Best Practice Configuration against WannaCry Ransomware Attack for Endpoint Application Control (EAC)

    • Updated: 1 Jun 2017
    • Product/Version: Endpoint Application Control 2.0
    • Platform: Windows All
Summary

On the 12th of May, 2017, the ransomware known as "WannaCry" hit worldwide, targeting Windows-based computers by encrypting data and demanding Bitcoin ransom payments. WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. The image below shows the infection chain of this type of malware:

See WannaCry/Wcry Ransomware for more information.

WannaCry circumvents security solutions by dropping its payloads, such as the file cryptor (tasksche.exe), into the Windows folder to avoid being detected. Use this article to configure EAC to stop a WannaCry ransomware attack in your Windows environment.

Details

To protect endpoints from WannaCry/WCry or similar ransomware using TMEAC, do the following:

  1. Install or upgrade to TMEAC v2.0 SP1 Patch 1 Build 1550.
  2. Create and deploy a Device Lockdown Policy to vulnerable endpoints. Do the following:
    1. Log in to the EAC Web UI and go to Management > Policies.
    2. Click +Add Policy and select New.
    3. Provide the following information:
      • Name: Device Lockdown Policy
      • Users and Endpoints: <select target user or endpoint>
    4. Expand the Rules tab.
    5. Click +Assign Rule and select New Lockdown.
       
      If a Lockdown rule exists, select Existing instead and search for the Lockdown rule to assign to the policy.
    6. Uncheck the Always allow all applications in the Windows directory (overrides Block and Lockdown rules) checkbox.
    7. Click Save to start applying the policy to endpoints.

Alternatively, you can download the Device Lockdown Policy Template here and import it to your current Application Control policy list.
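
Why step 6 matters, as an added example that is not Trend Micro's code: a simplified Python model of a lockdown decision, assuming a lockdown rule allows only files whose hash is in the endpoint's inventory. The paths, hashes and function names are constructed for illustration.

```python
import hashlib
from pathlib import PureWindowsPath

WINDOWS_DIR = PureWindowsPath(r"C:\Windows")  # assumed system root


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def in_windows_dir(path: str) -> bool:
    # PureWindowsPath compares case-insensitively and by component,
    # so C:\WINDOWS matches but C:\WindowsOld does not.
    return WINDOWS_DIR in PureWindowsPath(path).parents


def decide(path, sha256, inventory, allow_windows_dir):
    """Model of one execution attempt under a lockdown rule (assumed logic)."""
    if allow_windows_dir and in_windows_dir(path):
        return "allow"  # the exemption overrides the lockdown rule
    return "allow" if sha256 in inventory else "block"


# Constructed sample data: hashes of the applications inventoried at lockdown.
INVENTORY = {digest(b"constructed: notepad")}

# Constructed execution attempts: (path, hash of the file being started).
EVENTS = [
    (r"C:\Windows\System32\notepad.exe", digest(b"constructed: notepad")),
    (r"C:\WINDOWS\tasksche.exe", digest(b"constructed: dropped payload")),
    (r"C:\Users\alice\Downloads\tool.exe", digest(b"constructed: unknown tool")),
]


def evaluate(allow_windows_dir: bool) -> dict:
    return {p: decide(p, h, INVENTORY, allow_windows_dir) for p, h in EVENTS}


def exemption_gap() -> list:
    """Paths that run only because the Windows-directory box is checked."""
    checked, unchecked = evaluate(True), evaluate(False)
    return [p for p in checked
            if checked[p] == "allow" and unchecked[p] == "block"]


if __name__ == "__main__":
    for label, flag in (("checked", True), ("unchecked", False)):
        print(label, evaluate(flag))
    print("allowed only via exemption:", exemption_gap())
```

In this model the inventoried application runs under both settings, the unknown file in the user profile is blocked under both, and the file dropped into the Windows folder runs only while the checkbox is checked.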

If further assistance is needed, contact Trend Micro Technical Support.

Category: Configure; Remove a Malware / Virus
Solution Id: 1117500