Endpoint Protection


Ransomware Detection Log & Email alerting

  • 1.  Ransomware Detection Log & Email alerting

    Posted Sep 22, 2016 09:13 PM

    Hi People,

    Can the SEP client v12.1 (the latest) be configured to send an email alert to the team when there is suspicious ransomware activity going on?

    The below free software seems promising, but obviously I'd like to stay using Symantec if possible.

    McAfee Ransomware Interceptor
    McAfee Free Tools including McAfee Ransomware Interceptor can be downloaded from: http://www.mcafee.com/us/downloads/free-tools/index.aspx


    Any help and suggestion would be greatly appreciated.

    Thanks,



  • 2.  RE: Ransomware Detection Log & Email alerting

    Posted Sep 22, 2016 09:17 PM

    Only what is built into the SEPM for alerting. You can alert on Single risk events, new risks, or outbreaks. Interceptor is specific to Ransomware. SEP clients would alert on all detections, not just ransomware.



  • 3.  RE: Ransomware Detection Log & Email alerting

    Posted Sep 22, 2016 09:28 PM

    Thanks Brian,

    But I believe by default SEPM cannot send an email alert; it did not when my client workstation was infected by ransomware a few months ago.



  • 4.  RE: Ransomware Detection Log & Email alerting
    Best Answer

    Posted Sep 22, 2016 09:32 PM

    It can if you have email alerts configured for the various risk triggers. There are multiple ones to choose from.



  • 5.  RE: Ransomware Detection Log & Email alerting

    Posted Sep 23, 2016 05:02 AM

    We got hit with zepto and SEP did not even blink at it; I guess our deployment wasn't 100% with host integrity, proactive threat protection etc.

    And you should never rely on any AV for ransomware attacks in the first place; look into AppLocker and GPO-SRP, which are far superior methods to stop ransomware (once it reaches your endpoints) in particular.



  • 6.  RE: Ransomware Detection Log & Email alerting
    Best Answer

    Posted Sep 23, 2016 08:33 AM

    Hi John,

    Thanks for the post. SEP / Symantec does not have a specific alerting mechanism that reports, "hey, these files are getting encrypted!" SONAR/PTP has some signatures which look for suspicious encrypting behavior and stops it. MS has a cool FSRM policy that can both block and alert when this activity takes place on a file server; see

    Hardening Your Environment Against Ransomware
    https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware

    for full details.

    These articles may also be of interest:

    Support Perspective: W97M.Downloader Battle Plan
    https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

    Special Report: Ransomware and Businesses 2016
    https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware

    Please do keep this thread up-to-date with your progress!

    With thanks and best regards,

    Mick  
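
    The FSRM block-and-alert policy Mick refers to, as an added example (not code from this thread or from Symantec): a file screen that rejects writes matching ransomware file patterns and emails the team. It assumes the File Server Resource Manager role service is installed, that it is run as an administrator on the file server, and that the SMTP host, mailboxes, share paths and all patterns other than `*.zepto` are placeholders to replace with your own.

```powershell
# Added example (not from the thread or Symantec): an FSRM file screen on a
# file server that blocks writes matching ransomware file patterns and emails
# the admin team when a screen fires. Assumes the File Server Resource Manager
# role service is installed and this runs as an administrator on the server.
# SMTP host, addresses, share paths and most patterns are placeholders.
Import-Module FileServerResourceManager

# Where FSRM sends mail from and to. Replace with your relay and mailboxes.
Set-FsrmSetting -SmtpServer 'smtp.example.internal' `
                -FromEmailAddress 'fsrm@example.internal' `
                -AdminEmailAddress 'secops@example.internal'

# File group of patterns to screen. '*.zepto' is the extension the Zepto
# variant mentioned in this thread appends; the rest are placeholders for
# the extensions and ransom-note names your own team tracks.
$patterns = @('*.zepto', '*.placeholder-ext', 'RANSOM_NOTE_PLACEHOLDER.*')
New-FsrmFileGroup -Name 'Ransomware Indicators' -IncludePattern $patterns

# Notification actions: email the admin team and write a Warning event the
# SIEM can collect independently of SEPM. FSRM expands the bracketed macros
# ([Source Io Owner], [Server], [Source File Path], [Violated File Group]).
$body = "User [Source Io Owner] on [Server] attempted to write [Source File Path]. " +
        "Matched file group [Violated File Group]. Check that host for encryption activity."
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
                        -Subject 'FSRM: possible ransomware activity' -Body $body
$event = New-FsrmAction -Type Event -EventType Warning -Body $body

# Active screen: blocks the write (a passive screen would only alert).
# One screen per share root; placeholder paths below.
foreach ($share in @('D:\Shares\Finance', 'D:\Shares\Engineering')) {
    New-FsrmFileScreen -Path $share -Active `
                       -IncludeGroup 'Ransomware Indicators' `
                       -Notification @($mail, $event) `
                       -Description 'Block and alert on ransomware file patterns'
}

# Confirm what is now in force on the server.
Get-FsrmFileScreen | Select-Object Path, Active, IncludeGroup
```

    A file screen only matches the names of files written to the share, so it catches variants that rename or drop notes, not one that encrypts in place and keeps the original name; treat it as one alerting layer alongside the SEPM risk triggers discussed above.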



  • 7.  RE: Ransomware Detection Log & Email alerting

    Posted Sep 26, 2016 01:34 AM

    Yes, that's what hit me as well a few weeks ago.

    The SEP deployment had all features enabled, but still it is not helping at all.



  • 8.  RE: Ransomware Detection Log & Email alerting

    Posted Sep 26, 2016 01:36 AM

    Hi Mick,

    I'm interested in the below feature that you mentioned.

    SONAR/PTP has some signatures which look for suspicious encrypting behavior and stops it.

    All of my SEP clients on workstations have it enabled, so how do I reconfigure it to stop the suspicious encrypting behaviour?



  • 9.  RE: Ransomware Detection Log & Email alerting

    Posted Sep 26, 2016 05:01 AM

    Hi John,

    Just ensure SONAR/PTP is installed and enabled and those signatures will take action when triggered. Like any other security measure it will reduce the chance of damage.

    Many thanks,

    Mick



  • 10.  RE: Ransomware Detection Log & Email alerting

    Posted Sep 26, 2016 05:17 AM

    Was the attack vector .docm files through email?

    In that case the .docm itself contained W97M.Downloader, which then downloads the encryption payload I think, but SEP still failed to block any of it.

    I think this should be expected and prepared for in advance; malicious payloads should never reach the endpoints.



  • 11.  RE: Ransomware Detection Log & Email alerting

    Posted Sep 26, 2016 10:31 PM

    Exactly yes rationalnetworks,

    It came from the personal email account and was then executed by the user on the office workstation; the damage was the file server and one desktop being encrypted.

    So what's your security measure now to prevent it?



  • 12.  RE: Ransomware Detection Log & Email alerting
    Best Answer

    Posted Sep 28, 2016 01:19 AM

    Why even allow personal email access from work?

    And for your corp network you can just look up a list of attachments to block.

    And take a look at the GPO-SRP and AppLocker features which you use with MS-AD domains.