zoki1978
Level 7

Tie/ATD fighting Ransomware/Locky

Hi!

Does anyone have experience with Ransomware/Locky detection with a combination of ATD/TIE/TIE-VSE-Module?

Our customers ask this question very often. I'm pretty sure that a combination of ATD/TIE/TIE-VSE-Module would detect the malware.

But if someone already has experience, I would be very grateful for your feedback.


0 Kudos
1 Solution

Accepted Solutions
Troja
Level 14

Re: Tie/ATD fighting Ransomware/Locky

Hi,

I tested ATD and the ransomware Locky.

When uploading the infector (the Office document) I saw these two results.

1) When uploading normally, the file is not detected. From my point of view it depends on whether the macros are started automatically or not.

2) When using the xmode on ATD, any file was detected as malware.

BUT, at the moment, the TIE Module for VSE only supports executable code. Therefore, if the Office document is detected as malware by ATD, the file is not blocked/deleted by VSE. :-|

Cheers

0 Kudos
11 Replies
catdaddy
Level 20

Re: Tie/ATD fighting Ransomware/Locky

Albeit I am from the 'Consumer Side' of the Equation, perhaps this thread can shed some light on the matter?

All the Best,

CD/Catdaddy

Volunteer Moderator

(Consumer Products)

Cliff
McAfee Volunteer
0 Kudos
zoki1978
Level 7

Re: Tie/ATD fighting Ransomware/Locky

Thank you for your quick response. But I already know how to create Access-Protection-Rules to "fight" against Locky :-)

In other words: does the Threat Intelligence Exchange Server detect new Locky or ransomware executables dropped from an Excel or Word macro?

If yes, will the newly detected executables be sent to ATD? Any experience?

0 Kudos
catdaddy
Level 20

Re: Tie/ATD fighting Ransomware/Locky

While I can appreciate your question, I do not have the 'expertise' to faithfully answer it. Hopefully someone from the 'Corporate' side will pick up this thread and assist you. In the interim, I will contact a (Moderator) who has in-depth knowledge in order to reply to your question.

All the very best,

CD

Cliff
McAfee Volunteer
catdaddy
Level 20

Re: Tie/ATD fighting Ransomware/Locky

Please be informed that I have contacted the 'Corporate/Enterprise' Moderator. His geographical location will determine how quickly he responds.

Regards,

CD

Cliff
McAfee Volunteer
0 Kudos
tkinkead
Level 12

Re: Tie/ATD fighting Ransomware/Locky

As I understand, TIE for VSE should pick up the dropped executables and process them. It will not, at this time, collect the Office documents.

In my experience, ATD does not reliably detect Locky unless it already has a DAT file loaded that detects it. The samples of Locky I've seen have been VM-aware and have not executed inside ATD. I sent a couple of these Locky false negatives to McAfee Support about a month ago for analysis.

0 Kudos
amenendp
Level 10

Re: Tie/ATD fighting Ransomware/Locky

Hi Troja,

Is it possible Locky detects the virtual environment because you don't have the internet connection open on the virtual machines?

Regards

0 Kudos
Artfulbodger
Level 13

Re: Tie/ATD fighting Ransomware/Locky

Hi All,

Sorry for the delay.

I'm not a direct user of ATD, so would be better placed to respond to 'actual' behaviour.

From what I remember, executable code will be dropped into ATD to execute, to detect what, if any, payload would be executed, and the Dynamic Code Analysis would detect if any payload was triggered. But if the payload was VM-aware, as alluded to, the Static Code Analysis should decompile the code and identify if sections of the binary code 'look' like a known family.

The supported file types with default, minimum and maximum file sizes are identified in KB79333; maybe the files you are referring to do not meet the file size requirements for analysis?

Not sure if this helps?

Many Thanks

Regards

Richard Carpenter

Certified McAfee Product Specialist - ePO

McAfee Volunteer Moderator

0 Kudos
catdaddy
Level 20

Re: Tie/ATD fighting Ransomware/Locky

Thank you Rich

CD

Cliff
McAfee Volunteer
0 Kudos