cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
haaris
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 4
‎11-29-2017 04:12 AM

Blocking Scarab Ransomware

Hi,

Recently we got the news that Scarab Ransomware from the link https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware

So we decided to create User-defined rules under access protection policies.There is one registry path

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

uSjBVNE = "%Application Data%\sevnz.exe   which we need to block in VSE policy.I just wanted to know what is the best possible rule we can create for blocking the registry as mentioned in the link to avoid the impact of Scarab Ransomware.

Any answer will be highly appreciated..

0 Kudos
Reply
3 Replies
haaris
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 4
‎11-29-2017 09:32 PM

Re: Blocking Scarab Ransomware

Hi everyone,

Plz reply to let me configure the best possible policy for the mentioned ransomware

0 Kudos
Reply
haaris
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 4
‎12-05-2017 10:31 AM

Re: Blocking Scarab Ransomware

Can anyone tell how to create rule for the above query

0 Kudos
Reply
mattw2
Level 10
Report Inappropriate Content
Message 4 of 4
‎12-06-2017 01:45 AM

Re: Blocking Scarab Ransomware

I'm not going to advise which actual rules to create... however....

You could do worse than look at McAfee's ransomware guide:

McAfee Corporate KB - Combating Ransomware - Rev J PD25203

It has rules for different ransomware types, which includes application protection rules for blocking certain registry or file/folder creation/executions.

Whilst the link you gave indicates a specific executable name, its worth considering that there are likely to be versions of this that generate the executable with a random name, rather than one specific. This will be something to consider when you create you rules.

If you want specific details for what rules to create for Scarab, I think your best bet would be to log a request with Support.

Regards

Matt W.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC