Using Ransomware
The following explains how using CipherTrust Transparent Encryption with Ransomware Protection can enhance the protection of your data:
Note
Ransomware Protection is applied on a GuardPoint. The GuardPoint is at volume level for Windows, and directory level for Linux.
Protect the File Server with both CipherTrust Transparent Encryption and Ransomware Protection
Use Ransomware Protection to improve data protection by encrypting sensitive data using CTE standard and LDT policies. Combining CTE encryption policies with Ransomware Protection strengthens your security posture. In this scenario, both CipherTrust Transparent Encryption and Ransomware Protection licenses are installed on the same server. All of the customer sensitive data is on this server. Data may be on a local drive, or on a CIFS/NFS share mounted on this server. Users are using a CTE policy to encrypt the data, provide CTE access control and protect the data from Ransomware Attacks. For this use case:
- Install and register CipherTrust Transparent Encryption with Ransomware Protection.
- Ensure RW license is available on CM.
- Apply Ransomware Protection to the File Server volumes/GuardPoints.
- Ensure the policy is pushed by looking at the CipherTrust Manager GUI and ensuring that the GuardPoints display as Healthy and Green.
Using Ransomware Protection to protect End Points on Local and CIFS Shares (Windows Only)
You can also protect endpoints with CipherTrust Transparent Encryption with Ransomware Protection. In this scenario, customer sensitive data is not on this endpoint but is being accessed using this endpoint. Data may be on an external share or NFS/CIFS share. The user applies only the RW license on this endpoint. CTE encryption and access control are not enforced on this server. An example of a use case for this scenario is when you have users with laptops who frequently use your network and access servers on it, but do not have any sensitive data locally on their laptops. A system like this might belong to a salesperson who travels and frequently uses other networks to access the internet. When they log on to your network, they access the sales network server and upload data to it. They could easily pick up a ransomware virus from another network. Using the CipherTrust Transparent Encryption Ransomware Protection solution would protect the data on the local GuardPoints they access from being infected with ransomware. For this use case:
- Ensure that RW license is available on CM.
- Install and register CipherTrust Transparent Encryption with Ransomware Protection.
- Ensure that the policy is pushed by looking at the CipherTrust Manager GUI and ensuring that the GuardPoints display as Healthy and Green.
Adding Trusted Processes in the Ransomware Protection policy
Users can create a whitelist of trusted processes, and exclude these processes, files, and directories from Ransomware Protection monitoring on any client that supports Ransomware Protection, by specifying a Trusted Process Set in the Client Profile on CipherTrust Manager. The process set now allows for including signature sets and directory path mappings, which contain individual processes as well as all of the directories to be exempted.
A Trusted Process Set specifies one or more processes, each given by its full path. The path is a concatenation of the directory and file.
- The Trusted Process Set can also specify a signature set and/or a resource.
- A process set entry can have a resource without a process path and a signature set.
- A resource can have one or more paths. A path can have a wildcard (asterisk) in the middle or at the end.
- A signature set is associated with one or more process paths.
To display a Trusted Process Set, in the CTE agent CLI, type:
voradmin rwp exempt-processes
To view a Trusted Process Set
- In CipherTrust Manager, open the Transparent Encryption application.
- In the left pane, click Settings > Profiles.
- Expand RANSOMWARE PROTECTION CONFIGURATION.
- Click Select to view a Trusted Process set.
- See Setting Ransomware Protection Configuration in CipherTrust Manager for more information.
Note
- Provide an entry for each process to be exempted in the process set.
- Remove any double slashes in the path (best practice is to browse to the path on CipherTrust Manager).
- Do not use ., use only a single star as a wildcard.
- Provide a resource set only if you are sure that the processes will not access anything outside of the paths in the resource set; otherwise leave it unspecified.
- If providing a signature set, make sure that each process path is included in the signature set.
- You must specify the action taken on all other processes that attempt to access the sensitive data.
- Always add your anti-virus software to your exemption list (process set). Ransomware Protection intermittently flags anti-virus software as ransomware and blocks it.
- Thales recommends exempting database processes from RWP protection.
- If you use TDE (Transparent Data Encryption) software other than CTE for any database encryption, then you must add the application to the exemption list (process set). During initial Transparent Data Encryption (TDE), SQL Server, for example, reads in all of the clear data and writes it back out as encrypted data. Because this is ransomware-like behavior, the application must be added to the CipherTrust Transparent Encryption Ransomware Protection exempted process list.
- Add a resource set if the process set is used as the Trusted Process Set in the Setting Ransomware Protection Configuration.
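The path, wildcard, and signature-set rules listed above can be checked on a draft exemption list before it is entered in CipherTrust Manager. The following is an added example, not Thales code: the dictionary layout (`process`, `resources`), the function names, and the sample paths are all hypothetical, and it assumes a leading `\\` UNC prefix is not a "double slash" in the sense of the note.

```python
# Added example: lints a draft Trusted Process Set against the rules on this page.
# The dict layout ('process', 'resources') is hypothetical, not CipherTrust Manager's schema.

def _double_separator(path):
    # Assumption: a leading "\\" (UNC share prefix) is legitimate, so skip it.
    body = path[2:] if path.startswith("\\\\") else path
    return "//" in body or "\\\\" in body

def lint_trusted_process_set(entries, signature_paths=None):
    """Return (entry_index, message) findings; an empty list means no rule was broken.

    entries: list of dicts with optional 'process' (full path) and 'resources' (list of paths).
    signature_paths: process paths covered by the signature set, or None if no set is used.
    """
    findings = []
    for i, entry in enumerate(entries):
        process = entry.get("process")
        resources = entry.get("resources") or []
        for path in ([process] if process else []) + resources:
            if _double_separator(path):
                findings.append((i, f"double slash in path: {path}"))
            if "**" in path:
                findings.append((i, f"only a single star is allowed as a wildcard: {path}"))
        for res in resources:
            # Resource wildcards may sit in the middle or at the end, not at the start.
            if res.startswith("*"):
                findings.append((i, f"wildcard must be in the middle or at the end: {res}"))
        if process and signature_paths is not None and process not in signature_paths:
            findings.append((i, f"process path missing from signature set: {process}"))
    return findings

# Constructed sample input (paths are illustrative only).
SAMPLE = [
    {"process": r"C:\Program Files\AV\scanner.exe"},                       # clean
    {"process": r"C:\DB\\bin\dbengine.exe", "resources": [r"D:\Data\*"]},  # double slash
    {"resources": [r"*\Temp\file.dat", r"E:\Logs\**\app.log"]},            # bad wildcards
    {"process": r"C:\Tools\backup.exe"},                                   # not in signature set
]
SIGNED = {r"C:\Program Files\AV\scanner.exe", r"C:\DB\\bin\dbengine.exe"}

if __name__ == "__main__":
    for index, message in lint_trusted_process_set(SAMPLE, SIGNED):
        print(f"entry {index}: {message}")
```

Each finding maps to one line of the note above, so a clean run means the draft is consistent with those rules, not that the exempted processes are safe to trust.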