For new emerging Ransomware, Trend Micro DDI is capable of detecting known Ransomware with the default settings and employing the sandbox behavior analysis techniques to defend against new variants.
The following configurations on DDI will help increase the Ransomware detection rate:
DDI supports the new widget of "Threats at a Glance" to show Ransomware detections with direct links to its detailed information.
Click image to enlarge
Click image to enlargeYou need to install DDI 3.8 SP2 hotfix 1203 or higher to display Ransomware detections in the new widget of "Threats at a Glance" and on Ransomware detection samples.
Access the DDI Admin WebUI, https://<DDI_IP>, then configure the following file submission rules under Administration > Virtual Analyzer > File Submission Rules, to submit files to the Sandbox:
Criteria Action Known malware Do not submit files No detection type AND CHM / Jar / Java Applet / LNK / WIN_EXE Submit files No detection type AND HTTP AND *.vbs / *.vbe / *.ps1 / *.hta / *.wsf Submit files No detection type AND SMTP AND *.vbs / *.vbe / *.ps1 / *.hta / *.wsf / *.js / *.jse Submit files No detection type AND SMTP AND SWF Submit files Rule : 28 / 29 / 40 / 52 Do not submit files Heuristic detections / Highly Suspicious files Submit files
Click image to enlargeBefore sending more files to the sandbox, you might need to add more storage capacity.
Check the Sandboxes and ensure the following:
- Make sure the Sandboxes have internet connection.
- Make sure the Sandboxes have Java installed and Office with macro enabled.
- Use Control Manager (TMCM) with Connected Threat Defense in order to share Suspicious Objects with other Trend Micro products.