Configure Anti-Ransomware Protection
Anti-Ransomware ProtectionMPM provides additional protection against ransomware. The module targets encryption-based activity associated with ransomware with the ability to analyze and halt ransomware activity before any data loss occurs.
In a ransomware attack, typically the attacker uses DLLs, macros, shellscripts and other methods to encrypt important data and holds the data hostage until the user pays a ransom to unlock the data. To combat these attacks, Traps detects the behavior and prevents the ransomware from encrypting and holding files hostage.
Like other MPMs, you can configure the module to operate in either notification or prevention mode. When you configure the module to operate in prevention mode, Traps blocks the process exhibiting ransomware behavior. When you configure this module in notification mode, Traps logs a security event for each process once per minute. This means that if the same process exhibits ransomware behavior within a minute of the first attempt, Traps ignores the event. This prevents the Traps agent from logging and reporting an excessive number of events.
The Anti-Ransomware Protection module is enabled by default on Windows endpoints that use the following file system formats: NTFS, FAT, and exFAT.
To disable or change your anti-ransomware protection policy, use the following workflow:
- From the ESM Console, select.PoliciesMalwareProtection Modules
- Select theWindowstab.
- Selectand then configure the rule settings.AddAnti-Ransomware Protection
- Activation—SelectOnto enable anti-ransomware protection orOffto disable protection. In situations where disk encryption software must encrypt files, consider configuring a rule to disable protection on that process.
- Action—Select the action to take when Traps detects an attempt to encrypt protected files: SelectPrevention(recommended) to block the process from encrypting the files. To permit a specific process (such as disk encryption software) to encrypt files, selectNotification. In notification mode, Traps logs the issue but does not block the encryption activity. Alternatively, you can choose toInheritthe behavior from the preceding rule in the rule hierarchy.
- User Alert—Specify the notification behavior when a process attempts to encrypt files, eitherOnto notify the user, orOffto suppress notifications. Alternatively, you can choose toInheritthe behavior from the preceding rule in the rule hierarchy.
- Select theProcessestab andAddone or more source processes to which Traps will apply anti-ransomware process protection.As you type, the ESM Console provides auto-completion based the list of processes defined in the ESM Console.If you do not specify a process, the rule applies to all processes.
- (Optional) Add Conditions to the rule. By default, a new rule does not contain any conditions.To specify a condition, select theConditionstab, select the condition in the Conditions list, and thenAddit to the Selected Conditions list. Repeat this step to add more conditions, as needed. You can also define new Conditions.
- (Optional) Define the Target Objects to which to apply the rule.To define a smaller subset of target objects, select theObjectstab, and then enter one or moreAD Users,AD Computers,AD Groups,AD Organizational Unit,Existing Endpoints, orExisting Groupsin the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units. The ESM Console also offers autocompletion as you type for existing endpoints and existing virtual groups.
- (Optional) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed.To override the autogenerated name, select theNametab, clear theActivate automatic descriptionoption, and then enter a rule name and description of your choice.
- To save the rule, do either of the following:
After saving or applying a rule, you can return to thepage at any time toPoliciesMalwareProtection ModulesDeleteorDeactivatethe rule.
- Savethe rule andActivateit later from the rule management page.
- Applythe rule to activate it immediately. The ESM Server distributes the rule at the next heartbeat communication with the agent.
- To view security events triggered by the Anti-Ransomware Protection MPM, see theMalware Modulespages:
Each security event identifies the source process and the location of the target file.
- Prevention events—.Security EventsPreventionsMalware Modules
- Notification-only events—.Security EventsNotificationsMalware Modules
Recommended For You
Recommended videos not found.