This cannot be done with VSE.
Multiple rules would have to be declared in an attempt to satisfy the same criteria.
Endpoint Security 10.1 is where you would find this is possible.
Okay, I won't worry about it then. Thanks very much for the quick reply.
For what it's worth, you could minimize the total number of defined rules by using a wildcard for the extension.
*HELP_DECRYPT.TXT --> *HELP_DECRYPT.*
Quite true; thank you for the suggestion. That is what I wound up doing.
*HELP_DECRYPT.TXT, PNG, XLXS, DOCX, PDF, GIF... Who cares? It all sounds pretty suspicious. And if one of my users wants to name a file that way, too bad!
Unless of course it is the CEO. Then...
Be sure you block file creation AND write access. File Creation only doesn't seem to work on 8.8p7. I've blocked these wildcards:
- *.ecc, *.encrypted and many others (vvv, abc, ecc, ezz)
- *.scr (exceptions: FrameworkService.exe, McShield.exe, rkill.scr, rundll32.exe, Scan*.exe, winlogon.exe)
I'd welcome any other extensions or filenames that I've missed.
One thing I am curious about, when ransomware can't drop these recovery instructions files, does it stop encrypting? Or do these files only get dropped after encryption is finished?
One rule I created is to allow the creation of key.dat, but disallow its deletion. Sadly, newer ransomware uses different filenames or keeps the key in memory, or no longer has those vulnerabilities.
The majority of the time these recovery files are created prior to self-destruction. So - if you are seeing AP blocks triggered for the recovery files, there is a good chance you will be able to pull a sample of the malware from the machine(s) in question. Being able to obtain the .exe(s) is extremely valuable during outbreaks. Typically McAfee will have an extra dat within hours if determined to be a true positive.
One easy process example for such occasions -
1. UNC to node in question
2. "Hunt" for malware (view hidden folders, start with common directories (appdata, downloads))
3. Zip suspect file on the node in question (I use 7 zip - password must be 'infected')
4. Copy to local machine or sandbox
5. Upload to McAfee
6. Receive and deploy Extra DAT (follow up with support if you don't hear anything within a couple of hours)
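The "hunt" step above (step 2) is usually done by hand over a UNC path. As an added example that is not from any of the posts and is not McAfee tooling, the script below automates the first pass: it walks a directory tree, flags files matching the wildcards named in the thread (*HELP_DECRYPT.*, *.ecc, *.encrypted, *.vvv, *.abc, *.ezz, *.scr with rkill.scr excluded), orders them by modification time so the earliest note drop and the directory with the most encrypted files stand out, and SHA-256 hashes any .scr it finds so you have the hash ready when you submit the sample. The pattern lists, the directory names and the demo tree it builds are assumptions constructed for the example; point `hunt()` at a mapped share or a mounted image instead. It does not do the 7-Zip packaging or the upload; those stay manual.

```python
"""Triage helper for an Access Protection block on ransomware note files.

Added example: walks a tree, flags files matching the wildcards from the
thread, and reports where and when they appeared so the dropper can be found.
"""
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Wildcards taken from the thread. Compared case-insensitively (NTFS is).
NOTE_PATTERNS = ("*help_decrypt.*",)
ENCRYPTED_PATTERNS = ("*.ecc", "*.encrypted", "*.vvv", "*.abc", "*.ezz")
SCREENSAVER_PATTERNS = ("*.scr",)
# The thread's other *.scr exceptions are processes, not files on disk.
SCR_FILE_EXCEPTIONS = {"rkill.scr"}


@dataclass(frozen=True)
class Hit:
    path: str
    kind: str      # "note", "encrypted" or "scr"
    mtime: float
    sha256: str


def classify(filename):
    """Return the hit kind for a filename, or None if it matches nothing."""
    name = filename.lower()
    if any(fnmatch.fnmatchcase(name, p) for p in NOTE_PATTERNS):
        return "note"
    if any(fnmatch.fnmatchcase(name, p) for p in ENCRYPTED_PATTERNS):
        return "encrypted"
    if (any(fnmatch.fnmatchcase(name, p) for p in SCREENSAVER_PATTERNS)
            and name not in SCR_FILE_EXCEPTIONS):
        return "scr"
    return None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root):
    """Walk root and return matching files sorted by modification time."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            kind = classify(fn)
            if kind is None:
                continue
            full = os.path.join(dirpath, fn)
            try:
                mtime = os.stat(full).st_mtime
                digest = sha256_of(full)
            except OSError:       # locked or vanished file: skip, keep going
                continue
            hits.append(Hit(full, kind, mtime, digest))
    hits.sort(key=lambda h: h.mtime)
    return hits


def summarize(hits):
    """Counts per kind, earliest note, busiest directory, .scr hashes."""
    counts = {}
    per_dir = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
        if h.kind == "encrypted":
            d = os.path.dirname(h.path)
            per_dir[d] = per_dir.get(d, 0) + 1
    notes = [h for h in hits if h.kind == "note"]
    return {
        "counts": counts,
        "first_note": notes[0].path if notes else None,
        "first_note_mtime": notes[0].mtime if notes else None,
        "busiest_dir": max(per_dir, key=per_dir.get) if per_dir else None,
        "scr_hashes": {h.path: h.sha256 for h in hits if h.kind == "scr"},
    }


def build_demo_tree(base):
    """Constructed sample tree (not real artifacts) with mtimes set explicitly."""
    files = {  # relative path -> (content, mtime)
        "Users/alice/AppData/Roaming/svc.scr": (b"MZ-fake-dropper", 1000),
        "Users/alice/Documents/report.docx.encrypted": (b"junk", 1100),
        "Users/alice/Documents/budget.xlsx.ecc": (b"junk", 1200),
        "Users/alice/Documents/HELP_DECRYPT.TXT": (b"pay us", 1300),
        "Users/alice/Documents/HELP_DECRYPT.PNG": (b"png", 1310),
        "Users/alice/Downloads/rkill.scr": (b"legit tool", 900),
        "Users/alice/Documents/notes.txt": (b"clean", 1400),
    }
    for rel, (content, mtime) in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        os.utime(full, (mtime, mtime))


def demo():
    base = tempfile.mkdtemp(prefix="aphunt-")
    build_demo_tree(base)
    return summarize(hunt(base))


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it against the real node once the AP block fires; the earliest "note" mtime bounds when encryption finished on that box, and a .scr sitting in an AppData directory with a modification time just before the first encrypted file is the usual sample to zip up and submit.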