This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Block Ransomware

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block Ransomware

Go to solution
pauloraponi
L1 Bithead

‎05-08-2017 01:47 PM

Hello Guys,

 

Based on your experience, what would be the best policy for detect/blocking Ransomware? Can you give some examples? I'm using version 4.0

 

 

Regards,

Paulo R.

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
acc6d0b3610eec313831f7900fdbd235
L4 Transporter

‎05-11-2017 06:32 PM - edited ‎07-07-2017 11:08 AM

Prevent malicious DLL loading by utilizing DLL Hijacking Protection EPM Background

 

Some of the recent attacks are using a different attack method – these attacks are loading DLLs (by either using exploits, macros or other scripts) as the delivery method for the malicious code.

Traps can block loading DLLs by certain processes from certain locations on the system, and these methods can be utilized to prevent attacks that use malicious DLL loading.

 

Instructions

 

Create 2 DLL Hijacking Protection rules:

  1. Make sure the following processes are added to the ‘process management’ screen and are defined as ‘protected’.
  2. Protected processes: cscript.exe, wscript.exe, mshta.exe. Load Blacklist: ’*\System\ado*;*\Windows\temp\*;*\Downloads\*;*\Temporary Internet Files\*’
  3. Protected Process: rundll32.exe. Load Blacklist: ‘*\Windows\temp\*;*\Downloads\*;*\Temporary Internet Files\*;*\Appdata\Local\Temp\*’

 

Make sure to change to other attributes (‘No Current Dir Load’, ‘No Remote Load’, ‘No Removable Drive Load’) to off. Changes to ‘Load Exclusions List’ should be made only with help from Palo Alto Networks support.

 

These rules are not a part of Traps 4.0 default policy (under content update 13), since these rules are more prone to creating false events in certain environments. In case these rules are being used, and they are creating false positive events – it is highly recommended to whitelist the folder or DLL being loaded or remove the rule from the associated process

  

I hope it helps.

View solution in original post

2 REPLIES 2

Go to solution
acc6d0b3610eec313831f7900fdbd235
L4 Transporter

‎05-11-2017 06:32 PM - edited ‎07-07-2017 11:08 AM

Prevent malicious DLL loading by utilizing DLL Hijacking Protection EPM Background

 

Some of the recent attacks are using a different attack method – these attacks are loading DLLs (by either using exploits, macros or other scripts) as the delivery method for the malicious code.

Traps can block loading DLLs by certain processes from certain locations on the system, and these methods can be utilized to prevent attacks that use malicious DLL loading.

 

Instructions

 

Create 2 DLL Hijacking Protection rules:

  1. Make sure the following processes are added to the ‘process management’ screen and are defined as ‘protected’.
  2. Protected processes: cscript.exe, wscript.exe, mshta.exe. Load Blacklist: ’*\System\ado*;*\Windows\temp\*;*\Downloads\*;*\Temporary Internet Files\*’
  3. Protected Process: rundll32.exe. Load Blacklist: ‘*\Windows\temp\*;*\Downloads\*;*\Temporary Internet Files\*;*\Appdata\Local\Temp\*’

 

Make sure to change to other attributes (‘No Current Dir Load’, ‘No Remote Load’, ‘No Removable Drive Load’) to off. Changes to ‘Load Exclusions List’ should be made only with help from Palo Alto Networks support.

 

These rules are not a part of Traps 4.0 default policy (under content update 13), since these rules are more prone to creating false events in certain environments. In case these rules are being used, and they are creating false positive events – it is highly recommended to whitelist the folder or DLL being loaded or remove the rule from the associated process

  

I hope it helps.

Go to solution
BruceL
L0 Member
In response to acc6d0b3610eec313831f7900fdbd235

‎05-13-2017 03:07 PM - edited ‎05-13-2017 03:09 PM

NVM...found the answer:

 

traps.PNG

 

 

For the XML rules configs; are these importable into the ESM in current XML format?

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks