Endpoint Standard: How To Enable Enhanced Ransomware Protection
Endpoint Standard (was CB Defense): All Versions
Carbon Black Cloud Sensor: 3.0 and above
Microsoft Windows: All Supported Versions
Apple MacOS: All Supported Versions
How to create Ransomware Prevention Policy Rules for sensor versions 3.0.x and above.
In order to enable ransomware prevention, Standard or Aggressive ransomware policies must be defined. Enhanced ransomware prevention rules can be enabled based on reputation or application path. The operation "Performs ransomware-like behavior" must be selected.
Standard Ransomware Policies
To reduce the risk of ransomware with minimal false positive risk, add the following Blocking and Isolation policy rules:
Log into the Carbon Black Cloud Console
Go to Enforce > Policies
Scroll down to the Blocking and Isolation section
Select Edit (pencil icon) for PROCESS "Not listed application"
NOTE: PowerShell and Python are popular targets on Windows and Mac systems, but any command interpreter that can receive code as part of its command line is a potential source of malicious activity.
Aggressive Ransomware Policy
The most secure ransomware policy is to add a default deny posture that prevents all applications, except those that are specifically approved, from performing ransomware-like behavior. See the steps below.
NOTE: The advantage of the default deny policy is protection from ransomware behaviors that originate from compromised applications with a higher reputation (such as TRUSTED_WHITE_LIST) without enumerating all possible applications.
Enhanced Ransomware Detection: In the absence of any ransomware rules present, Carbon Black Cloud (CBC) will default to ransomware detection mode.
In ransomware detection mode, CBC will only Allow and Log ransomware behavior. This means that CBC will flag potential ransomware as a high-level threat in the "Potentially Suspicious Activity" widget of the CBC Dashboard, and there will be no policy enforcement on the endpoint.
When selecting "Performs ransomware-like behavior", the Deny operation action will be disabled. Simply denying ransomware access to the first file an application tries to encrypt would not prevent it from attempting future encryption operations. For performance and security, the only supported action is Terminate process.
The aggressive ransomware policy will require tuning to handle false positives generated by applications whose legitimate activity mimics ransomware operations.
VMware Carbon Black recommends extensively testing default deny policies on a single representative host before the policies are applied to production systems. After false positives have been appropriately addressed, perform a gradual rollout by moving small groups of endpoints into the policy. To address any new false positives that are discovered, leave a few days between each group of endpoints.
VMware Carbon Black recommends upgrading to 184.108.40.2068 or higher, as it includes security efficacy enhancements that improve ransomware attack prevention (DSEN-15830).
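Because a policy with no ransomware rules silently falls back to detection-only mode, it is worth auditing exported policies rather than trusting the console view. The following is an added example, not VMware Carbon Black's own code: it assumes the rule shape used by the CBC Policy Service API (an application type/value, an operation, an action) and that a "**" NAME_PATH rule is how a default-deny posture is expressed; the sample policies are constructed, not real console exports.

```python
"""Classify Carbon Black Cloud policy rules by ransomware protection mode.

Assumption: rules look like the CBC Policy Service API objects
{"application": {"type": ..., "value": ...}, "operation": ..., "action": ...}.
"""

RANSOM_OP = "RANSOM"      # console label: "Performs ransomware-like behavior"
TERMINATE = "TERMINATE"   # the only enforcement action the operation supports


def ransomware_rules(policy: dict) -> list:
    """Return only the Blocking and Isolation rules that target ransomware-like behavior."""
    return [r for r in policy.get("rules", []) if r.get("operation") == RANSOM_OP]


def rule_problems(rule: dict) -> list:
    """Explain why a ransomware rule would not enforce (e.g. Deny set instead of Terminate)."""
    problems = []
    if rule.get("operation") == RANSOM_OP and rule.get("action") != TERMINATE:
        problems.append(f"action {rule.get('action')!r} is not supported for "
                        f"{RANSOM_OP}; the only supported action is {TERMINATE}")
    return problems


def protection_mode(policy: dict) -> str:
    """Classify a policy as DETECTION_ONLY, STANDARD or AGGRESSIVE (default deny)."""
    enforced = [r for r in ransomware_rules(policy) if not rule_problems(r)]
    if not enforced:
        return "DETECTION_ONLY"   # no effective rules: CBC only allows and logs
    for r in enforced:
        app = r.get("application", {})
        if app.get("type") == "NAME_PATH" and app.get("value") in ("**", "**/**"):
            return "AGGRESSIVE"   # assumption: wildcard path rule == default deny
    return "STANDARD"             # e.g. a reputation-based "Not listed application" rule


# Constructed sample policies (same rule shape as the Policy Service API).
STANDARD_POLICY = {"rules": [
    {"application": {"type": "REPUTATION", "value": "NOT_LISTED"},
     "operation": RANSOM_OP, "action": TERMINATE, "required": False}]}
AGGRESSIVE_POLICY = {"rules": [
    {"application": {"type": "NAME_PATH", "value": "**"},
     "operation": RANSOM_OP, "action": TERMINATE, "required": False}]}
DETECTION_ONLY_POLICY = {"rules": [      # has rules, but none for ransomware-like behavior
    {"application": {"type": "REPUTATION", "value": "KNOWN_MALWARE"},
     "operation": "RUN", "action": "DENY", "required": True}]}

if __name__ == "__main__":
    for name, pol in [("standard", STANDARD_POLICY), ("aggressive", AGGRESSIVE_POLICY),
                      ("no ransomware rules", DETECTION_ONLY_POLICY)]:
        print(f"{name}: {protection_mode(pol)}")
```

Point `protection_mode` at each policy pulled from the console to confirm every production policy reports STANDARD or AGGRESSIVE rather than DETECTION_ONLY.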