Endpoint Protection

  • 1.  Monitoring and alerting %APPDATA% folder and the %TEMP% folder on the system

    Posted Sep 07, 2016 04:34 AM

    People,

    Two common areas where the ransomware typically executes from are the %APPDATA% folder and the %TEMP% folder on the system. 


    Looking for any file executing from these locations is a good way to spot ransomware before it has actually had a chance to encrypt files. 

    Does SEP client have some rules to monitor for file executions from these folders, as well as to look for file executions from the location and the creation of the files in the above directory ? 

    Thanks in advance.



  • 2.  RE: Monitoring and alerting %APPDATA% folder and the %TEMP% folder on the system

    Posted Sep 07, 2016 06:58 AM

    This wildcard option is yet to get implemented in SEP 12.

    Which variables and wildcards does Endpoint Protection allow in Centralized Exception Policies?

    https://support.symantec.com/en_US/article.TECH106068.html



  • 3.  RE: Monitoring and alerting %APPDATA% folder and the %TEMP% folder on the system

    Posted Sep 07, 2016 07:13 AM

    You can use Application and Device Control. For example, to log launching processes from %APPDATA% and %TEMP%, create an ADC ruleset. First, create a rule with the asterisk "*" as process:

    (screenshot: appdata01.png)

    Then a "Launch Process Attempts" condition with %APPDATA%\* and %TEMP%\*:

    (screenshot: appdata02.png)

    It's also possible to write %APPDATA%\*\* to cover all nested subfolders below %APPDATA% as well.

    Under "Actions", allow and log execution:

    (screenshot: appdata03.png)

    To log file creation in %APPDATA%, use the "File and Folder Access Attempts" condition instead of "Launch Process Attempts".

    HTH!
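    To make the wildcard behaviour of the rule above concrete, here is an added example (my own code, not from this thread and not Symantec's ADC engine) that emulates a log-only "Launch Process Attempts" rule over a few constructed process-launch events. The environment values, the event list and the wildcard semantics are assumptions: "*" is taken to match within a single path component, and a trailing "\*\*" to match any depth below the folder, which is how the post describes the two forms.

```python
"""Emulate a log-only ADC 'Launch Process Attempts' rule (added example,
not the thread's or Symantec's code). Assumed semantics: '*' matches any
text within one path component; a trailing '\\*\\*' matches any depth."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample environment; on a real client these come from the session.
ENV: Dict[str, str] = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}


def expand_vars(pattern: str, env: Dict[str, str] = ENV) -> str:
    """Replace %VAR% tokens with their values; unknown tokens are left as-is."""
    return re.sub(r"%([A-Za-z_]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an ADC-style path pattern into an anchored, case-insensitive regex."""
    expanded = expand_vars(pattern)
    if expanded.endswith(r"\*\*"):
        # Nested form: folder followed by one or more path components.
        base = expanded[:-len(r"\*\*")]
        return re.compile(re.escape(base) + r"\\.+", re.IGNORECASE)
    # Flat form: each '*' matches only within a single path component.
    regex = r"[^\\]*".join(re.escape(part) for part in expanded.split("*"))
    return re.compile(regex, re.IGNORECASE)


@dataclass
class Rule:
    name: str
    process: str                      # '*' = any launching process
    launch_patterns: List[str]        # 'Launch Process Attempts' condition
    action: str = "allow_and_log"     # or 'block' (never 'terminate', see post 7)


def evaluate(rule: Rule, event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a log record if the launched image matches, else None."""
    if rule.process != "*" and not pattern_to_regex(rule.process).fullmatch(event["parent"]):
        return None
    for pat in rule.launch_patterns:
        if pattern_to_regex(pat).fullmatch(event["child"]):
            # The record keeps the parent (e.g. explorer.exe) so an operator can
            # see who launched the file; the action applies to the child launch.
            return {"rule": rule.name, "action": rule.action, "matched": pat,
                    "parent": event["parent"], "child": event["child"]}
    return None


def run(rule: Rule, events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply one rule to every event and collect the resulting log records."""
    return [rec for rec in (evaluate(rule, e) for e in events) if rec]


# Constructed events: (launching process, image being launched).
EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "child": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"parent": "winword.exe", "child": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"parent": "explorer.exe", "child": r"C:\Users\alice\AppData\Roaming\Vendor\sub\tool.exe"},
    {"parent": "explorer.exe", "child": r"C:\Program Files\App\app.exe"},
]

FLAT_RULE = Rule("appdata-temp-flat", "*", [r"%APPDATA%\*", r"%TEMP%\*"])
NESTED_RULE = Rule("appdata-temp-nested", "*", [r"%APPDATA%\*\*", r"%TEMP%\*\*"])

if __name__ == "__main__":
    for rule in (FLAT_RULE, NESTED_RULE):
        for rec in run(rule, EVENTS):
            print(f"[{rec['rule']}] {rec['action']}: {rec['parent']} -> {rec['child']}")
```

    Running it shows the difference the post points out: the flat patterns catch only files sitting directly in %APPDATA% and %TEMP%, while the "\*\*" form also catches the image launched from a nested vendor subfolder. Either way the rule produces records only; sending mail is a separate notification, as post 7 explains.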



  • 4.  RE: Monitoring and alerting %APPDATA% folder and the %TEMP% folder on the system

    Posted Sep 07, 2016 07:28 PM

    @Rafeeq, OK, so if that is not the case, then what is the suggested implementation plan to prevent a ransomware incident from happening on the file server and workstations?



  • 5.  RE: Monitoring and alerting %APPDATA% folder and the %TEMP% folder on the system

    Posted Sep 07, 2016 07:30 PM

    @Greg, thanks for the suggestion mate, so with the rule that you've suggested above, it is just basically reporting / sending an email alert to the IT team whenever there is suspicious activity happening in those two monitored directories.

    Is that correct?

    I assume that when I select Terminate Process or Block it would then stop it safely.



  • 6.  RE: Monitoring and alerting %APPDATA% folder and the %TEMP% folder on the system

    Posted Sep 08, 2016 06:29 AM

    Hi John,

    ADC is a good additional extra step toward bolstering defenses against malware and ransomware. This article may help as well:

    https://www.symantec.com/connect/articles/strengthening-anti-virus-security-prevent-ransom-ware-derivative-trojancryptolocker-family-

    Definitely be sure to stop those ransomware threats as far away from the file servers as possible, preferably at the mail server!

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

    With thanks and best regards,

    Mick




  • 7.  RE: Monitoring and alerting %APPDATA% folder and the %TEMP% folder on the system

    Posted Sep 08, 2016 06:54 AM

    > @Greg, thanks for the suggestion mate, so with the rule that you've suggested above, it is just basically reporting / sending an email alert to the IT team whenever there is suspicious activity happening in those two monitored directories.
    >
    > Is that correct?

    It's only logging. To send E-Mail, you have to enable the option "Send E-Mail Alert" and create a notification:

    Monitors > Notifications > Notification Conditions > Add ... > Client Security Alert. The form could be edited like this: 

    (screenshot: appdata04.png)

    > I assume that when I select Terminate Process or Block it would then stop it safely.

    To stop safely, only use Block access. Don't use Terminate Process, which kills the application (e.g. Windows Explorer) that launches the process you want to block. In the worst case the desktop crashes.