Configure Anti-Ransomware Protection

The
Anti-Ransomware Protection
MPM provides additional protection against ransomware. The module targets encryption-based activity associated with ransomware with the ability to analyze and halt ransomware activity before any data loss occurs.
In a ransomware attack, typically the attacker uses DLLs, macros, shellscripts and other methods to encrypt important data and holds the data hostage until the user pays a ransom to unlock the data. To combat these attacks, Traps detects the behavior and prevents the ransomware from encrypting and holding files hostage.
Like other MPMs, you can configure the module to operate in either notification or prevention mode. When you configure the module to operate in prevention mode, Traps blocks the process exhibiting ransomware behavior. When you configure this module in notification mode, Traps logs a security event for each process once per minute. This means that if the same process exhibits ransomware behavior within a minute of the first attempt, Traps ignores the event. This prevents the Traps agent from logging and reporting an excessive number of events.
The Anti-Ransomware Protection module is enabled by default on Windows endpoints that use the following file system formats: NTFS, FAT, and exFAT.
To disable or change your anti-ransomware protection policy, use the following workflow:
  1. From the ESM Console, select
    Policies
    Malware
    Protection Modules
    .
  2. Select the
    Windows
    tab.
  3. Select
    manage-hidden-menu-icon.png
    Add
    Anti-Ransomware Protection
    and then configure the rule settings.
    anti-ransomware-protection.png
    • Activation
      —Select
      On
      to enable anti-ransomware protection or
      Off
      to disable protection. In situations where disk encryption software must encrypt files, consider configuring a rule to disable protection on that process.
    • Action
      —Select the action to take when Traps detects an attempt to encrypt protected files: Select
      Prevention
      (recommended) to block the process from encrypting the files. To permit a specific process (such as disk encryption software) to encrypt files, select
      Notification
      . In notification mode, Traps logs the issue but does not block the encryption activity. Alternatively, you can choose to
      Inherit
      the behavior from the preceding rule in the rule hierarchy.
    • User Alert
      —Specify the notification behavior when a process attempts to encrypt files, either
      On
      to notify the user, or
      Off
      to suppress notifications. Alternatively, you can choose to
      Inherit
      the behavior from the preceding rule in the rule hierarchy.
  4. Select the
    Processes
    tab and
    Add
    one or more source processes to which Traps will apply anti-ransomware process protection.
    As you type, the ESM Console provides auto-completion based the list of processes defined in the ESM Console.
    If you do not specify a process, the rule applies to all processes.
  5. (
    Optional
    ) Add Conditions to the rule. By default, a new rule does not contain any conditions.
    To specify a condition, select the
    Conditions
    tab, select the condition in the Conditions list, and then
    Add
    it to the Selected Conditions list. Repeat this step to add more conditions, as needed. You can also define new Conditions.
  6. (
    Optional
    ) Define the Target Objects to which to apply the rule.
    To define a smaller subset of target objects, select the
    Objects
    tab, and then enter one or more
    AD Users
    ,
    AD Computers
    ,
    AD Groups
    ,
    AD Organizational Unit
    ,
    Existing Endpoints
    , or
    Existing Groups
    in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units. The ESM Console also offers autocompletion as you type for existing endpoints and existing virtual groups.
  7. (
    Optional
    ) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed.
    To override the autogenerated name, select the
    Name
    tab, clear the
    Activate automatic description
    option, and then enter a rule name and description of your choice.
  8. To save the rule, do either of the following:
    • Save
      the rule and
      Activate
      it later from the rule management page.
    • Apply
      the rule to activate it immediately. The ESM Server distributes the rule at the next heartbeat communication with the agent.
    After saving or applying a rule, you can return to the
    Policies
    Malware
    Protection Modules
    page at any time to
    Delete
    or
    Deactivate
    the rule.
  9. To view security events triggered by the Anti-Ransomware Protection MPM, see the
    Malware Modules
    pages:
    • Prevention events—
      Security Events
      Preventions
      Malware Modules
      .
    • Notification-only events—
      Security Events
      Notifications
      Malware Modules
      .
    Each security event identifies the source process and the location of the target file.

Recommended For You