Common Anti-virus product vs Ransomware

(Cesare Vitali) #1

Hi, there are some possibilities for a standard antivirus product such as McAfee VirusScan or similar to fight the ransomware danger, working only on the server or central control (like ePO) side.
I work with small companies where users refuse to use security-aware policies, so what can I do to secure them without blocking everything?
I also cannot use multiple-extension mail attachment blocking policies, because of application problems.
I think it’s a little frustrating… but I’m open to suggestions


Why not block from the firewall? We use SonicWALL appliances that block viruses and ransomware. Also, check out Webroot for end user and server systems. Webroot support will help with a ransomware attack if it happens.


I second Webroot - it's definitionless. My org uses it and has seen great things from it - very low system resources, and being definitionless and cloud based in its detection methods, it's ALWAYS up to date. But remember there are a number of things to take into advisement regarding ransomware - blocking file types on file shares, shadow backups, GOOD backups that cannot be overwritten, blocking of botnet activity, malware, and other garbage at the firewall level with web filtering, user education, and blocking exe's, vbs's and bats from running out of all Windows temp directories.

(Justin Graves) #4

We started with our firewall and only open ports as needed. And if possible the ports are only allowed to certain IPs or URLs.

We also use Webroot which has a decent rollback feature built into it. Webroot is just a great product overall.


Per another user’s comments, your firewall can help here. Many, if not most, Ransomware need to contact their command and control before fully executing. We’ve had success with Cisco Meraki security appliances blocking the outbound traffic to the Ransomware C&C site.


Without a real firewall you’re somewhat naked and local AV will not realistically be effective against anything but crypto’s from last year, maybe. You can lock down the firewall but in many places this is not viable if it impedes users. Variants emerge rapidly, in general local AV is not to be trusted and should not give you a sense of security… If it was, there wouldn’t be such a need for training staff to avoid the phish hooks. Shops out there creating decrypt tools can’t keep up with new variants week to week, although those are tools of last resort anyway.
Do all you can with group policy on the PCs without pissing off the customers to limit the damage they can do. Make sure they don't have admin privileges.

(IT) #7

Using as a CEO Fraud Filter: I have email for about 100 users running through for a first level of protection. We are a frequent target of CEO fraud. Bad guys set up a gmail account with a CEO alias and attempt to get AP to wire money. I found a way to craft a rule in Symantec's "Data Protection" to alert when variations of the CEO's name appear in the header if the FROM doesn't match the email address whitelist. Pretty effective. Still need user training, but a good alert.
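The display-name rule described in the post above, as an added example that is not part of the thread or of any vendor product: it alerts when the From display name looks like a protected executive (including "Last, First" and extra-title variations) but the sending address is not on that executive's allowlist. The executive names, allowlist and sample headers are constructed.

```python
# Added example (not from the thread): a display-name impersonation check
# modelled on the alert rule described above. Executive names and the
# allowlist of legitimate sender addresses are constructed sample data.
from __future__ import annotations
import re
from email.utils import parseaddr

# Constructed: executives to protect and the addresses they really send from.
EXECUTIVES = {"Jane Doe": {"jane.doe@example.com", "jdoe@example.com"}}


def _name_tokens(name: str) -> set[str]:
    """Lower-case alphabetic tokens so 'Doe, Jane', 'JANE DOE' and 'Jane  Doe' all match."""
    return set(re.findall(r"[a-z]+", name.lower()))


def check_from_header(from_header: str) -> dict | None:
    """Return an alert dict if the display name names a protected executive
    but the address is not on that executive's allowlist; otherwise None."""
    display, address = parseaddr(from_header)
    address = address.lower()
    display_tokens = _name_tokens(display)
    if not display_tokens:
        return None
    for exec_name, allowed in EXECUTIVES.items():
        # Match when every token of the executive's name appears in the display
        # name; this catches "Jane Doe", "Doe, Jane" and "Jane Doe (CEO)".
        if _name_tokens(exec_name) <= display_tokens and address not in allowed:
            return {"executive": exec_name, "display": display, "address": address}
    return None


def scan_headers(headers: list[str]) -> list[dict]:
    """Run the check over a batch of From headers, returning only the alerts."""
    return [a for a in (check_from_header(h) for h in headers) if a]


# Constructed sample From headers: one legitimate executive, two lookalike
# senders using a free-mail address, one unrelated user.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    '"Doe, Jane" <janedoe.ceo@gmail.com>',
    "Jane Doe (CEO) <jdoe1234@gmail.com>",
    "Bob Smith <bob@example.com>",
]

if __name__ == "__main__":
    for alert in scan_headers(SAMPLE_FROM_HEADERS):
        print(alert)
```

In production the allowlist would come from the directory rather than a literal, and the alert would feed the mail gateway's quarantine or a SIEM rule rather than stdout.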