Endpoint Protection

  • 1.  Other methods to combat Cryptolocker

    Posted Oct 18, 2016 08:52 PM

    Hi All,

    A few days ago we had a computer infected with .zepto ransomware. It was accessed by someone opening an invoice (Word doc) thinking it was legit through Hotmail. Now while there are other avenues to preventing this (stopping access to Hotmail is one way), I'm more interested in what else can be done at the SEP client level.

    I came across a SEP forum post on using Application device control, and while I did test that, I get bombarded with 900 entries of any minor/major legit changes to file formats, which I don't think is going to work for me.

    Is there anything else someone can point out/discuss with me?

    Thank you

    ZC



  • 2.  RE: Other methods to combat Cryptolocker

    Posted Oct 18, 2016 09:09 PM

    Symantec has multiple articles with some helpful stuff:

    Ransomware removal and protection with Symantec Endpoint Protection

    Additional information about Ransomware threats

    Preventing ransomware attacks with Download Insight

    Application control is really helpful and does a great job, but as you've seen it will take tuning to get it to what works for you. Using System Lockdown (whitelisting) is another option, but again, much tuning may be needed to start.

    If ADC or System Lockdown are not much of an option, then make sure you have your AV policy set to be more secure. You may need to kick Download Insight up a notch or two (more false positives potentially), and use SONAR and IPS as well.

    There are options outside of SEP as well:

    https://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated

    What does your perimeter look like? Mail gateway scanning, NIPS, firewall in place and tuned?



  • 3.  RE: Other methods to combat Cryptolocker

    Posted Oct 19, 2016 05:21 AM

    Hi ZC,

    ADC is one additional step, but there are other measures that should be taken as well.

    Hardening Your Environment Against Ransomware
    https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware

    With thanks and best regards,

    Mick