In this article, you will learn everything you need to know about the Endpoint Detection - Ransomware Encryption Protection module. REP has the purpose of detecting processes that encrypt files on the endpoint with malicious intent.
1. How does Ransomware Encryption Protection work?
3. HEIMDAL Agent - Ransomware Encryption Protection
4. Endpoint Detection - Ransomware Encryption Protection view
5. Endpoint Detection - Ransomware Encryption Protection settings
Ransomware Encryption Protection is a revolutionary 100% signature-free solution that protects your devices against malicious encryption attempts initiated during ransomware attacks. Ransomware Encryption Protection extends the functionality of the traditional antivirus, becoming a solution capable of preventing and protecting your endpoints against any type of ransomware attack.
HOW DOES RANSOMWARE ENCRYPTION PROTECTION WORK?
The REP module is processing kernel events for I/O reads, writes, directory enumeration, and file execution. Patterns are being matched against the collected events after studying the same patterns that are being created by actual ransomware. The engine will allow 3 files to get encrypted until it will give the verdict that the process is suspicious. Once flagged, details about the suspicious process are being gathered and sent to the HEIMDAL servers. These details include the process command line arguments, the network connections (IP Address and Port), read/write operation count at the moment of detection, and as well the process tree from the suspicious process with trace-back to the root process. The Ransomware Encryption Protection module is based on the new Windows service called Heimdal Insights. The service is responsible for permanently scanning the active processes and mapping out each process action, as well as searching for encryption patterns in the running processes. The Heimdal Insights service will run only if the module is enabled in the Group Policy. If REP is disabled in the Group Policy, the Heimdal Insights service will be present but will not run.
HEIMDAL AGENT - RANSOMWARE ENCRYPTION PROTECTION
The HEIMDAL Agent has no user interface for this module at this point. However, there is an option in the group policy that will allow the agent to show balloon notifications when a suspicious process event arrives.
ENDPOINT DETECTION - RANSOMWARE ENCRYPTION PROTECTION view
The Endpoint Detection - Ransomware Encryption Protection view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected processes intercepted by the HEIMDAL Agent engine. On the top, you see a statistic regarding the number of Detections Found.
The collected information is placed in the following views: Latest Detections view, and Hostname/Detections view.
- Latest Detections view
This view displays a table with the following details: Hostname, Username, Process Name, Blocking Reason, PID, Owner, Status, and Timestamp. This view allows you to select one or multiple infected files and to exclude it/them or add it/them to storage.
In the Process Name column, you can click on the process (or on the Forensics 'F' icon) to see the process details or you can click on the VirusTotal icon to get a detailed VirusTotal analysis.
The Process Details view gives information on the parent process and the spawned processes, their PIDs, username, File Name, Path, Command-Line, Thread Count, top 3 encrypted files, Write Operations, Read Operations, MD5, Signature, and Owner.
You also get information on the Network Activity of the detected process, where you can select one or multiple IP Addresses to block them in the Firewall (on one, multiple, or all Group Policies).
Exclusions can be made by selecting one or more detections and by pressing the Exclude and Apply buttons from the dropdown menu. This will pop up the following modal that allows you to exclude the file(s) on one or multiple Group Policies, or all Group Policies. The detection(s) can be excluded by File Name, Folder Path, File Path or MD5:
- Hostname/Detections view
This view displays a table with the following details: Hostname, Username, and Number of Matches.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Allowed or by Blocked detections.
ENDPOINT DETECTION - RANSOMWARE ENCRYPTION PROTECTION settings
The Ransomware Encryption Protection module detects processes that perform encryption operations on files on the endpoint with malicious intent. The module is processing kernel events for IO reads, writes, directory enumeration, and file execution. Patterns are being matched against the collected events after studying the same patterns that are being created by actual ransomware. The engine will allow 3 files to get encrypted until it will give the verdict that the process is suspicious. Once flagged, details about the suspicious process are being gathered and sent to the Heimdal servers.
Ransomware Encryption Protection - turn ON/OFF the Ransomware Encryption Protection module;
Default action on detection - allows you to set whether to allow or block an intercepted malicious process. Choosing the block action will terminate the intercepted process and prevent it from running again unless the process is excluded;
Agent Baloon Notifications - allows you to turn ON/OFF the Agent balloon notifications when encryption is detected;
Exclusions - allows you to exclude a filename, file path, directory path, or MD5 from being blocked by the REP module.