Albeit I am from the 'Consumer Side' of the Equation, perhaps this thread can shed some light on the matter?
All the Best,
Thank you for your quick response. But I already know how to create Access-Protection-Rules to "fight" against Locky :-)
In other words: Does the Threat Intelligence Exchange Server detect new Locky or Ransomware-Executables dropped from an Excel or Word-Macro?
If yes, will the newly detected executables be sent to ATD? Any experience?
While I can appreciate your question, I do not have the 'Expertise' to faithfully answer your question. Hopefully someone from the 'Corporate' side will pick up this thread and assist you. During the interim, I will contact a (Moderator) who has in-depth knowledge in order to reply to your question.
All the very best,
Please be informed that I have contacted the 'Corporate/Enterprise' Moderator. His geographical location will determine how quickly he responds.
As I understand, TIE for VSE should pick up the dropped executables and process them. It will not, at this time, collect the Office documents.
In my experience, ATD does not reliably detect Locky unless it already has a DAT file loaded that detects it. The samples of Locky I've seen have been VM-aware and not executed inside ATD. I sent a couple of these Locky false negatives to McAfee Support about a month ago for analysis.
I tested ATD and the Ransomware Locky.
When uploading the infector (the office document) I saw these two results.
1) When uploading normally, the file is not detected. From my point of view it depends on whether the macros are started automatically or not.
2) When using the xmode on ATD, any file was detected as malware.
BUT, at the moment, the TIE Module for VSE only supports executable code. Therefore, if the office document is detected as malware by ATD, the file is not blocked/deleted by VSE. :-|
Sorry for the Delay.
I'm not a direct user of ATD, so Troja would be better placed to respond to 'actual' behaviour.
From what I remember, executable code will be dropped into ATD to execute to detect what, if any, payload would be executed, and the Dynamic code analysis would detect if any payload was triggered. But if the payload was VM-aware as tkinkead alluded to, the Static Code Analysis should decompile the code and identify if sections of the binary code 'look' like a known family.
The supported file types with default, minimum and maximum file sizes are identified in KB79333; maybe the files you are referring to do not meet the file size requirements for analysis?
Not sure if this helps?
Certified McAfee Product Specialist - ePO
McAfee Volunteer Moderator
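To make the triage split discussed in this thread concrete (executables dropped by an Office macro are forwarded for sandbox analysis, the Office document itself is not, and files outside the size limits are skipped), here is an added illustration in Python. It is not McAfee code and does not model TIE, VSE or ATD internals; the process names, the size limits and the sample events are constructed assumptions, and the real per-type limits are the ones in KB79333.

```python
"""Constructed illustration (not McAfee code) of the triage described in the thread:
a client-side module that only handles executable code forwards a PE file that an
Office process drops to a sandbox, skips the Office document itself, and skips files
outside the sandbox's size window."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: parent processes that count as "Office" for this illustration.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed placeholder limits; KB79333 lists the real minimum/maximum sizes per type.
MIN_SIZE = 1
MAX_SIZE = 8 * 1024 * 1024

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


@dataclass
class DropEvent:
    parent_process: str  # process that wrote the file
    path: str            # where it was written
    header: bytes        # first bytes of the written file
    size: int            # file size in bytes


def is_pe(header: bytes) -> bool:
    """Windows executables (EXE/DLL) start with the 'MZ' DOS header."""
    return header[:2] == b"MZ"


def is_office_doc(header: bytes) -> bool:
    """OLE2 compound file (.doc/.xls) or ZIP container (.docx/.xlsm/.xlsx)."""
    return header[:8] == OLE2_MAGIC or header[:2] == b"PK"


def dropped_by_office(event: DropEvent) -> bool:
    """True when an Office process wrote an executable: the case the thread asks about."""
    return event.parent_process.lower() in OFFICE_PROCESSES and is_pe(event.header)


def triage(event: DropEvent) -> str:
    """Decide what an executable-only client module would do with one write event.

    Returns one of:
      'submit'      - PE file within size limits, forward to the sandbox
      'skip-size'   - PE file outside the sandbox's size window (KB79333 in the thread)
      'skip-office' - Office document; this module does not handle it
      'ignore'      - anything else
    """
    if is_pe(event.header):
        if not (MIN_SIZE <= event.size <= MAX_SIZE):
            return "skip-size"
        return "submit"
    if is_office_doc(event.header):
        return "skip-office"
    return "ignore"


def triage_all(events: List[DropEvent]) -> List[Tuple[str, str, bool]]:
    """Return (path, decision, dropped-by-Office flag) for each event."""
    return [(e.path, triage(e), dropped_by_office(e)) for e in events]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    DropEvent("outlook.exe", r"C:\Users\u\Downloads\invoice.docm", b"PK\x03\x04", 48_000),
    DropEvent("winword.exe", r"C:\Users\u\AppData\Local\Temp\ladybi.exe", b"MZ\x90\x00", 190_000),
    DropEvent("winword.exe", r"C:\Users\u\AppData\Local\Temp\huge.exe", b"MZ\x90\x00", 64 * 1024 * 1024),
    DropEvent("explorer.exe", r"C:\Users\u\Desktop\notes.txt", b"hello", 5),
]

if __name__ == "__main__":
    for path, decision, office_child in triage_all(SAMPLE_EVENTS):
        flag = "  <- executable dropped by Office" if office_child else ""
        print(f"{decision:12} {path}{flag}")
```

The point the code makes is the one Troja raised: the macro-carrying document itself comes back as `skip-office`, so a verdict on it would not translate into a block, while the PE it drops is what gets `submit` and the parent-process check is what links the two.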
Thank you Rich
OK, I probably have to rely on TIE Reputations and the ATD functionality.