This guide’s purpose is to provide OfficeScan and environmental configurations designed to stop Emotet from spreading and clean it as new detections get created.
Below are the settings and configurations to cripple and obliterate Emotet, divided into 2 main sections:
Use outbreak prevention to deny access to share drives in an emergency for multiple or individual computers. If you know the port(s) Emotet is currently using, block them.
Hint: 445 is the SMB port.
Navigate to Agents > Outbreak Prevention > (select computer(s)) > Start Outbreak Prevention
Install the MS17-010 patch on machines ASAP. Emotet uses the same EternalBlue exploit as WannaCry Ransomware. Refer to the Microsoft Security Bulletin MS17-010 - Critical for further details.
For more information on WannaCry and the EternalBlue exploit, refer to Preventing WannaCry (WCRY) ransomware attacks using Trend Micro products. The Trend Micro WCRY Simple Patch Validation Tool can be used to verify whether the MS17-010 patch is installed and to disable the SMB1 protocol (run the tool as admin).
Disable the SMBv1 Protocol that Emotet uses to propagate through the network to isolate it to only the machines it has already infected. To do this, add the registry key manually or use the Trend Micro WCRY Simple Patch Validation Tool and then reboot the computer. Computers MUST be rebooted for the disabled protocol to take effect.
Refer to the Microsoft KB on how to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)
Windows Server 2003 and Windows XP don’t have an SMB protocol beyond SMB1. SMB2 was introduced with Windows Server 2008 and Windows Vista. If you’re dealing with 2003 and XP, keep in mind that there won’t be an MS17-010 patch.
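The following PowerShell script is an added example, not part of the Trend Micro guide or its tool: it audits the LanmanServer SMB1 registry value described above (treating an absent value as enabled, per the default) and, when run with -Disable, sets it to 0. Run it as Administrator; the value names and path are the ones from the guide, and the script output messages are the author's own wording.

```powershell
# Added example (not from the Trend Micro guide): audit and, with -Disable, turn off SMBv1
# via the LanmanServer registry value the guide describes. Run as Administrator.
# The change only takes effect after a reboot.
param(
    [switch]$Disable
)

$paramsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName  = 'SMB1'

function Get-Smb1State {
    # Per the guide's default: if the value is absent, SMB1 is enabled (1).
    $item = Get-ItemProperty -Path $paramsPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = 1; Enabled = $true }
    }
    $v = [int]$item.$valueName
    return [pscustomobject]@{ Present = $true; Value = $v; Enabled = ($v -ne 0) }
}

$before = Get-Smb1State
if ($before.Present) {
    $state = if ($before.Enabled) { 'Enabled' } else { 'Disabled' }
    Write-Host ("SMB1 registry value present: {0} ({1})" -f $before.Value, $state)
} else {
    Write-Host "SMB1 registry value absent: protocol is enabled by default"
}

if ($Disable -and $before.Enabled) {
    # Creates the DWORD if it is missing, otherwise overwrites it with 0 (Disabled).
    New-ItemProperty -Path $paramsPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    $after = Get-Smb1State
    Write-Host ("SMB1 now set to {0}; reboot required for the change to take effect" -f $after.Value)
} elseif ($Disable) {
    Write-Host "SMB1 already disabled; nothing changed"
}
```

Running it without -Disable only reports the current state, which is useful for checking a fleet before and after the reboot.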
- Enable Predictive Machine Learning for all computers (if on OfficeScan XG or higher).
- Enable the Suspicious Connection Service and set it to “Block”, not “Log Only”.
OfficeScan 11 is more limited in that you may not have a Block option. Enable it regardless.
- Enable Behavior Monitoring and Web Reputation on all computers, including servers. If the computer is accessing a known malicious C&C or URL, Web Reputation will block it. Anti-exploit Protection used to be the only Behavior Monitoring feature that would block (terminate) Emotet (September ~ December of 2017). Just having Behavior Monitoring enabled now should be enough to terminate Emotet. To be absolutely certain it will be terminated, check the box for Anti-exploit Protection.
Enabling Web Reputation and Behavior Monitoring on Server Platforms in OfficeScan
Use these configurations below to manually enable Behavior Monitoring and Web Reputation for servers on OfficeScan XG build 1556 and higher. For OfficeScan 11, Hot Fix 6223 (or inclusive patch) is required for this feature to exist.
This feature already exists without ofcserver.ini modification in XG Service Pack 1 and above. Enable for servers in “Additional Service Settings”, and then turn on the feature(s) for the OfficeScan Agents.
For OfficeScan 11 Build 6223 or OfficeScan XG pre-SP1:
- On the OfficeScan Server, navigate to: (InstallDir)\Trend Micro\OfficeScan\PCCSRV\Private\.
- Stop the OfficeScan Master Service.
- Make a backup copy of ofcserver.ini.
- Copy ofcserver.ini to the Desktop and open it to edit.
- Find the [INI_SERVER_SECTION].
- Add the following lines below it:
- Start the OfficeScan Master Service.
- In Agent Management, verify if you have the option to enable Behavior Monitoring and Web Reputation for Server platforms now.
Please refer to the KB article on Enabling additional service settings for Windows Server Platforms on the Domain level in OfficeScan.
- Make sure all scan types (Real-Time, Manual, Scan Now, Scheduled) are set to scan “All scannable files”.
- Set it to scan files that are “created / modified and retrieved”.
- Make sure “Enable CVE exploit scanning for files downloaded through web and email channels” is checked.
- Customize Actions and enable “Damage Cleanup Services”.
Note that you cannot check the box for Damage Cleanup Services unless you customize the actions you take. If in doubt, set it to Quarantine. This allows you to retrieve a quarantined object later if needed.
Target tab example:
Note that the settings do not have to be exactly the same as the example above, as most of these are defaults. All are scannable files.
Action tab example:
If you are not sure what to set your Actions to, keep in mind that CVE exploit detections can sometimes be false positives. It is recommended to leave that action set to Pass or Quarantine. For a Virus, you can Clean it with Quarantine as the second action if the clean fails. Or set everything to Quarantine and address false positives later.
Scheduled Scan Settings
- Make sure the Scheduled Scan is set to run during a time the computers are online, such as lunch.
- Run the scan daily for the duration of the outbreak as this helps keep the machines clean. When new detections are released, previously undetected malware will now get cleaned.
Additional Service Settings
Go to “Additional Service Settings” in Agent Management and make sure that your services (if previously disabled) are enabled, including: Unauthorized Change Prevention Service, Firewall (required if using Outbreak Prevention, as it does not function without it), Suspicious Connection Service, Advanced Protection Service. Some features of Behavior Monitoring depend on the Advanced Protection Service and Unauthorized Change Prevention Service.
Web Reputation Settings
- Check the option "Block pages containing malicious script".
You may check “Block pages that have not been tested by Trend Micro” in an emergency. If Emotet goes to an unknown URL, the Agent should block it. This setting also blocks legitimate URLs. If you choose to block Untested sites, you must first uncheck “Send queries to Smart Protection Servers”.
- Check the option "Check HTTPS URLs".