Block encryption by exception

  • 5 July 2019
  • 0 replies

I'm fairly new to Webroot, but have a long history with McAfee, Bitdefender, Sophos and Kaspersky.

My feature request would be to add a block/monitor/allow permission system, whereby only specific computers, or even processes, are allowed to encrypt data on writing to a network file system, by default denying other processes the ability to write out encrypted files.

After a tech session with a very knowledgeable member of the Webroot team, there seems to be a glaring vulnerability in regards to encryption attacks on networks.

If a new variant of ransomware that is unknown to Webroot gets on to a network it can be disastrous. If you are in a scenario where a workstation is infected and starts encrypting files, and the user context it's running in has write access to a network resource you could be in a lot of trouble.

It was explained to me how Webroot monitors unknown processes, and using journalling and rollback can rescue your data on the workstation, which is a brilliant feature, but if it hits the network, you are out of luck; there is no rollback option for the data encrypted over the network by the infected endpoint. It was also explained that once Webroot sees this process on one endpoint doing its deeds, it gets uploaded to their threat intelligence network and others are protected. But the risk of being that one person who takes the hit first is to me unacceptable, especially given the ease of availability of RaaS and modern obfuscation techniques.

The official answer given to me about this hole in a Webroot protected network was "that's why you need good backups on your servers". I will not dispute this; as someone who has lost months of their life pulling people back from the brink after such attacks, good backups are essential. User education was also mentioned, and is also important, but I find (to amend a line from Jurassic Park) that idiocy finds a way: making things more idiot-proof just in fact builds more capable idiots who can stumble through all the training and automated warnings you place in front of them like an internet-connected Mr Magoo (that's unfair; scammers just up their game, make their phishing emails look more believable, make the fake payment requests look more realistic, e.g. $5K instead of $500K). But I'd still prefer a mechanism to block encryption that they can't control.

I was told that encryption is a fairly common task. What doesn't sit right with me is that the behaviour is extremely abnormal for a user: why would someone set off a bulk task to encrypt files on a network share? There's your watch point. After 30+ years looking after SMEs I have never seen a user intentionally do this. That's a behavioural pattern that can be monitored, blocked and alerted about simply.

Modern CPUs contain encryption hardware, which makes an infected workstation on a gigabit network a devastating tool that Webroot is not protecting us from. At worst (not a Webroot site) I have seen a network share with 20TB spread over 5 million+ files that got encrypted in minutes from a workstation with a low-end Core i5 processor.

I would rather have to go through an hour or a day or even a week of whitelisting applications and receiving phone calls to allow other apps in the future, than go sleepless knowing that Webroot has no protection from someone running that interesting file from a webmail attachment or USB stick. The fact that I could lose clients or severely damage their business as the business-critical information is getting hit is not made any better by the fact that we were able to roll back and recover Janet's cat pictures on the workstation that was the source.

At the moment, for peace of mind, I am having to use a free tool from a well-known Russian AV vendor beginning with K, as this will sit on the server hosting shares, and this will block the remote machine attempting to encrypt that folder. But I would rather be using software from Webroot.

So, once again: a feature that by default denies end users the ability to encrypt, and the ability to whitelist applications that do need to write encrypted information to network shares.
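As an added illustration of the deny-by-default policy described in this request (example code, not Webroot's product or the poster's own tooling), the following sketch scores each write to a share by byte entropy and applies a process allowlist: ciphertext-looking writes are permitted only for allowlisted processes, and any other process is monitored and then blocked once it exceeds a burst limit. The process names, thresholds and write events are constructed assumptions for the demo.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed policy (hypothetical process names): only allowlisted processes may
# write ciphertext-looking data to the share; anyone else is watched, then blocked.
ALLOWED_ENCRYPTORS = {"backupagent.exe", "7z.exe"}
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext and compressed data sit near 8.0
BURST_LIMIT = 3          # high-entropy writes tolerated per (host, process) before blocking

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a written buffer (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def evaluate_writes(events):
    """Apply the policy to (host, process, path, payload) write events; return the
    per-event decisions and the blocked (host, process) pairs an alert would carry."""
    burst = defaultdict(int)
    decisions, blocked = [], set()
    for host, proc, path, payload in events:
        key = (host, proc)
        if key in blocked:
            decisions.append("block")           # already tripped; keep denying
        elif shannon_entropy(payload) < ENTROPY_THRESHOLD:
            decisions.append("allow")           # plain-text-looking write
        elif proc in ALLOWED_ENCRYPTORS:
            decisions.append("allow")           # exception: known encryptor
        else:
            burst[key] += 1
            if burst[key] > BURST_LIMIT:
                blocked.add(key)
                decisions.append("block")
            else:
                decisions.append("monitor")     # log it, not yet enough to block
    return decisions, blocked

def ciphertext_like(seed: int, size: int = 4096) -> bytes:
    """Deterministic random-looking bytes standing in for encrypted output."""
    chunks = [hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32)]
    return b"".join(chunks)

# Constructed sample: a normal document save, an allowlisted backup write, then an
# unknown process on ws02 rewriting six share files with ciphertext-like data.
SAMPLE_EVENTS = [
    ("ws01", "winword.exe", r"\\fs01\shared\report.docx", b"Quarterly report, revenue by region.\n" * 100),
    ("ws01", "backupagent.exe", r"\\fs01\backups\vol.bak", ciphertext_like(1)),
] + [("ws02", "unknown.exe", rf"\\fs01\shared\f{i}.xlsx.locked", ciphertext_like(i)) for i in range(6)]
```

Running `evaluate_writes(SAMPLE_EVENTS)` allows the first two writes, logs the first three unknown-process writes as "monitor", and blocks the rest from that host/process pair. A real implementation would need to sit in the file-server write path (a minifilter or SMB hook), which this simulation does not attempt.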

Other than this one feature, I am really loving this product.
