ROBM Ransomware

I need help, my organisation was hit by this ransomware.

Why did McAfee ENS 10.7 not detect this executable?

Thanks for the replies!

Accepted Solutions

Re: ROBM Ransomware

Is Real Protect static and cloud enabled?  Have you verified Cloud is working?  Do you have DAC set to contain at unknown and block writing and deleting to file types commonly associated with ransomware?  If everything else fails, this last one should catch it every time for PE-based ransomware.

6 Replies

Re: ROBM Ransomware

Thanks, Dave, yes, I have Real Protect static and cloud enabled. 

However, my settings make the DAC trigger when the reputation threshold reaches "Most likely malicious", because otherwise I would have too many false positives!

And I suppose my PE-based ransomware is 'Unknown'...

Re: ROBM Ransomware

You might consider trying to do Cert exclusions, to see if you can get the FPs down.  If you have a TIE server, that should help a lot.  With the latest ENS release you can also just alert on DAC events without blocking, so that might help if you can alert when cert rules trigger and the DaysBeforeDetection=0, meaning it is a process new to your environment.  

Re: ROBM Ransomware

Sorry Dave, I don't understand "to see if you can get the FPs down".

Why "Cert exclusions"? And why "when cert rules trigger"?

Still not clear to me why Real Protect didn't detect this ransomware behavior.

Many thanks..

Re: ROBM Ransomware

I mean in the DAC policy, you can exclude certain certifications from triggering rules, so you can easily then get your needed exclusions in place.

Every ransomware family is going to act a bit differently, so there is probably just something about the code and behavior that stopped it from triggering.  It happens, which is why I go by behavioral rules as a final line of defense... and ATD.  Also check your JTI rules, as there are some that would certainly help mitigate these risks.

Dave

Re: ROBM Ransomware

Just became aware of this rule and wanted to add that you might look at enabling the rule ASRRANSOM that is documented at https://kc.mcafee.com/agent/index?page=content&id=KB93741

You'd need to test with setting OAS to continue scanning on test systems, but that might solve your detection issue with behavioral detection as well.

Dave