Enabling the Ransomware Protection feature in OfficeScan (OSCE)

    • Updated: 15 Nov 2016
    • Product/Version: OfficeScan 11.0, OfficeScan XG.All
    • Platform:
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server Core
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Standard
    • Windows 2012 Standard R2
    • Windows 2012 Web Server Edition
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional
    • Windows XP Professional 64-bit
Summary

Ransomware is a form of malware that encrypts the files on a target computer and withholds them until the victim pays a “ransom”. This threat is on the rise, and Trend Micro is stepping up its protection and detection. OfficeScan’s new approach is to look for ransomware behavior, so it does not depend exclusively on signatures or a specific removal tool. It monitors the endpoint for suspicious file encryption activity and stops it by terminating the process or placing it in quarantine.

Typical ransomware searches for system files with specific file extensions and encrypts them through normal file operations.

Details

Trend Micro suggests enabling the following settings for the best protection against ransomware.

For OfficeScan 11.0 SP1:

Web Reputation Service

  1. Log on to the OfficeScan web console.
  2. Go to Agents > Agent Management.
  3. Click Settings and go to Web Reputation Settings.
  4. On the Internal Agents tab, tick the checkbox for "Enable Web reputation policy on the following operating systems", and below it, select the following as well:
    • Check HTTPS URLs
    • Send queries to Smart Protection Server

  5. Click Apply to All Agents to deploy changes.
  6. To enable Web Reputation Service on server platform endpoints:
    1. Select the required OfficeScan agent installed on a Windows Server platform.
    2. Repeat steps 3 and 4.
     
    You must configure and deploy Web Reputation policies to OfficeScan agents running on Windows Server platforms one at a time.

  7. Click Save to deploy changes.

Behavior Monitoring

Part I

  1. Log on to the OfficeScan web console.
  2. Go to Agents > Agent Management.
  3. Click Settings and go to Behavior Monitoring Settings.
  4. Tick the checkbox for Enable Malware Behavior Blocking and select “Known and potential threats” from the dropdown beside Threats to block.
  5. Under Ransomware Protection, select the following checkboxes:
    • Protect documents against unauthorized encryption or modification, and under it, Automatically back up files changed by suspicious programs
    • Block processes commonly associated with ransomware
    • Enable program inspection to detect and block compromised executable files (Server platforms excluded)
  6. To enable Unauthorized Change Prevention Service on server platform endpoints:
    1. Select the required OfficeScan agent installed on a Windows Server platform.
    2. Click Settings and go to Additional Service Settings.
    3. Tick "Enable service on the following operating systems".

    4. Repeat steps 3 to 5.

  7. Click Save to deploy changes.

    Behavior Monitoring does not support certain Windows platforms, as described in the UI.

Part II

  1. Log on to the OfficeScan web console.
  2. Go to Agents > Global Agent Settings > Behavior Monitoring Settings.
  3. Tick the checkbox for "Monitor newly encountered programs downloaded through HTTP or email applications (Server platform excluded)".
     
    You must enable Web Reputation Services on the agent to allow OfficeScan to scan HTTP traffic.
  4. Select "Prompt user before executing" from the dropdown.

Browser Exploit Solution

  1. Log on to the OfficeScan web console.
  2. To enable Browser Exploit Solution on desktop platforms:
    1. Go to Agents > Agent Management.
    2. Click Settings.
    3. Go to Additional Service Settings > Advanced Protection Services.
    4. Tick the checkbox for "Enable service on the following operating systems".

    5. Click Apply to All Agents to deploy changes.
  3. To enable Browser Exploit Solution on server platform endpoints:
    1. Go to Agents > Agent Management.
    2. Select the required OfficeScan agent installed on a Windows Server platform.
    3. Click Settings.
    4. Go to Additional Service Settings > Advanced Protection Services.
    5. Tick the checkbox for "Enable service on the following operating systems".

    6. Click Save to deploy changes.
  4. Go to Agents > Agent Management.
  5. Go to Settings > Web Reputation Settings.
  6. Go to the Browser Exploit Prevention section and enable "Block pages containing malicious script".

  7. Click Save to deploy changes.

Suspicious Connection Service

  1. Log on to the OfficeScan web console.
  2. Go to Agents > Agent Management > Additional Service Settings.
  3. Tick the checkboxes for “Enable Service on the following operating systems” under Suspicious Connection Service.

  4. Go to Agents > Agent Management > Suspicious Connection Settings.
  5. Tick the checkboxes for the following:
    • Log network connections made to addresses in the Global C&C List, and under it, Log and allow access to User-defined Blocked IP list addresses
    • Log connections using malware network fingerprinting, and under it, Clean suspicious connections when C&C callback is detected

  6. Click Save.
  7. To enable Suspicious Connection policies on Windows Server platforms:
    1. Select the required OfficeScan agent installed on a Windows Server platform.
    2. Repeat steps 3 to 5.

  8. Click Save to deploy changes.
 
Some options were only available in OSCE 11.0 SP1 Critical Patch 6054 and later.

For OfficeScan XG:

Web Reputation Service

  1. Log on to the OfficeScan web console.
  2. Go to Agents > Agent Management.
  3. Click Settings and go to Web Reputation Settings.
  4. On the Internal Agents tab, tick the checkbox for "Enable Web reputation policy on the following operating systems". Select the following:
    • Check HTTPS URLs
    • Send queries to Smart Protection Server

  5. Click Apply to All Agents to deploy changes.
  6. To enable Web Reputation Service on server platform endpoints:
    1. Select the required OfficeScan agent installed on a Windows Server platform.
    2. Repeat steps 3 and 4.
     
    You must configure and deploy Web Reputation policies to OfficeScan agents running on Windows Server platforms one at a time.

  7. Click Save to deploy changes.

Behavior Monitoring

  1. Log on to the OfficeScan web console.
  2. Go to Agents > Agent Management.
  3. Click Settings and go to Behavior Monitoring Settings.
  4. Tick the checkbox for Enable Malware Behavior Blocking and select “Known and potential threats” from the dropdown beside Threats to block.
  5. Under Ransomware Protection, select the following checkboxes:
    • Protect documents against unauthorized encryption or modification and Automatically back up files changed by suspicious programs
    • Block processes commonly associated with ransomware
    • Enable program inspection to detect and block compromised executable files
    • Terminate programs that exhibit abnormal behavior associated with exploit attacks
  6. Under Newly Encountered Programs:
    1. Tick the checkbox for “Monitor newly encountered programs downloaded through HTTP or email applications”.
    2. Select "Prompt user" from the dropdown.

    You must enable Web Reputation Services on the agent to allow OfficeScan to scan HTTP traffic.
  7. To enable Unauthorized Change Prevention Service on server platform endpoints:
    1. Select the required OfficeScan agent installed on a Windows Server platform.
    2. Click Settings and go to Additional Service Settings.
    3. Tick "Enable service on the following operating systems".
    4. Repeat steps 3 to 6.
  8. Click Save to deploy changes.

    Behavior Monitoring does not support certain Windows platforms, as described in the UI.

Browser Exploit Solution

  1. Log on to the OfficeScan web console.
  2. To enable Browser Exploit Solution on desktop platforms:
    1. Go to Agents > Agent Management.
    2. Click Settings.
    3. Go to Additional Service Settings > Advanced Protection Services.
    4. Tick the checkbox for "Enable service on the following operating systems".

    5. Click Apply to All Agents to deploy changes.
  3. To enable Browser Exploit Solution on server platform endpoints:
    1. Go to Agents > Agent Management.
    2. Select the required OfficeScan agent installed on a Windows Server platform.
    3. Click Settings.
    4. Go to Additional Service Settings > Advanced Protection Services.
    5. Tick the checkbox for "Enable service on the following operating systems".

    6. Click Save to deploy changes.
  4. Go to Agents > Agent Management.
  5. Go to Settings > Web Reputation Settings.
  6. Go to the Browser Exploit Prevention section and enable "Block pages containing malicious script".

  7. Click Save to deploy changes.

Suspicious Connection Service

  1. Log on to the OfficeScan web console.
  2. Go to Agents > Agent Management > Additional Service Settings.
  3. Tick the checkbox “Enable Service on the following operating systems” under Suspicious Connection Service.

  4. Click Apply to All Agents to deploy changes.
  5. Go to Agents > Agent Management > Suspicious Connection Settings.
  6. Tick the checkboxes for the following:
    1. "Detect network connections made to addresses in the Global C&C List". Select "block" from the dropdown, then select "Log and allow access to User-defined Blocked IP list addresses".
    2. "Detect connections using malware network fingerprinting". Select "block" from the dropdown, then select "Clean suspicious connections when C&C callback is detected".

  7. Click Apply to All Agents to deploy changes.
  8. To enable Suspicious Connection policies on Windows Server platforms:
    1. Select the required OfficeScan agent installed on a Windows Server platform.
    2. Repeat steps 3 to 5.

  9. Click Save to deploy changes.

Category: Configure; Troubleshoot; Upgrade
Solution Id: 1111377