Endpoint Protection

  • 1.  Had a Zepto And Now Some Questions

    Posted Aug 17, 2016 11:24 AM

    Hi Everybody

    Well well ... As you can tell from the title, it happened: A user has been so keen to open a DOCM, which has dropped an EXE and then encrypted the workstation and the shared network drive.

    After some investigation (on the next day, after recovering, when the questions "why", "what" and "how" have been raised), I found an entry in the SEP Risk monitor.
    This entry indicates that the user indeed must have been willingly allowing the file.

    In the "Risk Detection" part of the detailed event view, the following is written:

    Date found:
    Description:
    Actual action:
    Specified primary action:
    Specified secondary action:
    Detection source:
    Risk detection method:
    URL tracking:
    Source computer:
    Event type:
    Database insert date:
    Event end date:
    Event client date:

    Permitted application reason:

    To me, this raises various questions:

    • In no policy, there is a setting to be found which would give the user a chance to "allow" an application that could possibly be harmful.
    • Am I missing a configuration possibility? I definitely do NOT want the user to be able to trust or allow anything!

    Basically, what happened is that the DOCM dropped the EXE and it did not get stopped.
    Is there any possibility to configure SEP to prevent this behaviour? Under normal circumstances, Office documents should not drop anything executable.

    The version of the SEP client is 12.1.6318.6100

    Any help or input?

    PS: It was ferdoxs.exe that got dropped: 02469222C9895FCBDCBE8264FADFBD8150D649A08E42EA2C476B6A33203E21C5



  • 2.  RE: Had a Zepto And Now Some Questions

    Posted Aug 17, 2016 12:54 PM

    In your AV policy on the Download Protection tab what is the file sensitivity level set to? Default is 5 but I would consider moving to 6/7 and monitoring from there (false positives will increase). Also, look at the Actions tab. First Action should be delete or quarantine with the second being delete or quarantine. Also ensure unproven files are not set to Prompt. I suspect it is if the user was able to allow it through. This should also be changed.

    You can use an application control policy to deal with office docs. A few links to review here:

    https://www.symantec.com/connect/articles/ac-and-hi-policy-help-ransomware

    https://www.symantec.com/connect/articles/detecting-cryptolocker-activity-symantec-endpoint-protection

    https://www.symantec.com/connect/articles/strengthening-anti-virus-security-prevent-ransom-ware-derivative-trojancryptolocker-family-
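    The reply above recommends an application control policy so that Office documents cannot drop executables. As an added illustration (not code from the thread or from Symantec), the following script shows the detection logic such a rule encodes: flag any file write by an Office process whose target is executable by extension or by content (the "MZ" PE header), so a renamed dropper is caught as well. The event dictionaries and paths are constructed here; SEP's real log schema is not assumed.

```python
import re
from typing import Dict, List

# Office processes that should never be the parent of a dropped executable.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Extensions that Windows will execute or script directly.
EXEC_EXT = re.compile(r"\.(exe|dll|scr|com|js|vbs|ps1)$", re.IGNORECASE)
# Windows PE files start with the "MZ" DOS header.
PE_MAGIC = b"MZ"


def is_dropped_executable(event: Dict) -> bool:
    """True if an Office process wrote a file that is executable by name or by content.

    `event` is a constructed dict with keys process, target, header (first bytes written).
    """
    parent = event.get("process", "").lower().rsplit("\\", 1)[-1]
    if parent not in OFFICE_PARENTS:
        return False
    target = event.get("target", "")
    header = event.get("header", b"")
    return bool(EXEC_EXT.search(target)) or header[:2] == PE_MAGIC


def find_office_drops(events: List[Dict]) -> List[str]:
    """Return the paths of all files an Office process dropped that look executable."""
    return [e["target"] for e in events if is_dropped_executable(e)]


# Constructed sample events (not taken from the original thread's logs).
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\ferdoxs.exe", "header": b"MZ\x90\x00"},
    {"process": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\alice\Documents\invoice.docx", "header": b"PK\x03\x04"},
    # Renamed executable: harmless extension, but the content is a PE file.
    {"process": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\update.tmp", "header": b"MZ\x90\x00"},
    # Non-Office parent: out of scope for this rule.
    {"process": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\setup.exe", "header": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for path in find_office_drops(SAMPLE_EVENTS):
        print("ALERT: Office process dropped an executable:", path)
```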



  • 3.  RE: Had a Zepto And Now Some Questions

    Posted Aug 18, 2016 04:46 AM

    Hi flutti,

    Thanks for the post.  First off, here's the article you are likely looking for:

    How to disable deferred scanning in Auto-Protect for Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH224108

    That sample is indeed Zepto/Locky, though its characteristics led it to be assigned a different classification (Trojan.Cridex) when it was examined.  You have indeed located the correct file. https://www.virustotal.com/es/file/02469222C9895FCBDCBE8264FADFBD8150D649A08E42EA2C476B6A33203E21C5/analysis/

    There are many new unique ransomlocker samples released into the wild every day, and they are designed and tested to evade most security products (for a short window of time, at least).  It is important to educate end users, harden the environment, and fight them at every stage of their delivery and execution.

    This article will help prevent the delivery of future cryptolocker downloaders:

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

    A new white paper:

    Special Report: Ransomware and Businesses 2016
    https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware

    A good article:

    Ransomware protection and removal with Symantec Endpoint Protection
    http://www.symantec.com/docs/HOWTO124710

    Please do add any extra questions to this thread, or mark it solved if you have received your answer.

    With thanks and best regards,

    Mick



  • 4.  RE: Had a Zepto And Now Some Questions

    Posted Aug 19, 2016 04:44 AM

    Hi flutti,

    Just a ping to see if you have any further questions?  The thread is still marked "needs solution."

    With thanks and best regards,

    Mick



  • 5.  RE: Had a Zepto And Now Some Questions

    Posted Aug 26, 2016 04:56 AM

    Well well, the hint with the Download Protection actions already did the job to start off with.

    What exactly does the disabling of deferred scanning add to this in my case?

    Of course, there are many Crypto Lockers released every day, but a ZeroDay remains a ZeroDay.
    Fortunately, we are tackling the ZeroDay issue soon with a different solution.

    In the meantime, all we can do (and basically everyone) is to watch out and react if there is any suspicious activity.
    And mostly: Be lucky not to catch too much of these pains.