Advanced variant of Petya update
On June 27, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving an advanced variant of the ransomware named Petya. These attacks are targeting and have affected users in various countries across the globe. For more information, visit Symantec’s Petya ransomware outbreak page.
Windows-based systems
Does SES: CSP protect against the Petya dropper?
The out-of-the-box capability of the Symantec Embedded Security: Critical System Protection (SES: CSP) Windows prevention policies to restrict software installation and executable modification protects your Windows-based systems from the Petya dropper that installs the boot loader. All three levels of the SES: CSP Windows prevention policy strategy (Basic, Hardening, and Whitelisting) protect Windows-based systems against the Petya dropper attack.
How does the advanced variant of Petya propagate from one system to another?
Even if the initial Petya dropper was not directed at a protected system, the infection can still spread from one system to another. If two systems are on the same network domain, the primary mechanisms through which the Petya encrypting ransomware may spread laterally from a compromised system A (a system on which no protection against Petya has been set up) to a protected system B (a system on which SES: CSP has been installed) are as follows:
Does SES: CSP protect against the propagation of the advanced variant of Petya through privilege escalation with PSExec and WMI?
By default, the out-of-the-box SES: CSP Windows prevention policies protect against the propagation of the advanced variant of Petya through privilege escalation with PSExec and WMI on Windows systems.
Does SES: CSP protect against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
Depending on the Windows architecture (32-bit or 64-bit), SES: CSP protects your systems against propagation of the advanced variant of Petya through the Eternal Blue exploit as follows:
What changes are required in an SES: CSP (version 7.1) Windows prevention policy to protect an unpatched 64-bit Windows-based system against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
Perform the following actions in the applied Windows prevention policy (for Basic, Hardening, and Whitelisting Windows prevention policy strategies):
The above changes in the Windows prevention policy for SES: CSP version 7.1 ensure that your Windows-based systems are protected against the advanced variant of Petya that leverages rundll32.exe to execute the malicious DLL after the Eternal Blue exploit is triggered.
What changes are required in an SES: CSP (versions earlier than 7.1) Windows prevention policy to protect an unpatched 64-bit Windows-based system against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
Perform the following actions in the Windows prevention policy (for Basic, Hardening, and Whitelisting Windows prevention policy strategies):