The new module 'Ransomware encryption Protection' has the purpose to detect processes that encrypt files on the endpoint with malicious intent.
In this article you will find:
1. Windows Service - the installation process
2. How it works
4. Dashboard view
1. Windows Service
Upon installing the agent, a new windows service will be installed: Heimdal Insights.
The service is responsible for permanently scanning the active processes and mapping out each process action, as well as searching for encryption patterns in running processes.
The Heimdal Insights service will run only if the module is enabled in the Group Policy.
The module is available only for enterprise customers, not for consumers. Even if the service is being installed, home users will never see it running.
2. How it works
The module is processing kernel events for IO reads, writes, directory enumeration, and file execution. Patterns are being matched against the collected events after studying the same patterns that are being created by actual ransomware. The engine will allow 3 files to get encrypted until it will give the verdict that the process is suspicious. Once flagged, details about the suspicious process are being gathered and sent to the Heimdal servers. Details include the process command line arguments, the network connections (IP and port), read/write operation count at the moment of detection, and as well the process tree from the suspicious process, trace-back until the root process.
* kernel events- some of these rootkits resemble device drivers or loadable modules, giving them unrestricted access to the target computer. These rootkits avoid detection by operating at the same security level as the OS.
Examples include FU, Knark, Adore, Rkit, and Da IOS.
The actual agent has no user interface for this module at this point. However, there is an option in the group policy that will allow the agent to show balloon notifications when a suspicious process event arrives.
4. Dashboard view
You can find this option on the left-side menu, at the Endpoint under your Next-gen Antivirus module.
Latest detections view
The main dashboard view should show the latest detections found, according to the timeframe selected.
There is the ability to filter the events by various columns, and there are 2 icons present in the “Process Name” column: a link to virus total, to check the file based on its MD5, and a (F)orensics icon, that will drill down to inspect the detection further. There’s also the option to export this view as a CSV file.
There is also an option to exclude one or more detections, in case of false positives. Clicking the exclude button (after selecting at least one detection) will bring out a popup, asking the user more details about the exclusion.
The options are to get the exclusion into one or more (or all) group policies, and the exclusion could be done by file name or by file path:
This is the view where you are able to see the hostnames with the most detections:
This option takes the user to the client specifics view, by clicking a hostname from any of Encryption Detection’s main views. Here, the same view as the “Latest detections view” is being shown, filtered by that specific hostname, and without the redundant hostname column.
The same exclude option is available from here, as well:
By clicking the (F)orensics button (or the process name) will navigate the user to the Alert Details page. Here, the whole process tree will be shown, with the suspicious process selected by default and it’s details (network connections, MD5, path, username, etc.) shown.
You are also able to click various nodes ( points) in the tree and it will dynamically show you the node's properties.
In the above view, the user has an option to select one or more network connections and choose to block in firewall (if the module is enabled for the customer) the respective remote IP (Destination IP). Clicking “Block in firewall” will open a similar popup, asking the user for the group policy(policies) for which a new firewall block rule will be created, for that specific IP (the port won't be taken in consideration, all ports will be blocked for the selected IP(s)).
Behavior: The user can verify the encrypted files by going at the same view:
Left view of the Dashboard, under the Endpoint Detection module: Ransomware Encryption Protection - Latest view detection - Click on the Forensics button ( Alert details).
The Encryption Detection settings are found under Endpoint Detection as well. Here you will find a list of options that you can use:
A tick box for enabling/disabling the module, a tick box for enabling agent balloon notifications, and an exclusions control, allowing the user to add exclusions by file name, file path or directory, as well as importing a CSV of exclusions.
1. Enabling the option
2. Default action on detection - choose 'block' to instantly terminate the detected process and prevent it from running again, unless excluded.
3. Enable balloon notifications - enabling this feature will allow you to see balloon notifications when an encryption is detected.
4. Exclusion list - you can exclude files by name, path or directory.
In the right view, you will see two options: Import and Sample CSV
*You are able to add any domain or CSV file using the Import tool.
*On the Sample CSV the user can find an example of how the CSV file must look:
c:\Test,Directory name.exe,FileName C:\Test\User\test.exe,FilePath
5. Use drive source - enabling this feature will install and use a kernel mini-filter driver, improving the speed of detection.
Pay attention! This option needs a higher memory because the consumption will increase by adding it.