Enabling the Ransomware Protection feature in InterScan Messaging Security Suite (IMSS) or InterScan Messaging Security Virtual Appliance (IMSVA)

    • Updated:
    • 11 Aug 2016
    • Product/Version:
    • InterScan Messaging Security Suite 7.5 Windows
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • Platform:
    • CentOS 6 64-bit
    • Linux All
    • Windows All
Summary

Ransomware may spread via email, either as a direct attachment or through a malicious URL placed in the email body.

For known ransomware defined in the Virus Scan Engine (VSAPI) pattern file, IMSVA can detect it as a normal virus. For known ransomware URLs listed in WRS, IMSVA can use Web Reputation Services (WRS) to detect them as WRS-type ransomware. IMSVA can also use the TLSH feature of the Anti-Spam Engine (TMASE) to detect ransomware defined in the TMASE pattern file.

Unknown ransomware may exist in executable files or in Microsoft document files containing macros. IMSx can take action on those files, such as stripping the macro, blocking *.exe files, or submitting the macro file or executable file to Deep Discovery Analyzer (DDAn) for further analysis.

Details

For unknown ransomware or malicious URLs, an administrator may consider the following actions to enhance security:

Improve Ransomware Detections Visibility

Starting with build 1579, IMSVA 9.0 contains an enhancement for ransomware detections visibility. If your IMSVA 9.0 build is lower than 1579, you can install the Hot Fix Build 1579 package or above to get the feature. Follow these steps to apply Hot Fix Build 1579 and learn how to use the new visibility features.

  1. Download Hot Fix Build 1579. Please refer to the Readme for details of this hot fix.
  2. Apply this hot fix via the IMSVA web console under Administration > Updates > System & Applications.
  3. After applying the hot fix, clear your browser cache to avoid display issues on the newly added ransomware widget.
  4. Add the “Ransomware Detections” widget to the dashboard (adding it to the “Message Traffic” tab is suggested):
    1. On the web console, go to Dashboard > Message Traffic tab, and click Add Widgets on the right side of the screen.

    2. Type keywords to search for "Ransomware Detections". Select it, and click Add.
    3. The “Ransomware Detections” widget will appear on the “Message Traffic” tab.

  5. On the web console, go to Logs > Query. A “Ransomware” category is added to the “Policy events” type. It contains four subcategories: Virus Scan, Spam Detection, Web Reputation and Virtual Analyzer.

Enable WRS

Refer to KB 1113896 for detailed information on enabling the WRS feature in IMSx.

Handling Macro Files

Macro viruses are one of the most common types of file infection in Microsoft Office documents. Administrators may refer to KB 1113805 for macro file handling in IMSVA. For macro files, the most aggressive approach is to strip the macro directly from the document (Option 1 in KB 1113805). If DDAn is integrated, it is suggested to use both Option 2 and Option 3 for handling macro files.

Handling Executable Files

Administrators can either block executable files directly (refer to KB 1099617) or submit executable files to DDAn for further analysis (refer to KB 1114122).

IMSVA 9.1 already contains the ransomware detections visibility feature.

Enable WRS

Refer to KB 1113896 for detailed information on enabling the WRS feature in IMSx.

Handling Macro Files

Macro viruses are one of the most common types of file infection in Microsoft Office documents. Administrators may refer to KB 1113805 for macro file handling in IMSVA. For macro files, the most aggressive approach is to strip the macro directly from the document (Option 1 in KB 1113805). If DDAn is integrated, it is suggested to use both Option 2 and Option 3 for handling macro files.

Handling Executable Files

Administrators can either block executable files directly (refer to KB 1099617) or submit executable files to DDAn for further analysis (refer to KB 1114122).

Improve Ransomware Detections Visibility

Starting with build 1770, IMSS 7.1 Linux contains enhancements for ransomware detections visibility. If your IMSS 7.1 Linux build is lower than 1770, you can install the Hot Fix Build 1770 package or above to get the feature. Follow these steps to apply Hot Fix Build 1770 and learn how to use the new visibility features. Please refer to the readme for details of this hot fix.

  1. Download Hot Fix Build 1770. You may refer to the readme file for detailed information.
  2. Apply this hot fix to IMSS 7.1.
  3. After applying, go to the IMSS 7.1 management console under Summary > Statistics. IMSS will show “Ransomware Detections” in this tab.

  4. On the management console, go to Logs > Query > Policy events. A “Ransomware” category is added to the “Policy events” type. It contains three subcategories: Virus Scan, Spam Detection and Web Reputation.

Enable WRS

Refer to KB 1113896 for detailed information on enabling the WRS feature in IMSx.

Handling Macro Files

Macro viruses are one of the most common types of file infection in Microsoft Office documents. Administrators can refer to KB 1113805 for macro file handling in IMSS. For macro files, the most aggressive approach is to strip the macro directly from the document (Option 1 in KB 1113805).

Handling Executable Files

Administrators may refer to KB 1099617 to block executable files directly.

Improve Ransomware Detections Visibility

Starting with build 1353, IMSS 7.5 Windows contains enhancements for ransomware detections visibility. If your IMSS 7.5 Windows build is lower than 1353, you can install the Hot Fix Build 1353 package or above to get the feature. Follow these steps to apply Hot Fix Build 1353 and learn how to use the new visibility features.

  1. Download Hot Fix Build 1353. You may refer to the Readme file for detailed information about this hot fix.
  2. Apply this hot fix to IMSS 7.5.
  3. After applying, go to the IMSS 7.5 management console under Summary > Statistics. IMSS will show “Ransomware Detections” in this tab.
  4. On the management console, go to Logs > Query > Policy events. A “Ransomware” category is now added to the “Policy events” type. It also contains three subcategories: Virus Scan, Spam Detection, Web Reputation and Virtual Analyzer.

Enable WRS

Refer to KB 1113896 for detailed information on enabling the WRS feature in IMSx.

Handling Macro Files

Macro viruses are one of the most common types of file infection in Microsoft Office documents. Administrators may refer to KB 1113805 for macro file handling in IMSS. For macro files, the most aggressive approach is to strip the macro directly from the document (Option 1 in KB 1113805).

Handling Executable Files

Administrators may refer to KB 1099617 to block executable files directly.

Enable WRS

Refer to KB 1113896 for detailed information on enabling the WRS feature in IMSx.

Handling Macro Files

Macro viruses are one of the most common types of file infection in Microsoft Office documents. Administrators can refer to KB 1113805 for macro file handling in IMSS. For macro files, the most aggressive approach is to strip the macro directly from the document (Option 1 in KB 1113805).

Handling Executable Files

Administrators may refer to KB 1099617 to block executable files directly.

Category:
Configure; Remove a Malware / Virus
Solution Id:
1113871