3 Replies Latest reply on May 3, 2016 6:33 PM by shakira

    HIPS Cryptolocker question

    glange

      Hi, I've followed the steps for combating Cryptolocker with VSE and am doing the same for HIPS IAW the Combating_Ransomware_RevH.pdf document. One question I have is that signature 3894 is disabled by default and requires enabling. I know that there will be quite a bit of logging when this signature is enabled. With signatures 6010 and 6011 enabled, what is the main purpose of enabling 3894? Thanks very much.

        • 1. Re: HIPS Cryptolocker question
          catdaddy

          Moved to Malware Discussion > Corporate User Assistance > Discussions


          Cliff

          Moderator

          • 2. Re: HIPS Cryptolocker question
            Peter M

            Sorry, I moved this back to HIP as you'll get faster answers to those specific questions here.

            ---

            Peter

            Moderator

            • 3. Re: HIPS Cryptolocker question
              shakira

              It looks like they are trying to make a defense in depth strategy here. Different Cryptolocker versions behave differently and this tool cannot block the kind of things that would make such a signature high fidelity. Turning these rules on is more like a chemotherapy approach.

              Depending on your intended level of administration for each rule, turning any of these on in block mode could be a bad time for you. You'll spend a lot of time whitelisting applications that these rules would end up blocking. They cast a wide net. If your network is small enough and has a uniform set of systems, this may be a good approach though.
