Use Cases for Ransomware Protection for Windows
The following explains how using CipherTrust Transparent Encryption with Ransomware Protection can enhance the protection of your data:
Note
Ransomware Protection is applied on a GuardPoint. The GuardPoint is at volume level for Windows, and directory level for Linux.
Protect the File Server with both CipherTrust Transparent Encryption and Ransomware Protection
Use Ransomware Protection together with CTE standard and LDT (Live Data Transformation) encryption policies to strengthen the protection of sensitive data. In this scenario, both the CipherTrust Transparent Encryption and Ransomware Protection licenses are installed on the same server, and all of the customer's sensitive data resides on this server. The data may be on a local drive or on a CIFS/NFS share mounted on this server. A CTE policy encrypts the data and enforces CTE access control, and Ransomware Protection guards the same GuardPoints against ransomware attacks. For this use case:
- Install and register CipherTrust Transparent Encryption with Ransomware Protection.
- Ensure that a Ransomware Protection (RW) license is available on CipherTrust Manager (CM).
- Apply Ransomware Protection to the File Server volumes (GuardPoints).
- Confirm that the policy has been pushed by checking the CipherTrust Manager GUI: the GuardPoints should display as Healthy (green).
Using Ransomware Protection to Protect Endpoints on Local and CIFS Shares (Windows Only)
You can also protect endpoints with CipherTrust Transparent Encryption with Ransomware Protection. In this scenario, the customer's sensitive data does not reside on the endpoint; it is accessed from the endpoint. The data may be on an external share or on an NFS/CIFS share. Only the Ransomware Protection (RW) license is applied on the endpoint; CTE encryption and access control are not enforced on it. A typical example is a user with a laptop who frequently connects to your network and accesses servers on it, but keeps no sensitive data locally: a traveling salesperson who uses other networks to reach the internet and, when connected to your network, uploads data to the sales server. Such a laptop could easily pick up ransomware from another network. The CipherTrust Transparent Encryption Ransomware Protection solution protects the data under the GuardPoints accessed from that endpoint from being encrypted by that ransomware. For this use case:
- Ensure that a Ransomware Protection (RW) license is available on CipherTrust Manager (CM).
- Install and register CipherTrust Transparent Encryption with Ransomware Protection.
- Confirm that the policy has been pushed by checking the CipherTrust Manager GUI: the GuardPoints should display as Healthy (green).
Adding Trusted Processes in a Ransomware Protection Policy
Users can create an allow list of trusted processes and exclude those processes, files, and directories from Ransomware Protection monitoring on any client that supports Ransomware Protection, by specifying a Trusted Process Set in the Client Profile on CipherTrust Manager. A Process Set can include a Signature Set and directory path mappings (a Resource Set), so it can name individual processes as well as the directories to be exempted.
A Trusted Process Set specifies one or more processes, each given with its full path. The path is the concatenation of the directory and the file name.
- The Trusted Process Set can also specify a signature set and/or a resource set.
- A process set entry can have a resource set without a process path or a signature set.
- A resource set can have one or more paths.
- A signature set is associated with one or more process paths.
- Paths to policy elements can contain a wildcard (asterisk) in the middle or at the end, but not at the beginning.
Supported:
c:\Program Files\Microsoft SQL Server*\Binn
c:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\
c:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL*
NOT Supported:
*.*
*
*\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\ (wildcard at the beginning, no drive letter)
Warning
When creating a Trusted Process Set:
- Do not leave the directory path blank. An entry that contains only a process name, with no directory path, is not supported.
- Ransomware Protection exemptions must include the full directory path for database paths and anti-virus applications.
- A wildcard at the beginning of the directory path is not supported.
- Do not use *.*
To display a Trusted Process Set, in the CTE agent CLI, type:
voradmin rwp exempt-processes
To view a Trusted Process Set:
- In CipherTrust Manager, open the Transparent Encryption application.
- In the left pane, click Settings > Profiles.
- Expand RANSOMWARE PROTECTION CONFIGURATION.
- Click Select to view a Trusted Process Set.
See Setting Ransomware Protection Configuration in CipherTrust Manager for more information.
Best Practices for Adding Trusted Processes in the Ransomware Protection Policy
- Provide an entry for each process to be exempted in the process set.
- Remove any double backslashes from the path (best practice is to browse to the path on CipherTrust Manager rather than typing it).
- Provide a resource set only if you are sure that the processes will not access anything outside of the paths in the resource set; otherwise leave it unspecified.
- If you provide a signature set, make sure that each process file name is included in the signature set.
- A signature set applies only to a process executable, not to a resource. A resource is often a directory to be exempted.
- You must specify the action taken on all other processes that attempt to access the sensitive data.
- Always add your anti-virus software to the exemption list (process set). Ransomware Protection intermittently flags anti-virus software as ransomware and blocks it.
- DO NOT add explorer.exe or svchost.exe to the exemption list.
- Thales recommends exempting database processes from Ransomware Protection.
- If you use a Transparent Data Encryption (TDE) product other than CTE for any database encryption, add that application to the exemption list (process set). During initial TDE encryption, SQL Server, for example, reads all of the clear data and writes it back out encrypted. This is ransomware-like behavior, so the process must be added to the CipherTrust Transparent Encryption Ransomware Protection exempted process list.
- Add a resource set if the process set is used as the Trusted Process Set in the Ransomware Protection Configuration.
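The path rules and best practices above can be checked before a set is typed into the Client Profile. The following script is an added example, not code from Thales or from the CTE agent: it encodes only the rules stated on this page (full path with drive letter, no entry that is just a process name, no wildcard at the beginning, no bare * or *.*, no double backslashes, never explorer.exe or svchost.exe). The candidate entries in CANDIDATES are constructed for the example, and the anti-virus path among them is hypothetical.

```python
"""Pre-flight check for Trusted Process Set entries (added example, not Thales code)."""
from __future__ import annotations

import re

# The page says these two must never be exempted.
NEVER_EXEMPT = {"explorer.exe", "svchost.exe"}

# Full Windows path: drive letter, colon, backslash.
_FULL_PATH = re.compile(r"^[A-Za-z]:\\")


def check_entry(entry: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one process-set or resource-set path."""
    e = entry.strip()
    if not e:
        return False, "directory path is blank"
    if e in ("*", "*.*"):
        return False, "bare wildcard entries (* and *.*) are not supported"
    if e.startswith("*"):
        return False, "wildcard at the beginning of the directory path is not supported"
    if not _FULL_PATH.match(e):
        return False, "not a full directory path (missing drive letter, or a process name only)"
    if "\\\\" in e:
        return False, "double backslash in path; browse to the path on CipherTrust Manager instead"
    leaf = e.rsplit("\\", 1)[-1].lower()
    if leaf in NEVER_EXEMPT:
        return False, f"{leaf} must not be added to the exemption list"
    return True, "ok"


def check_process_set(entries: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split a candidate list into accepted entries and {entry: reason} rejections."""
    accepted: list[str] = []
    rejected: dict[str, str] = {}
    for entry in entries:
        ok, reason = check_entry(entry)
        if ok:
            accepted.append(entry)
        else:
            rejected[entry] = reason
    return accepted, rejected


# Constructed candidates: supported forms from this page plus one example of
# each unsupported form. The anti-virus path is hypothetical.
CANDIDATES = [
    r"c:\Program Files\Microsoft SQL Server*\Binn",                       # wildcard in the middle
    r"c:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL*",  # wildcard at the end
    r"C:\ProgramData\Microsoft\Windows Defender\Platform*\MsMpEng.exe",  # AV process, hypothetical path
    "*\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\",       # leading wildcard
    "*.*",                                                               # bare wildcard
    "sqlservr.exe",                                                      # process name without directory
    r"c:\Windows\explorer.exe",                                          # never exempt
    r"c:\Program Files\\Vendor\agent.exe",                               # double backslash
]

if __name__ == "__main__":
    ok, bad = check_process_set(CANDIDATES)
    for entry in ok:
        print(f"accepted: {entry}")
    for entry, why in bad.items():
        print(f"rejected: {entry!r}: {why}")
```

Run it against the list you intend to enter; anything it rejects will either be ignored by the agent or, in the case of explorer.exe and svchost.exe, exempt far more than you intend.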
Understanding Ransomware Protection Reports
In CipherTrust Manager, on the Clients page, when the Client Status displays Warning, a warning message is shown above the table and the GuardPoint status displays as Active. If you click the GuardPoint status, the GuardPoint Health page displays the reason for the warning. For example:
New voradmin commands have been added to display the detailed fields:
voradmin rwp detection-status get|{clear [<id>]}
Ransomware status: Get
Lists the details of the ransomware activity.
Syntax
voradmin rwp detection-status get
Response
id: 1
event: ransomwareDetected
process: D:\rwtestToolExe\rwtest_tool.exe
guardPath: D:
lastFile: RWTESTTOOLEXE\D10\RWTEST_0.TXT
Ransomware status: Clear
Clears the details of specific ransomware activity.
Syntax
voradmin rwp detection-status clear [<id>]
Example
voradmin rwp detection-status clear 1
Clears all entries.
Syntax
voradmin rwp detection-status clear
Note
Entries stop displaying as a warning message on CipherTrust Manager once all warnings have been cleared with voradmin rwp detection-status clear [<id>].
Warning
Do not run this command until the administrator has taken corrective action on the CTE client, such as removing the suspect process or, if it is a false positive, adding it to the exemption list.
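The detection-status output and the clear workflow above lend themselves to a small triage step: parse the reported events, check each flagged process against the Trusted Process Set the administrator has already pushed, and build clear commands only for those. The following script is an added example, not Thales code. It assumes that several events are reported as repeated key: value blocks each starting with an id: line (the page shows a single block), treats * in a trusted entry as a wildcard, and uses constructed sample output (event 1 is the page's own example, event 2 is invented) and a hypothetical trusted entry.

```python
"""Triage of 'voradmin rwp detection-status get' output (added example, not Thales code)."""
from __future__ import annotations

import fnmatch

# Constructed sample: event 1 is the page's example, event 2 is invented.
SAMPLE_OUTPUT = r"""
id: 1
event: ransomwareDetected
process: D:\rwtestToolExe\rwtest_tool.exe
guardPath: D:
lastFile: RWTESTTOOLEXE\D10\RWTEST_0.TXT

id: 2
event: ransomwareDetected
process: C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
guardPath: D:
lastFile: SQLDATA\CUSTOMERS.MDF
"""

# Hypothetical Trusted Process Set entry (wildcard in the middle, a supported form).
TRUSTED = [r"c:\Program Files\Microsoft SQL Server*\Binn\sqlservr.exe"]


def parse_detection_status(text: str) -> list[dict[str, str]]:
    """One dict per event; assumption: a new event starts at each 'id:' line."""
    events: list[dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "id":
            events.append({})
        if events:
            events[-1][key] = value
    return events


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; a trailing backslash is not significant here.
    return path.strip().lower().rstrip("\\")


def is_exempted(process: str, trusted: list[str]) -> bool:
    """True if the process matches a trusted entry or lies under a trusted directory.
    Treating '*' as a wildcard is an assumption about how the agent evaluates entries."""
    proc = _norm(process)
    for entry in trusted:
        pat = _norm(entry)
        if fnmatch.fnmatchcase(proc, pat) or fnmatch.fnmatchcase(proc, pat + "\\*"):
            return True
    return False


def plan_clears(events: list[dict[str, str]], trusted: list[str]) -> tuple[list[str], list[dict[str, str]]]:
    """Return (clear commands for exempted events, events that still need investigation)."""
    commands: list[str] = []
    unresolved: list[dict[str, str]] = []
    for ev in events:
        if ev.get("event") == "ransomwareDetected" and is_exempted(ev.get("process", ""), trusted):
            commands.append(f"voradmin rwp detection-status clear {ev['id']}")
        else:
            unresolved.append(ev)
    return commands, unresolved


if __name__ == "__main__":
    evs = parse_detection_status(SAMPLE_OUTPUT)
    cmds, todo = plan_clears(evs, TRUSTED)
    for c in cmds:
        print("run:", c)
    for ev in todo:
        print(f"investigate id {ev['id']}: {ev['process']} wrote {ev['guardPath']}\\{ev['lastFile']}")
```

The script only prints the commands; run them on the agent yourself once the corresponding process is confirmed exempt. Reserve the bare voradmin rwp detection-status clear (all entries) for the case where the unresolved list is empty, since it would also discard events that nobody has looked at.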