Endpoint Protection

Detecting Cryptolocker activity with Symantec Endpoint Protection 

Mar 31, 2016 12:01 PM

1. Create an "Application and Device Control" rule.

"Apply this rule to the following processes:" * (the wildcard, i.e. all processes)

5.JPG

Add "File and Folder Access Attempts"

1.1. "Properties" of File and Folder Access Attempts

1.JPG

Apply to the following files and folders:

decrypt all*.txt

decrypt_instruction*.txt

*.doc.???????

*.docx.???????

*.xls.???????

*.xlsx.???????

*.pdf.???????

*.rtf.???????

*.txt.???????

*.zip.???????

*.pst.???????

*.locky

*.crypted

*.encryptedRSA

Do not apply to the following files and folders:

*.???.???

*.partial

1.2. "Actions":

2.JPG

Under "Launch Process Attempts":

Properties:

6.JPG

Apply to the following processes:

MD5 hashes of the new "cryptolocker" and "download.ponic" variants

Actions:

7.jpg

Terminate process, Enable logging, severity - 0, Send e-mail alert.

2. Create a "Notification condition" under Monitors/Notifications:

4.JPG

Done.

When the malware acts (for example, encrypts any file matching the rule), SEPM sends an e-mail to the system administrators.
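To check how the include and exclude lists in step 1.1 interact before pushing the policy, here is a small Python model of the file-name matching, added as an illustration and not Symantec code. It assumes SEP wildcards behave like ordinary Windows wildcards (`*` matches any run of characters, `?` exactly one character), that matching is case-insensitive like Windows file names, and that a name matching a "do not apply" pattern never triggers even if it also matches an include pattern; the assumed behaviour is marked in the code.

```python
"""Model of the "File and Folder Access Attempts" include/exclude logic.

Added illustration, not SEP code. Assumptions (not confirmed by the
post): '*' and '?' behave like Windows wildcards, matching is
case-insensitive, and an exclusion overrides an include.
"""

import fnmatch
import os

# Include patterns copied from the rule in the post.
INCLUDE_PATTERNS = [
    "decrypt all*.txt",
    "decrypt_instruction*.txt",
    "*.doc.???????", "*.docx.???????", "*.xls.???????", "*.xlsx.???????",
    "*.pdf.???????", "*.rtf.???????", "*.txt.???????", "*.zip.???????",
    "*.pst.???????",
    "*.locky", "*.crypted", "*.encryptedRSA",
]

# "Do not apply" patterns copied from the rule in the post.
EXCLUDE_PATTERNS = ["*.???.???", "*.partial"]


def _matches_any(name: str, patterns) -> bool:
    """Case-insensitive wildcard test of one file name against a pattern list.

    fnmatchcase() is used with both sides lower-cased so the result does
    not depend on the OS the model runs on.
    """
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def rule_fires(path: str) -> bool:
    """Return True if an access to ``path`` would hit the rule.

    Only the final path component is compared, since every pattern in
    the post is a bare file-name pattern. The exclusion list is checked
    first (assumed semantics: "do not apply" wins over an include), so
    e.g. 'report.doc.partial' matches '*.doc.???????' but is suppressed
    by '*.partial', which keeps in-progress downloads from alerting.
    """
    name = os.path.basename(path.replace("\\", "/"))
    if _matches_any(name, EXCLUDE_PATTERNS):
        return False
    return _matches_any(name, INCLUDE_PATTERNS)


def triggered(paths):
    """Return the subset of ``paths`` whose access would trigger the rule."""
    return [p for p in paths if rule_fires(p)]


if __name__ == "__main__":
    # Constructed sample of file names a share might see during an incident.
    sample = [
        r"C:\Users\alice\Documents\budget.xlsx.a1b2c3d",
        "C:/share/photo.jpg.locky",
        "DECRYPT_INSTRUCTION.txt",
        "budget.xlsx",
        "report.doc.partial",
        "decrypt all.abc.txt",
    ]
    for p in sample:
        print(f"{'ALERT ' if rule_fires(p) else 'ignore'}  {p}")
```

Running the model over a listing of a test share (for example, the output of `dir /s /b`) shows which names the rule would flag, which is a cheap way to spot false positives such as legitimate files with seven-character extensions before moving the policy out of test mode.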

Comments

Jul 18, 2016 08:08 PM

Cool, so I will create some policy to test before applying it to the production servers.

Thanks Brian !

Jul 18, 2016 07:54 PM

No you need to assign a policy for it.

Jul 18, 2016 07:16 PM

Brian,

Is "application and device control" enabled by default when the full stack of the SEP client is enabled / deployed?

Jul 18, 2016 08:56 AM

Detects a lot.

You need application and device control enabled.

Jul 18, 2016 08:53 AM

Hi Viktor,

Is this only to detect one version or variant of Cryptolocker, or can it be used for all types of Cryptolocker?

Do you have to enable the full stack of the SEP client in order to get the email alert?

Apr 14, 2016 09:19 AM

New file types:

HELP_YOUR_FILES.*
.fun
.sanction
HOW_TO_DECRYPT.*

Apr 07, 2016 03:21 PM

Hi, Tony

Here are some MD5 and SHA256 sums:

https://www.secureworks.com/research/cryptolocker-ransomware

Another way: search with Google, e.g. "cryptolocker md5 list", "cryptolocker md5 site:virustotal.com", "locky md5 site:virustotal.com"
Apr 07, 2016 10:25 AM

This is a brilliant idea; would you be able to share the MD5s for "Launch Process Attempts" so we can use them as well?

Cheers.

Apr 01, 2016 02:22 PM

Yes

Apr 01, 2016 10:24 AM

Hi Brian, have you been using any policy similar to this?
Apr 01, 2016 08:07 AM

If you're concerned, set it to test mode first.

There's also one here by Symantec:

https://www-secure.symantec.com/connect/blogs/defeat-powerware-using-sep-application-control-policies

Apr 01, 2016 06:52 AM

Hi, nice share, really appreciated. Have you tested it and does it work fine? Can I use this in my production network to be safe from Cryptolocker? Is this policy safe to use without impacting anything?

Thanks 
