Configure Anti-Ransomware Protection

Anti-Ransomware Protection
MPM provides additional protection against ransomware. The module targets encryption-based activity associated with ransomware with the ability to analyze and halt ransomware activity before any data loss occurs.
In a ransomware attack, typically the attacker uses DLLs, macros, shellscripts and other methods to encrypt important data and holds the data hostage until the user pays a ransom to unlock the data. To combat these attacks, Traps detects the behavior and prevents the ransomware from encrypting and holding files hostage.
Like other MPMs, you can configure the module to operate in either notification or prevention mode. When you configure the module to operate in prevention mode, Traps blocks the process exhibiting ransomware behavior. When you configure this module in notification mode, Traps logs a security event for each process once per minute. This means that if the same process exhibits ransomware behavior within a minute of the first attempt, Traps ignores the event. This prevents the Traps agent from logging and reporting an excessive number of events.
The Anti-Ransomware Protection module is enabled by default on Windows endpoints that use the following file system formats: NTFS, FAT, and exFAT.
To disable or change your anti-ransomware protection policy, use the following workflow:
  1. From the ESM Console, select
    Protection Modules
  2. Select the
  3. Select
    Anti-Ransomware Protection
    and then configure the rule settings.
    • Activation
      to enable anti-ransomware protection or
      to disable protection. In situations where disk encryption software must encrypt files, consider configuring a rule to disable protection on that process.
    • Action
      —Select the action to take when Traps detects an attempt to encrypt protected files: Select
      (recommended) to block the process from encrypting the files. To permit a specific process (such as disk encryption software) to encrypt files, select
      . In notification mode, Traps logs the issue but does not block the encryption activity. Alternatively, you can choose to
      the behavior from the preceding rule in the rule hierarchy.
    • User Alert
      —Specify the notification behavior when a process attempts to encrypt files, either
      to notify the user, or
      to suppress notifications. Alternatively, you can choose to
      the behavior from the preceding rule in the rule hierarchy.
  4. Select the
    tab and
    one or more source processes to which Traps will apply anti-ransomware process protection.
    As you type, the ESM Console provides auto-completion based the list of processes defined in the ESM Console.
    If you do not specify a process, the rule applies to all processes.
  5. (
    ) Add Conditions to the rule. By default, a new rule does not contain any conditions.
    To specify a condition, select the
    tab, select the condition in the Conditions list, and then
    it to the Selected Conditions list. Repeat this step to add more conditions, as needed. You can also define new Conditions.
  6. (
    ) Define the Target Objects to which to apply the rule.
    To define a smaller subset of target objects, select the
    tab, and then enter one or more
    AD Users
    AD Computers
    AD Groups
    AD Organizational Unit
    Existing Endpoints
    , or
    Existing Groups
    in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units. The ESM Console also offers autocompletion as you type for existing endpoints and existing virtual groups.
  7. (
    ) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed.
    To override the autogenerated name, select the
    tab, clear the
    Activate automatic description
    option, and then enter a rule name and description of your choice.
  8. To save the rule, do either of the following:
    • Save
      the rule and
      it later from the rule management page.
    • Apply
      the rule to activate it immediately. The ESM Server distributes the rule at the next heartbeat communication with the agent.
    After saving or applying a rule, you can return to the
    Protection Modules
    page at any time to
    the rule.
  9. To view security events triggered by the Anti-Ransomware Protection MPM, see the
    Malware Modules
    • Prevention events—
      Security Events
      Malware Modules
    • Notification-only events—
      Security Events
      Malware Modules
    Each security event identifies the source process and the location of the target file.

Recommended For You