Best Practice Configuration against Ransomware and other Malware Threats with Endpoint Application Control (EAC) 2.0 Patch 1

Updated: 6 Dec 2016
Product/Version: Endpoint Application Control 2.0
Platform: Windows All
Summary

Below is an illustration of a ransomware attack flow:

[Figure: ransomware attack flow diagram]

When anti-virus, spam filtering and web filtering all fail, one becomes a victim of ransomware because the malicious application that performs the encryption routine on sensitive and important data can run without the user's knowledge. This happens when the AV solutions are out of date with the current virus patterns. However, even with current patterns it is highly possible that not all new variants of a ransomware family are added to the virus pattern every time a new version is released.

EAC 2.0 Patch 1 monitors and stops any application that is not authorized to run on the endpoint. It uses the Certified Safe Software pattern (also known as the whitelist pattern) and a list of applications from each managed device, collected during the agent inventory scan, to determine which applications to block and which to allow.

Details

There are two options we can use to protect end users against ransomware with EAC 2.0 Patch 1:

Option 1: Lockdown Policy

This policy "locks" devices so that only existing applications are allowed to run, while anything that is not in the agent scan inventory database is denied.

To deploy a Lockdown Policy, follow these steps:

  1. Logon to the Endpoint Application Control Web Management Console.
  2. Go to Management > Policies tab.
  3. Click the "+Add Policy" drop-down and select New.
  4. The Add Policy Screen appears. Provide the following:
    Name: (Specify a name for the policy)
    Users and Endpoints: (Select the target device or user that will apply the policy)
  5. Expand the "Rules" tab and click "+Assign Rule". Then select New Lockdown rule and provide the following:
    Name: (Type in the rule name)
    Log-only mode: (Enabled: Do NOT take any action | Disabled: Take action)
  6. Click Save & Assign to go back to Add Policy screen.
  7. Click Save to save and deploy the policy to the endpoints.
 
Every time an endpoint applies a "Lockdown Policy", it triggers an Inventory Scan that creates SHA-1 hashes of all applications present on the endpoint, which can reduce system performance. To reduce the impact of the Inventory Scan, follow the Deployment Planning and Product Sizing Guide in the EAC 2.0 Patch 1 Best Practice Guide.

Option 2: Default Deny Policy

This type of policy combines Block and Allow rules into a single policy that works as a whole to deny unknown applications from executing in specified directories while authorizing selected ones. The EAC 2.0 Patch 1 Best Practice Guide discusses the folder paths commonly used by malware, particularly ransomware, to run its payload, such as encrypting important and sensitive data.

To deploy Default Deny Policy, follow these steps:

  1. Logon to the Endpoint Application Control Web Management Console.
  2. Go to Management > Policies tab.
  3. Click the "+Add Policy" drop-down and select New.
  4. The Add Policy screen appears. Provide the following:
    Name: (Specify a name for the policy)
    Users and Endpoints: (Select the target device or user that will apply the policy)
  5. Expand the "Rules" tab and click the "+Assign Rule". Then select the following rule-types:
    • "New Block" rule:
      1. Provide the following:
        Name: (Type in the rule name)
        Log-only mode: (Enabled: Do NOT take any action | Disabled: Take action)
      2. Expand "Blocked applications" and change the "Match Using" to "File paths". Then use the "Specify file paths to block:" to add folder locations:
        Location: Any local storage
        C:\Users\*\AppData\Roaming\*
        C:\Users\*\AppData\Local\*
        C:\Documents and Settings\*\Application Data\*
        Location: Any removable storage
        \*
        Location: Network Path
        \*
        For the complete list of Windows Common folder variables, click here.
      3. Click Save & Assign to go back to the Add Policy screen.
    • "New Allow" rule:
      1. Provide the following:
        Name: (Type in the rule name)
        Log-only mode: (Enabled: Do NOT take any action | Disabled: Take action)
      2. Expand "Allowed applications" and change the "Match Using" to either "Known application dynamic search" or the "Certified Safe Software list". Then fill out the "Search for applications to allow:" field to specify the target applications.
         
        It is recommended to start your allow rule by adding the applications installed on the endpoint. You may get the list of currently installed applications from the Add/Remove Programs or Programs and Features control panel window.
      3. Expand the "Rule options" and select "Trusted Source" level to "Medium".
         
        Important: Do not give any level of trust to web browsers (IE, Mozilla Firefox, Google Chrome, etc.). Trust on a browser grants execute rights to applications launched from within the browser itself, bypassing any block rules. It is recommended to create a dedicated "Allow" rule for web browsers where the level of trust is set to "None".
      4. Click Save & Assign to go back to Add Policy screen.
  6. Click Save to save and deploy the policy to endpoints.
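To make the difference between the two options concrete, here is an added Python model (not EAC's own code) of how each policy decides whether an executable may run: Option 1 keys purely on the SHA-1 inventory, Option 2 blocks by the folder paths listed above unless an Allow rule matches. The file contents, drive letters, fnmatch-style path matching and the allow-over-block precedence are all assumptions made for the illustration.

```python
import fnmatch
import hashlib
import ntpath

# Block-rule locations copied from the Default Deny policy above. fnmatch is an
# assumed approximation of EAC's path matching, not the product's own engine.
BLOCKED_LOCAL = [
    r"C:\Users\*\AppData\Roaming\*",
    r"C:\Users\*\AppData\Local\*",
    r"C:\Documents and Settings\*\Application Data\*",
]
REMOVABLE_DRIVES = {"E:", "F:"}  # assumption: drive letters of removable media

def sha1_of(data: bytes) -> str:
    """Inventory-scan analogue: EAC identifies an application by its SHA-1."""
    return hashlib.sha1(data).hexdigest()

def in_blocked_location(path: str) -> bool:
    """True when the executable sits in a location named by the Block rule."""
    p = ntpath.normpath(path).lower()      # collapses '..' so Local\..\Roaming is seen
    if p.startswith("\\\\"):               # UNC path -> 'Network Path' location, \*
        return True
    if p[:2].upper() in REMOVABLE_DRIVES:  # 'Any removable storage' location, \*
        return True
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in BLOCKED_LOCAL)

def lockdown_decision(data: bytes, inventory: set, log_only: bool = False) -> str:
    """Option 1: deny anything whose hash the inventory scan did not record."""
    if sha1_of(data) in inventory:
        return "allow"
    return "log" if log_only else "block"

def default_deny_decision(path: str, data: bytes, allowed: set, log_only: bool = False) -> str:
    """Option 2: Allow rule (by hash) overrides the path Block rule (assumed order)."""
    if sha1_of(data) in allowed:
        return "allow"
    if in_blocked_location(path):
        return "log" if log_only else "block"
    return "allow"  # no rule names this location, so nothing stops it

# Constructed stand-ins for file contents; the inventory holds only WORD's hash.
WORD = b"MZ constructed winword.exe"
DROPPER = b"MZ constructed ransomware dropper"
INVENTORY = {sha1_of(WORD)}

if __name__ == "__main__":
    for p, d in [(r"C:\Program Files\Office\WINWORD.EXE", WORD),
                 (r"C:\Users\bob\AppData\Local\..\Roaming\crypt.exe", DROPPER)]:
        print(p, lockdown_decision(d, INVENTORY), default_deny_decision(p, d, INVENTORY))
```

Note the last branch of `default_deny_decision`: an unknown binary outside the listed folders is not stopped by Option 2, which is why the guide pairs the path Block rule with a Lockdown policy or a carefully maintained Allow list.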

For assistance in setting up and configuring EAC, please contact us through any of our Support Hotline Channels.

Solution Id: 1114310