How to use Ivanti Endpoint Security for Endpoint Manager (formerly LDSS) to protect against ransomware and encrypting malware

Version 22

    As the events often seen in the news media can attest, malware continues to be a growing threat both in complexity and in the sheer number of malware.   New malware utilizes various attack vectors to compromise your environment.

    Using Ivanti Antivirus or a third party antivirus it is possible to create a multi-layered protective environment against such malware.   In this article will guide you to set up Ivanti Endpoint Security to provide maximum protection against malware.

     

     

    Introduction to Ivanti Endpoint Security for Endpoint Manger protection against Master Boot Record modification

     

    The "Restrict access to physical drives" option allows prevention of malware to modify the master boot record on a client computer.  Without the Master Boot Record (MBR) information the hard drive will not be able to boot into the operating system rendering the system useless.

     

    In addition, some malware can actually install itself onto the host operating system, modify the actual hard drive or SSD firmware, delete itself from the operating system and remain in the Hard Drive or SSD firmware and remain undetected allowing the threat actor to have continual access to anything on your hard drive or SSD.

     

    A virus in HDD firmware is real, what’s next? – Kaspersky Lab official blog

     

    The MBR feature is designed to block the Petya ransomware and should work with similar malware.

     

    The Petya ransomware is one of the malware that attacks the MBR of a computer.   Testing for this new feature included testing against the Petya malware.

    https://securelist.com/blog/research/74609/petya-the-two-in-one-trojan/

     

    In addition, a variant called NotPetya has recently been reported.  This variant also attacks the MBR on the hard drive or SSD of the host system.

    https://securelist.com/schroedingers-petya/78870/

     

    It is extremely important to check the "Restrict access to physical drives" checkbox and to check the 'Protect against crypto-malware" checkbox to be effective against todays viruses

     

    Ivanti Endpoint Security protection against Crypto-ransomware

     

    In addition to Ivanti security suite passive protection against ransomware (learn more https://community.Ivanti.com/docs/DOC-40939) this new feature provides a new layer in detecting and blocking ransomware.  If a ransomware passes all other prevention layers, this new capability will catch it, kill the process, remove it from startup if possible and add it to the blacklist effectively informing all other endpoints about this new ransomware. Other endpoints will prevent this ransomware from running in the first place (as it is in the blacklist).  However, please note, that on the first endpoint the ransomware will run and start encrypting files until the Ivanti security suite agent catches it.

     

    It is important to note that if this new capability is used side by side with the passive protection capability, the ransomware that will run, will not be able to encrypt any document before it is identified and killed. Both this new feature and the passive protection capability complement each other.

    What is Crypto-ransomware? 

    Crypto-malware is a type of malware that encrypts files on a PC or network storage, and then tries to get the user or organization to pay money to recover their encrypted files.  When this happens it is a difficult situation.  The infected PC will not only encrypt local files, but it will attempt to encrypt files across the network.  By provided a several-layer approach by using Ivanti Endpoint Security and Ivanti Antivirus or your existing Antivirus solution you greatly decrease the risk of getting hit by this serious malware.  If you come across a new variation of malware that has not been detected by Ivanti Antivirus, please follow How To: Report Undetected Malware to Ivanti in order to get this added to the virus definition files.  For third party antivirus software this should be submitted to the respective vendor.

     

    Ivanti Partner Kaspersky has the following articles regarding crypto-ransomware and it's recent rise:

    Crypto-ransomware Attacks Rise Five-fold to Hit 718 Thousand Users in One Year | Kaspersky Lab

    KSN Report: PC Ransomware in 2014-2016

     

    In addition, it will automatically blacklist those files that are attempting this operation.  Regardless of mode this information will be sent back to the core server and placed into a learning list.

     

    This way any new clients that attempt to run the malware will block it completely from the start!

     

    See the following FBI article regarding the latest malware capable of encrypting user data: FBI warns public of Cryptowall Ransomware schemes

     

    As this technology is part of the Application Control portion of Ivanti Endpoint Security and uses it in a very basic sense of turning on just these options, or also using the complete options for Application control all the way up to utilizing Whitelisting.

     

    Step by Step instructions for the most secure environment using basic settings

     

    These steps will make the assumption you will be configuring settings to ensure protection against malware in a basic manner.

    If you intend to implement full Ivanti EPS Application control see this document: How to get started with Ivanti Endpoint Security - Application Control

     

    For further descriptions about each item, feel free to select the Help link on the configuration pages.

     

    Configure Endpoint Security setting and Application Control Policy

    Configure protection against physical drive access and protection against crypto-malware

     

    The following steps will set up protection in a general sense and also include blocking access to physical drives by malware, and it will configure EPS to block crypto-malware.

     

    1. Open the Agent Settings tool within the Ivanti Management Suite console.  This is located within the Configuration tool group.
    2. Go to the Security section underneath either Public Agent Settings or All Agent Settings and then to Endpoint Security.
    3. Either create a new Endpoint Security setting or use the existing setting.
    4. In General Settings give the setting a descriptive name and then select the following:

      2016-07-21_8-28-29.jpg
                    Click for full size


    5. You can leave the Digital Signatures tab as it is is you intend to use only basic settings, otherwise, refer to the
    6. Under "Default Policy" select the checkbox next to Application Control and then select "..." to browse to the Application Control settings.
    7. Select the following:

      2016-07-21_9-39-59.jpg
                    Click for full size
      It is extremely important to check the "Restrict access to physical drives" checkbox and to check the 'Protect against crypto-malware" checkbox to be effective against todays viruses
    8. Leave the Mode Configuration page as default.

     


    Create rule to give Microsoft Word rights to open, create, and modify documents

     

    1. Under Agent Settings -> Security -> Endpoint Security -> Application Control
    2. Create a New Policy or Edit an existing one.
    3. On the Application Control Settings window, choose the File Protection Rules tab.
    4. Click the Add button to add a new Protection Rule.
    5. Set the rule to allow windword.exe to modify *.doc and *.doc

      winwordprotect.png

    6. Under Monitored Programs set the program name to Winword.exe
    7. In Protected Files, set file names to .doc and .docx
    8. Ensure all permissions are allowed (un-checked)

     


    Create a file protection rule to deny modification to *.DOC and *.DOCX

     

    DenyDOC-DOCX.png

     

    1. Under Monitored Programs select the radio button All Programs if it is not already selected.
    2. In Protected Files, set the file name to .DOC and .DOCX
    3. Ensure that Creation is NOT checked.

      RulesList.png
    4. Since the file protection module honors rules based on their order, WinWord.exe will be allowed to work with .DOC and .DOCX files, however other programs will not be allowed to modify .DOC and .DOCX files.
    5. Add as many rules are required to protect your other rules.  For example, add another rule to only allow Excel to modify .XLS and .XLSX files followed by a rule that prevents any file from modifying XLS and XLSX files.

     

     

    Utilize Ivanti Firewall to limit communication used by current malware

     

    If you cannot patch a machine immediately, Ivanti Endpoint Security for Endpoint Manager provides another capability that will block the ransomware from remotely leveraging the SMB vulnerability to infect unpatched machines. The Ivanti firewall can be used to block any incoming SMB traffic. Once enabled, the protected machine cannot be used to share files over SMB (i.e., no other machine can connect to the protected machine, using the SMB protocol). However, the protected machine can connect to other machines for file sharing (over SMB).

    To disable the incoming SMB connections, make sure that both checkboxes under the file sharing section in the Ivanti firewall settings are unchecked, as shown here:

    If you currently not using the Ivanti firewall and would like to leverage this protection, you need to add the following connection rules to your Ivanti firewall agent settings. This will make sure the Ivanti firewall is only used to block incoming SMB connections:

    • Name: “Deny incoming connection on port 139”, Direction: Incoming, Action: Drop, Protocol: Both, Apply to these local ports: 139 to 139
    • Name: “Deny incoming connection on port 445”, Direction: Incoming, Action: Drop, Protocol: Both, Apply to these local ports: 445 to 445
    • Name: “Allow any process to connect”, Direction: Outgoing, Action: Accept,  Protocol: Both, Apply to these remote ports: 1 to 65535
    • Name: “Allow any process to listen for connection”, Direction: Incoming, Action: Accept, Protocol: Both, Apply to these local ports: 1 to 65535

     

    I've been infected by malware.  Now what?

    Create a package to install Malwarebytes

     

    1. Download Malwarebytes and save it to your regular packages share.
    2. In the Endpoint Manager Console (Formerly LDMS console) go to the Distribution tool group and select "Distribution Packages"
    3. Right-click "My Packages" and select "New Windows Package" and then select "Executable".
    4. Name your package the desired name and browse to the location where your Malwarebytes executable is and select it.
    5. In the left-hand pane under "Install/Uninstall Options" put in the switch "/verysilent" (without the quotes).

     

    Utilize device isolation to isolate and repair a device

     

    The device isolation feature is a relatively new feature within the Ivanti Endpoint Manager.   This feature allows to isolate a computer so that it cannot receive or transmit normal network traffic but will still be able to be managed by the Ivanti Endpoint Manager (Formerly LDMS) product.

     

    1. Right-click a computer and within the menu popup select "Isolate from network"
      Isolatedropdown.gif
    2. Select the package you created earlier.

      This will install Malwarebytes.   After installation you can remote control the computer even though it is isolated from the network and resolve the virus issues.

    3. After you are done you will select "Recover from isolated network" after right-clicking on the device.

      At this point the computer will be returned to normal operation.