service.
- Click Apply to All Agents to deploy changes.
- Go to Agents > Agent Management > Suspicious Connection Settings.
- Tick the checkboxes for the following:
  - "Detect network connections made to addresses in the Global C&C List". Select "Block" from the dropdown, and tick "Log and allow access to User-defined Blocked IP list addresses".
  - "Detect connections using malware network fingerprinting". Select "Block" from the dropdown, and tick "Clean suspicious connections when C&C callback is detected".
- Click Apply to All Agents to deploy changes.
- To enable Suspicious Connection policies on Windows Server platforms:
  - Select the required OfficeScan agent installed on a Windows Server platform.
  - Repeat steps 3 to 5.
- Click Save to deploy changes.