Traps now extends its malware protection capabilities to protect against encryption-based activity associated with ransomware with the new Anti-Ransomware Protection module. The new malware protection module (MPM) adds a layer to Traps' existing ransomware prevention capabilities with the ability to analyze and halt ransomware activity before any data loss occurs.
In a ransomware attack, the attacker typically uses DLLs, macros, shell scripts, and other methods to encrypt important data and holds the data hostage until the user pays a ransom to unlock it. To combat these attacks, Traps employs decoy files to attract the ransomware. Although these decoy files are typically hidden from most legitimate processes, they can be visible in some cases. Traps names these files with special characters such as !!!!! or zzzz. However, Palo Alto Networks can distribute changes to both the names and locations of these files using content updates. When the ransomware attempts to write to, rename, move, delete, or encrypt the decoy files, Traps analyzes the behavior and prevents the ransomware from encrypting and holding files hostage.
Like other MPMs, you can configure the module to operate in either notification or prevention mode. When you configure the module to operate in prevention mode, Traps blocks the process attempting to manipulate the decoy files. When you configure the module in notification mode, Traps logs a security event for each process at most once per minute. This means that if the same process attempts to manipulate another decoy file within a minute of the first attempt, Traps ignores the event. This prevents the Traps agent from logging and reporting an excessive number of events.
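The decoy-file check and the two modes described above, as an added illustration that is not Traps' own code: it assumes a simplified file-event record (timestamp, PID, process name, operation, path), treats the !!!!! and zzzz markers as the decoy-name convention, and uses a 60-second per-process suppression window for notification mode. The sample events are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Decoy-name markers named on the page; content updates may change them.
DECOY_MARKERS = ("!!!!!", "zzzz")
# Operations the page lists as triggering analysis of decoy files.
DECOY_OPERATIONS = {"write", "rename", "move", "delete", "encrypt"}
NOTIFY_WINDOW_SECONDS = 60  # "once per minute" per process (assumption: sliding window)


@dataclass
class FileEvent:
    ts: float      # seconds, constructed timeline
    pid: int
    process: str
    op: str
    path: str


def is_decoy(path: str) -> bool:
    """True if the file name carries one of the decoy markers."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return any(marker in name for marker in DECOY_MARKERS)


def evaluate(events: List[FileEvent], mode: str) -> List[Tuple[str, int, str]]:
    """Return (action, pid, path) for each decoy manipulation.

    prevention mode: every decoy manipulation is blocked.
    notification mode: one 'log' per process per window; repeats are ignored.
    """
    if mode not in ("prevention", "notification"):
        raise ValueError(f"unknown mode: {mode}")
    last_logged: Dict[int, float] = {}
    actions: List[Tuple[str, int, str]] = []
    for ev in events:
        if ev.op not in DECOY_OPERATIONS or not is_decoy(ev.path):
            continue  # ordinary file activity is not the module's concern
        if mode == "prevention":
            actions.append(("block", ev.pid, ev.path))
            continue
        prev = last_logged.get(ev.pid)
        if prev is not None and ev.ts - prev < NOTIFY_WINDOW_SECONDS:
            continue  # same process within a minute: suppressed
        last_logged[ev.pid] = ev.ts
        actions.append(("log", ev.pid, ev.path))
    return actions


# Constructed sample: one process hits two decoys quickly, then again after a minute.
SAMPLE_EVENTS = [
    FileEvent(0, 4242, "cryptor.exe", "write", r"C:\Users\alice\Documents\!!!!!decoy.docx"),
    FileEvent(5, 4242, "cryptor.exe", "rename", r"C:\Users\alice\Documents\zzzz_decoy.xlsx"),
    FileEvent(10, 1337, "winword.exe", "write", r"C:\Users\alice\Documents\report.docx"),
    FileEvent(70, 4242, "cryptor.exe", "delete", r"C:\Users\alice\Documents\!!!!!decoy.docx"),
    FileEvent(72, 9001, "explorer.exe", "read", r"C:\Users\alice\Documents\zzzz_decoy.xlsx"),
]
```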
The Anti-Ransomware Protection module is enabled by default on Windows endpoints that use the following file system formats: NTFS, FAT, and exFAT.
To disable or change your anti-ransomware protection policy:
- From the ESM Console, Configure Anti-Ransomware Protection.
- To view security events triggered by the Anti-Ransomware Protection MPM, see the Malware Modules pages. Each security event identifies the source process that exhibited ransomware behavior and the location of the target file.
  - Prevention events: Security Events > Preventions > Malware Modules.
  - Notification-only events: Security Events > Notifications > Malware Modules.