Protecting against ransomware with Symantec Cloud Workload Protection

Article ID: 150658

Products

Cloud Workload Protection

Issue/Introduction

 

Resolution

The prevention policies shipped with Cloud Workload Protection can block the WannaCry / Petya ransomware from extracting malicious executables and installing a SYSTEM service on the servers that Cloud Workload Protection protects. You can achieve this by editing the out-of-the-box policies. Files on the file system will not be encrypted, and no dialog demanding payment is presented.

Ensure that the following policies are present in the Windows Policy Groups:

  • Windows Global Policy
  • Windows Default Policy
  • Windows OS Policy

The recommendation is to enable additional policy hardening in the Windows Default Policy. To do this:

  1. Edit the Windows Default Policy.
  2. Under Default Sandbox Additional Settings, enable the checkbox “Disable Software Install”.
  3. Save the policy group and reapply it to the agents.

Additional Considerations

For systems that are not using SMB or Windows Network File Sharing capabilities, and especially for externally facing servers, it is a best practice to reduce the network attack surface by configuring prevention policy rules to block SMB network traffic. This can be done by editing the Kernel and Global network rules.

  1. Edit the Windows Default Policy.
  2. Under Kernel Sandbox Network Inbound Rules, expand Sandbox Rules and click ‘Show Rules’.
  3. Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
  4. Under Kernel Sandbox Network Outbound Rules, expand Sandbox Rules and click ‘Show Rules’.
  5. Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445
  6. Save the Windows Default Policy.
  7. Edit the Windows Global Policy.
  8. Under Advanced Settings > Network Controls, expand ‘Inbound Network rules’ and click ‘Show Rules’.
  9. Add the following inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any, Program Path: *
  10. Expand ‘Outbound Network rules’ and click ‘Show Rules’.
  11. Add the following outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445, Program Path: *
  12. Save the policy group and reapply it to the agents.
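To check that a rule set actually covers every NetBIOS/SMB flow the lists above name (137-139 over TCP and UDP, 445 over TCP, in both directions), here is an added Python model of those deny rules. It is an illustration written for this article, not the Cloud Workload Protection rule engine or code from the product: the rule schema, first-match evaluation, the default of Allow when nothing matches, and the ordering in which a sandbox exception is consulted before the global rules are all assumptions of the model. It also shows why a leftover Windows OS Sandbox exception leaves a gap even when the global deny rules are in place.

```python
"""Added model of the SMB deny rules from this article (not CWP's engine).
Assumptions: first matching rule wins, sandbox exceptions are consulted
before global rules, and an unmatched flow is allowed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY = None  # an unset port field means "Any", as in the policy editor


@dataclass(frozen=True)
class Rule:
    action: str                       # "Deny" or "Allow"
    direction: str                    # "Inbound" or "Outbound"
    protocol: str                     # "TCP", "UDP" or "Both"
    local_port: Optional[int] = ANY
    remote_port: Optional[int] = ANY
    program_path: str = "*"           # kept for parity with the Global Policy rules

    def matches(self, direction: str, protocol: str,
                local_port: int, remote_port: int) -> bool:
        return (self.direction == direction
                and self.protocol in ("Both", protocol)
                and self.local_port in (ANY, local_port)
                and self.remote_port in (ANY, remote_port))


def smb_deny_rules() -> List[Rule]:
    """One Rule per bullet of the Kernel Sandbox lists: inbound rules key on the
    local port, outbound rules on the remote port; 137-139 for both protocols,
    445 for TCP only."""
    rules: List[Rule] = []
    for port in (137, 138, 139):
        rules.append(Rule("Deny", "Inbound", "Both", local_port=port))
        rules.append(Rule("Deny", "Outbound", "Both", remote_port=port))
    rules.append(Rule("Deny", "Inbound", "TCP", local_port=445))
    rules.append(Rule("Deny", "Outbound", "TCP", remote_port=445))
    return rules


def evaluate(rules: Iterable[Rule], exceptions: Iterable[Rule], direction: str,
             protocol: str, local_port: int, remote_port: int) -> str:
    """Return the action for one flow. Exceptions are checked first (assumed
    precedence, which is why the article says OS Sandbox exceptions must be
    removed), then the deny rules; anything unmatched is allowed (assumed)."""
    for rule in list(exceptions) + list(rules):
        if rule.matches(direction, protocol, local_port, remote_port):
            return rule.action
    return "Allow"


# The flows the article intends to block; UDP 445 is deliberately absent
# because the article only denies TCP on 445.
SMB_FLOWS: List[Tuple[str, int]] = [("TCP", 137), ("UDP", 137), ("TCP", 138),
                                     ("UDP", 138), ("TCP", 139), ("UDP", 139),
                                     ("TCP", 445)]
EPHEMERAL = 49152  # constructed client-side port used for the checks


def uncovered_smb_flows(rules: Iterable[Rule],
                        exceptions: Iterable[Rule] = ()) -> List[Tuple[str, str, int]]:
    """(direction, protocol, smb_port) triples that the policy does not deny."""
    gaps = []
    for protocol, port in SMB_FLOWS:
        if evaluate(rules, exceptions, "Inbound", protocol, port, EPHEMERAL) != "Deny":
            gaps.append(("Inbound", protocol, port))
        if evaluate(rules, exceptions, "Outbound", protocol, EPHEMERAL, port) != "Deny":
            gaps.append(("Outbound", protocol, port))
    return gaps


if __name__ == "__main__":
    rules = smb_deny_rules()
    print("gaps with a clean policy:", uncovered_smb_flows(rules))
    # A constructed leftover exception of the kind the OS Sandbox may carry.
    leftover = [Rule("Allow", "Inbound", "TCP", local_port=445)]
    print("gaps with a leftover sandbox exception:",
          uncovered_smb_flows(rules, leftover))
```

Run as a script it reports no gaps for the clean rule set and one gap, inbound TCP 445, once a single Allow exception is left in place; the same function can be fed your own exported rule list after you have gone through the Windows OS Sandbox rules.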

The Windows OS Sandbox contains hardcoded exceptions to the Global Rules for usability/stability purposes. To ensure that SMB traffic is blocked in all cases, you must go through the Windows OS Sandbox Inbound/Outbound Network rules and ensure that all such exceptions are removed.

For additional protection beyond what is delivered out of the box, the execution of all known variants of the WannaCry/Petya ransomware can be blocked by putting the executable hashes in the Global No-run List. To add a hash to the list:

  1. Edit the Windows Global Policy.
  2. Under Advanced Settings > Global Policy Lists, edit the “List of processes that services should not start [global_svc_child_norun_list]”.
  3. Click the Add button to add a parameter list entry.
  4. In the “Entry in parameter list” dialog:
    • Enter ‘*’ for the Program Path.
    • For File Hash, click the “…” button on the right-hand side.
    • In the File Hash Editor dialog, click Add.
      • Enter either the MD5 or SHA256 hash of the file.
      • Click Ok on the File Hash Editor dialog window.
      • Click Ok on the Entry in parameter list window.
  5. Add a parameter list entry for each hash value.
  6. Save the policy group and reapply it to the agents.
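The File Hash Editor accepts either an MD5 or a SHA256 digest, so before adding entries it helps to compute both for a suspect file and to keep the list you are maintaining in a form you can check files against. The following Python is an added example written for this article, not product code: it hashes files the way the editor expects, parses a plain-text no-run list (one hex digest per line with `#` comments, a format assumed here), and reports which files under a directory appear on the list. The sample files and digests are constructed (digests of an empty file and of the bytes `abc`), not hashes of any real malware.

```python
"""Added example (not CWP code): MD5/SHA256 hashing for no-run list entries and
a scan that reports which files under a directory match the list."""
import hashlib
import os
import tempfile
from typing import Iterable, List, Set, Tuple

HEX = set("0123456789abcdef")


def file_hashes(path: str, chunk: int = 1 << 20) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests, streaming so large binaries are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def load_norun_list(lines: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Parse the assumed list format: one digest per line, '#' starts a comment.
    Digest type is inferred from length (32 hex = MD5, 64 hex = SHA256);
    anything else is rejected so a typo never silently becomes a dead entry."""
    md5s: Set[str] = set()
    sha256s: Set[str] = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if set(entry) <= HEX and len(entry) == 32:
            md5s.add(entry)
        elif set(entry) <= HEX and len(entry) == 64:
            sha256s.add(entry)
        else:
            raise ValueError(f"not an MD5 or SHA256 hex digest: {raw.strip()!r}")
    return md5s, sha256s


def on_norun_list(path: str, norun: Tuple[Set[str], Set[str]]) -> bool:
    """A file is listed if either of its digests appears, matching the
    'MD5 or SHA256' choice the File Hash Editor offers."""
    md5, sha256 = file_hashes(path)
    return md5 in norun[0] or sha256 in norun[1]


def scan_tree(root: str, norun: Tuple[Set[str], Set[str]]) -> List[str]:
    """Relative paths (sorted) of files under root whose hash is on the list."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if on_norun_list(full, norun):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo() -> List[str]:
    """Constructed scenario: three files and a list holding one MD5 and one SHA256."""
    norun = load_norun_list([
        "# constructed no-run list: digests of an empty file and of b'abc'",
        "d41d8cd98f00b204e9800998ecf8427e   # MD5 of the empty file",
        "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  # SHA256 of b'abc'",
    ])
    with tempfile.TemporaryDirectory() as root:
        samples = (("empty.bin", b""), ("abc.bin", b"abc"), ("other.bin", b"not listed"))
        for name, data in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root, norun)


if __name__ == "__main__":
    print("files on the no-run list:", demo())
```

Because the editor takes the digest as typed, keep the list in lower-case hex and let `load_norun_list` reject malformed lines; an entry that is off by one character matches nothing and gives no warning in the policy.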