glange
Level 7

HIPS Cryptolocker question

Hi, I've followed the steps for combating Cryptolocker with VSE and am doing the same for HIPS IAW the Combating_Ransomware_RevH.pdf document.  One question I have is that signature 3894 is disabled by default and requires enabling.  I know that there will be quite a bit of logging when this signature is enabled.  With signatures 6010 and 6011 enabled, what is the main purpose of enabling 3894?  Thanks very much.

3 Replies
catdaddy
Level 20

Re: HIPS Cryptolocker question

Moved to Malware Discussion > Corporate User Assistance > Discussions

Cliff

Moderator

McAfee Volunteer
exbrit
Level 21

Re: HIPS Cryptolocker question

Sorry, I moved this back to HIP as you'll get faster answers to those specific questions here.

---

Peter

Moderator

shakira
Level 10

Re: HIPS Cryptolocker question

It looks like they are trying to make a defense in depth strategy here. Different Cryptolocker versions behave differently and this tool cannot block the kind of things that would make such a signature high fidelity. Turning these rules on is more like a chemotherapy approach.

Depending on your intended level of administration for each rule, turning any of these on in block mode could be a bad time for you. You'll spend a lot of time whitelisting applications that these rules would end up blocking. They cast a wide net. If your network is small enough and has a uniform set of systems, this may be a good approach though.
