In this Tech Brief we describe the optimal settings of our ESET security solutions against the current form of ransomware and the most common infection scenarios. The goal is to protect our customers even better against a ransomware outbreak where valued data can be encrypted and/or held hostage, only to be released after a ransom is paid.
Current ransomware attacks use advanced infection techniques to get malware onto your device. They persuade people to execute a so-called dropper, which in turn downloads the malware payload and starts the encryption process. By attaching the dropper to an email, cybercriminals try to avoid detection at the point of entry.
In most cases a well-crafted phishing mail is used with a ZIP file as attachment. This ZIP file most commonly contains a JavaScript file of the type .JS. Because JavaScript is used by numerous websites, it cannot simply be blocked in the browser. Besides that, Windows also runs .JS files directly, outside the browser.
Meanwhile, the JavaScript code in the dropper is heavily obfuscated, mangled and continuously modified in order to evade detection. Because the dropper still has to run through standard system processes, the security modules described below can intervene in the execution of potentially malicious code at those points.
Antispam
With the right antispam rules, incoming email is already filtered on the mail server itself. This ensures that an attachment carrying the malicious dropper never reaches the end user's mailbox, so the ransomware is not given the chance to execute.
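As an added illustration of the antispam stage described above (example code, not ESET's own rule set), the following Python script inspects a raw message for ZIP attachments that carry Windows Script Host file types such as the .JS dropper the brief describes. The sample message, the extension list and the nesting limit are constructed for this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host runs directly on double-click.
# Constructed list for this example; .js is the case the brief describes.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

def script_members(zip_bytes: bytes, depth: int = 0, max_depth: int = 2) -> list:
    """Return the script file names inside a ZIP, descending into nested ZIPs."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if name.endswith(SCRIPT_EXTENSIONS):
                    found.append(info.filename)
                elif name.endswith(".zip") and depth < max_depth:
                    found.extend(script_members(zf.read(info), depth + 1, max_depth))
    except (zipfile.BadZipFile, RuntimeError):
        # Not a ZIP, or an encrypted inner ZIP we cannot open: nothing more to list.
        pass
    return found

def suspicious_attachments(raw_mail: bytes) -> list:
    """Parse a raw RFC 822 message and report ZIP attachments that carry script files."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the ZIP magic bytes too, so a renamed archive is not missed.
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            hits.extend(f"{filename}:{member}" for member in script_members(payload))
    return hits

def build_sample_mail() -> bytes:
    """Construct a sample phishing-style message with a ZIP holding a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// placeholder content, not a real dropper\n")
    msg = EmailMessage()
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)

if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample_mail()):
        print("quarantine:", hit)
```

Any hit is a candidate for quarantine at the mail server, before the attachment reaches a mailbox.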
Firewall
Should the dropper nevertheless be executed, the firewall integrated in ESET Endpoint Security still prevents the download of the malware. With these firewall rules applied, ESET Endpoint Security blocks the download of malicious payloads and denies other scripting engines access to the Internet.
HIPS Rules
The Host-based Intrusion Prevention System (HIPS) defends the system from within and can interrupt unauthorized actions by processes before they are executed. By prohibiting the standard execution of JavaScript and other scripts, ransomware is not given the chance to download its malware, let alone execute it. Our HIPS is also part of ESET File Security for Windows Server, so these rules apply to servers as well. Please note that HIPS does not distinguish legitimate scripts from malicious ones: scripts started in production environments are blocked in the same way.
Changelog
• Apply "Enable Botnet protection" in firewall policy
• Apply "Enable ESET LiveGrid® reputation system" in antivirus policy
• Apply "Enable HIPS" in antivirus policy
• Apply "Enable Self-Defense" in antivirus policy
• Apply "Enable Advanced Memory Scanner" in antivirus policy
• Apply "Enable Exploit Blocker" in antivirus policy