In this article, you will learn everything you need to know about the Ransomware Encryption Protection (REP) module. REP detects processes that encrypt files on the endpoint with malicious intent.
1. Description
2. How does Ransomware Encryption Protection work?
3. HEIMDAL Agent - Ransomware Encryption Protection
4. Ransomware Encryption Protection view
5. Ransomware Encryption Protection settings
DESCRIPTION
Ransomware Encryption Protection is a revolutionary 100% signature-free solution that protects your devices against malicious encryption attempts initiated during ransomware attacks. Ransomware Encryption Protection extends the functionality of the traditional antivirus, becoming a solution capable of preventing and protecting your endpoints against any type of ransomware attack.
HOW DOES RANSOMWARE ENCRYPTION PROTECTION WORK?
Ransomware Encryption Protection operates on behavioral analysis: it triggers detections based on rules that mimic ransomware behavior, and it processes kernel events for I/O reads, writes, directory enumeration, and file execution. Patterns are matched against the collected events after studying the same patterns that are being created by actual ransomware. The engine will allow approximately 3 average-size files to get encrypted until it gives the verdict that the process is suspicious. Depending on the size of the files and the speed of the ransomware, more files could get encrypted; for example, ransomware could easily encrypt more than 3 files of 20 KB each.
Once flagged, details about the suspicious process are gathered and sent to the HEIMDAL servers. These details include the process command-line arguments, the network connections (IP address and port), the read/write operation count at the moment of detection, and the process tree from the suspicious process with trace-back to the root process.
The Ransomware Encryption Protection module is based on the new Windows service called Heimdal Insights. The service is responsible for permanently scanning the active processes and mapping out each process action, as well as searching for encryption patterns in the running processes. The Heimdal Insights service will run only if the module is enabled in the Group Policy. If REP is disabled in the Group Policy, the Heimdal Insights service will be present but will not run.
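
The verdict logic described above can be pictured with a small model. The following Python is an added illustration, not HEIMDAL's engine: the rule (a process enumerates a folder, reads a file, then overwrites it in place with high-entropy data), the entropy cut-off, the event tuple format and the sample events are assumptions; only the threshold of 3 files comes from the article.

```python
import math
from collections import Counter, defaultdict

THRESHOLD = 3      # from the article: about 3 files are encrypted before the verdict
ENTROPY_MIN = 7.5  # assumed cut-off in bits per byte for "looks encrypted"

def entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events):
    """events: (pid, op, path, data) tuples, op in {'enum', 'read', 'write'}.
    Returns {pid: verdict} for every process that reaches THRESHOLD."""
    listed, was_read = defaultdict(set), defaultdict(set)
    hits, ops, verdicts = defaultdict(list), defaultdict(Counter), {}
    for pid, op, path, data in events:
        if pid in verdicts:      # already flagged; a blocking engine stops it here
            continue
        path = path.lower()
        ops[pid][op] += 1
        if op == "enum":
            listed[pid].add(path)
        elif op == "read":
            was_read[pid].add(path)
        elif op == "write":
            folder = path.rsplit("\\", 1)[0]
            # Assumed rule: in-place overwrite of a file the process itself read,
            # in a folder it enumerated, with data that looks like ciphertext.
            if (path in was_read[pid] and folder in listed[pid]
                    and path not in hits[pid] and entropy(data) >= ENTROPY_MIN):
                hits[pid].append(path)
                if len(hits[pid]) >= THRESHOLD:
                    verdicts[pid] = {"files": list(hits[pid]),
                                     "reads": ops[pid]["read"],
                                     "writes": ops[pid]["write"]}
    return verdicts

# Constructed sample: 4120 rewrites documents in place, 900 copies them to a
# backup folder, 1500 edits them in place with ordinary text.
CIPHER, TEXT = bytes(range(256)) * 16, b"quarterly report " * 200
DOCS = "C:\\Users\\a\\Documents"
SAMPLE = [(pid, "enum", DOCS, b"") for pid in (4120, 900, 1500)]
for name in ("a.docx", "b.xlsx", "c.pdf", "d.txt"):
    f = DOCS + "\\" + name
    SAMPLE += [(4120, "read", f, b""), (4120, "write", f, CIPHER),
               (900, "read", f, b""), (900, "write", "D:\\Backup\\" + name, TEXT),
               (1500, "read", f, b""), (1500, "write", f, TEXT)]
```

Calling `detect(SAMPLE)` flags only PID 4120, and the verdict lists the three files that were already overwritten when it fired, which is why restorable backups still matter alongside the module.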
HEIMDAL AGENT - RANSOMWARE ENCRYPTION PROTECTION
The HEIMDAL Agent displays information about the Found Detections, the Total Processes, and the Latest Detection time. The Ransomware Encryption Protection section includes information about the number of detections, the Process Name, the PID, the Owner, the Date, and the Status.
RANSOMWARE ENCRYPTION PROTECTION VIEW
The Ransomware Encryption Protection view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information refers to the detected processes intercepted by the HEIMDAL Agent engine. At the top, you see a statistic regarding the number of Detections Found.
The collected information is placed in the following views: Endpoint Detections, Hostname/Detections, and Cloud Detections.
- Endpoint Detections
This view displays a table with the following details: Hostname, Username, Process Name, Blocking Reason, PID, Owner, Status, and Timestamp. This view allows you to select one or multiple infected files and exclude them or add them to storage.
In the Process Name column, you can click on the hamburger menu to access VirusTotal (to get a detailed VirusTotal analysis), the Forensic details (to get the Process details), or copy the file path to the clipboard. The Statuses can be Blocked (when a process is intercepted and blocked at the REP level) or Detected (when the process is intercepted and reported in the HEIMDAL Dashboard when Reporting mode is enabled). Please be aware that we have a retention policy of 90 days in place for the REP entries. That means that all the entries from the Endpoint Detections view older than 90 days will be removed.
- Hostname/Detections
This view displays a table with the following details: Hostname, Username, and Number of Matches.
- Cloud Detections
This view displays a table with the following details: Email, AD Groups, Number of affected files, User's session revoked, and Timestamp. This view is populated if Ransomware Encryption Protection for Cloud is enabled.
The Process Details view gives information on the parent process and the spawned processes, their PIDs, username, File Name, Path, Command-Line, Thread Count, top 3 encrypted files, Write Operations, Read Operations, MD5, Signature, and Owner.
You also get information on the Network Activity of the detected process, where you can select one or multiple IP Addresses to block them in the Firewall (on one, multiple, or all Group Policies).
Exclusions can be made by selecting one or more detections and by pressing the Exclude and Apply buttons from the dropdown menu. This opens a modal that allows you to exclude the file(s) on one or multiple Group Policies, or all Group Policies. The detection(s) can be excluded by File Name, Folder Path, File Path or MD5.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Allowed or Blocked detections.
RANSOMWARE ENCRYPTION PROTECTION SETTINGS
The Ransomware Encryption Protection module detects processes that perform encryption operations on files on the endpoint with malicious intent. The product processes kernel events for I/O reads, writes, directory enumeration, and file execution. Patterns are matched against the collected events after studying the same patterns that are being created by actual ransomware. The engine will allow 3 files to get encrypted until it gives the verdict that the process is suspicious. Once flagged, details about the suspicious process are gathered and sent to the Heimdal servers.
Ransomware Encryption Protection - turn ON/OFF the Ransomware Encryption Protection module.
General Settings
Reporting mode - enabling it will report the processes detected by Ransomware Encryption Protection without blocking them.
Agent Balloon Notifications - allows you to turn ON/OFF the Agent balloon notifications when encryption is detected.
Agent Balloon Notification Persistence - this feature will allow you to see the agent balloon notification until you close it.
Exclusions - allows you to exclude a filename, file path, directory path, MD5, or wildcard (*\MyFolder\*, *\MyFolder\*.exe, D:\*\MyFolder\*, D:\*\MyFolder\*.exe, *\Folder\app.exe, C:\Folder\*, C:\Folder\*\folder2\app.exe) from being blocked by the REP module. The Exclusions section has a Download button that will download a CSV Report with the exclusions list.
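
Wildcard exclusions are worth reviewing for how far they reach, since anything they cover is not blocked by the REP module. The following Python is an added audit sketch, not HEIMDAL code: the matching semantics (`*` spans backslashes, case-insensitive, whole-path match), the probe paths and the user-writable roots are assumptions; only the patterns come from the article.

```python
import re

def to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumed semantics: '*' matches any run of characters, backslashes
    included; the match is case-insensitive and covers the whole path."""
    return re.compile(".*".join(map(re.escape, pattern.split("*"))), re.IGNORECASE)

def audit(patterns, probes, writable_roots):
    """Return {pattern: [probe paths under a user-writable root it would exclude]}."""
    roots = tuple(r.lower() for r in writable_roots)
    report = {}
    for pat in patterns:
        rx = to_regex(pat)
        covered = [p for p in probes
                   if p.lower().startswith(roots) and rx.fullmatch(p)]
        if covered:
            report[pat] = covered
    return report

# Wildcard forms listed in the article.
PATTERNS = [r"*\MyFolder\*", r"*\MyFolder\*.exe", r"D:\*\MyFolder\*",
            r"D:\*\MyFolder\*.exe", r"*\Folder\app.exe", r"C:\Folder\*",
            r"C:\Folder\*\folder2\app.exe"]

# Constructed values for a hypothetical estate: roots that ordinary users can
# write to, and sample file locations to test the exclusions against.
WRITABLE = ["C:\\Users\\", "D:\\Shares\\Public\\"]
PROBES = [r"C:\Users\alice\Downloads\MyFolder\setup.exe",
          r"D:\Shares\Public\MyFolder\tool.exe",
          r"C:\Users\alice\AppData\Local\Temp\Folder\app.exe",
          r"C:\Folder\bin\app.exe",
          r"C:\Folder\v2\folder2\app.exe"]

if __name__ == "__main__":
    for pat, paths in audit(PATTERNS, PROBES, WRITABLE).items():
        print(f"{pat}  also excludes:")
        for p in paths:
            print(f"    {p}")
```

Run it with the patterns from the downloaded exclusions CSV and probe paths from your own environment. In this sample the five patterns that start with `*` or contain a wildcard directory segment reach user-writable locations, while `C:\Folder\*` and `C:\Folder\*\folder2\app.exe` do not.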