Endpoint Protection and GSM KB


As the impact and severity of crypto-ransomware threats and attacks has grown over the past 2½ years, we have published many blogs and articles on how best to defend against these modern-day extortionists. We do not believe that our business or consumer customers should have to choose between extortion and losing precious, irreplaceable data. We often get asked the leading question: "Which endpoint security solution will offer 100% prevention and protection from crypto-ransomware?"

The simple answer is none.

Even the best endpoint security (which we pride ourselves on innovating and striving towards) will only be 100% effective most of the time. At other times the cybercriminals will have found ways to circumvent endpoint security defenses and their attack will likely succeed. Each day, many ransomware campaign operators create a new variant that is re-packed so that, once again, no antivirus product detects it.

The recommendations covered in this series:

- Use Reputable, Proven, Multi-Vector Endpoint Security
- Back Up Your Data
- User Education
- Disable Execution of Script Files
- Patch and Keep Software Up to Date
- Secure Weak Usernames/Passwords Which Have Remote Desktop Access

Cybercriminals scan the internet daily for systems with commonly used RDP ports, brute-force them with weak usernames/passwords and attempt to gain access. Once access has been gained, they can deploy variants of ransomware, create user accounts, and download other unwanted malicious software. Here are some tips you can use to help secure RDP and prevent this type of attack.

Preventing scanning for an open port:

- Restrict RDP to a whitelisted IP range
- Require two-factor authentication, e.g. smartcards
- Use protection software to prevent RDP brute-force
- Create a GPO to enforce strong password requirements: https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
- Change the default RDP port from 3389 to another unused port
- Block RDP (port 3389) via firewall

To change the default port, execute the following in an elevated command prompt:

    REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v PortNumber /d XXXX /f

The parameter "XXXX" is the port number you would like to move RDP to. It is recommended to choose a random port number that is not in use and outside of the 33XX port range.

It is also important to monitor possible intrusions with Windows Event Viewer. This will show you what cybercriminals may be doing to try and get in, and help you adjust and use different security measures in your environment. Here is an example of filtering the event logs for event ID 4625 (An account failed to log on): (screenshot not reproduced here)
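The Event Viewer filter above can be automated. This added example, which is not part of the original article, reads the 4625 events from the Security log and groups them by source address so that a brute-force pattern (many failures, across many user names, from one address) stands out; the 24-hour window and the threshold of 20 failures are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): summarise failed logons (event ID 4625)
# from the Security log by source address so that RDP brute-force attempts stand out.
# Assumptions: run in an elevated PowerShell session on the host exposing RDP; the
# failure threshold of 20 is an arbitrary starting point, tune it for your environment.

param(
    [int]$Hours     = 24,
    [int]$Threshold = 20
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # 4625 keeps its details in EventData; read the fields by name from the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        IpAddress = $data['IpAddress']
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA also logs here)
        Status    = $data['Status']      # 0xC000006D = unknown user name or bad password
    }
}

# Many failures, across many user names, from a single address is the brute-force signature.
$summary = $rows |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress |
    ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            IpAddress   = $_.Name
            Failures    = $_.Count
            UniqueUsers = @($_.Group.User | Sort-Object -Unique).Count
            FirstSeen   = $times[0]
            LastSeen    = $times[-1]
        }
    } |
    Sort-Object Failures -Descending

$summary | Format-Table -AutoSize

$suspects = @($summary | Where-Object { $_.Failures -ge $Threshold })
if ($suspects.Count -gt 0) {
    Write-Warning ("{0} source address(es) exceeded {1} failed logons in the last {2} hours." -f $suspects.Count, $Threshold, $Hours)
}
```

The source address is only recorded when the failure reaches the logon process, so events with an IpAddress of "-" (local or pre-authentication failures) are skipped.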

Ransomware such as CryptMic, CryptXXX, Cerber, and Locky can be distributed via exploit kits, which target software vulnerabilities in Adobe Flash Player, Oracle Java, Internet Explorer, Microsoft Silverlight and other vulnerable applications. If this software is exploited, an exploit kit landing page can execute arbitrary code and initiate a silent drive-by download. It is critical for system administrators to keep this type of software up to date, as most infections dropped by exploit kits are known as "zero days" (malware which is fully undetected by all antivirus). If outdated software must be present in your environment, we recommend you download and install Microsoft's EMET to mitigate attacks.

Webroot has for years found many highly prevalent ransomware variants delivered through email attachments. These attachments are often a zip archive containing a script whose purpose is to download and execute a ransomware/malware payload. Webroot recommends preventing the execution of script file types to avoid this type of attack.

Example spam email: (screenshot not reproduced here)

In order to prevent these types of documents and scripts from running, we recommend choosing the most appropriate solution for your environment below.

Step 1: Block WSF, VBS, WSH, HTA and JS files

There are three options to prevent script files from running on a system.

Option 1: Redirect script file extensions via GPO

To enable this policy setting, access the system set up for policy control and navigate to the following setting: User Configuration > Preferences > Control Panel Settings. Right-click on Folder Options and navigate to New > Open With. Type each unwanted extension, e.g. wsf, js, vbs, into the "File extension" box, then input the path of the program you want to have as the default to open the file. Tick Set as default and press OK.

Example of redirecting the extensions .wsf, .js, and .vbs to Notepad: (screenshot not reproduced here)

We recommend redirecting the file types .hta, .jse, .js, .vbs, .vbe, .wsf, .wsh, and .ps1.

If a system administrator needs to run a WSF, VBS, JS, or any other script file, this can still be achieved by starting the WScript program with the script file as an argument. For example:

    C:\Windows\System32\WSCRIPT.exe C:\example.vbs

Option 2: Redirect script file extensions via Webroot console

If there is no policy controller available, as an alternative you can redirect file extensions with the utility below.

1. Sign into the Webroot Enterprise Console and click Group Management.
2. Select the hostnames which you would like to have this applied to, and then navigate to Agent Commands > Advanced > Download and execute a file.
3. Input the following link into the URL field:

    https://download.webroot.com/NoScrypts.exe

   For the Command Line Options field, the following commands can be used:

   -disable - Redirects the default action for the following file types: .hta, .jse, .js, .vbs, .vbe, .wsf, .wsh, to instead show a message box.

   -disable "Custom Message" - Redirects the default action for the same file types, but also allows you to specify the message you would like the user to see, where "Custom Message" is the message displayed to a user that opens a script file. Quotes are required around this text. Optionally you may include %1 in your custom message; this will show the name of the file that was blocked.

   -enable - Restores the default execution program for the file types mentioned above.

4. Click "Download and Execute" to send the command to the system. Note: You may view the status of sent commands by choosing the "View commands for selected endpoints" option in the "Agent Commands" menu. Depending on the poll interval, it may take up to 24 hours for the endpoint(s) to receive this command. You may force a poll check or configuration update to receive this command immediately by locating the Webroot icon in the system tray, right-clicking it, and selecting "Refresh Configuration".
5. Ensure script files are blocked by attempting to open a file with a blocked file type.

Option 3: Disable WScript Host

WScript Host (C:\Windows\System32\WSCRIPT.exe) is the application within Windows that interprets .vbs, .vbe, .js, .jse, .wsf and other types of script files. When a script is run, it will execute the script through this program. Because of this, you may want to disable WScript Host entirely. To do so, use one of the following procedures.

From the Webroot Console:

1. Sign into the Webroot Enterprise Console and click Group Management.
2. Select the hostnames that you would like to have this applied to, and then navigate to Agent Commands > Advanced > Download and execute a file.
3. Enter the following link into the URL field:

    https://download.webroot.com/DisableWSCRYPT.exe

4. For the Command Line Options field, the following commands can be used:

   -disable - Disables WScript and disallows execution of script files.

   -enable - Enables WScript and allows execution of script files.

5. Click "Download and Execute" to send the command to the system. Note: You may view the status of sent commands by choosing the "View commands for selected endpoints" option in the "Agent Commands" menu. Depending on the poll interval, it may take up to 24 hours for the endpoint(s) to receive this command. You may force a poll check or configuration update to receive this command immediately by locating the Webroot icon in the system tray, right-clicking it, and selecting "Refresh Configuration".
6. Ensure WScript is blocked by opening a command prompt, typing "WScript", and pressing Enter. You should be presented with the following message: (screenshot not reproduced here)

Manually - 64-bit: To disable Windows Script Host, execute the following in an elevated command prompt:

    REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f /reg:32
    REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f /reg:64

To re-enable Windows Script Host, execute the following:

    REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f /reg:32
    REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f /reg:64

Manually - 32-bit: To disable Windows Script Host, execute the following in an elevated command prompt:

    REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f

To re-enable Windows Script Host, execute the following:

    REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f

Step 2: Disable macro execution

Office macros can be beneficial to some work environments; however, in most cases they are not necessary to have enabled and are only a security risk. Some ransomware utilizes macro scripts within documents as a channel for payload delivery.

Macro example: (screenshot not reproduced here)

To enable this policy setting, run gpedit.msc and navigate to the following setting: User Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > Security > Trust Center. Double-click on the Block macros from running in Office files from the Internet setting and Enable it.

Office 2013: https://technet.microsoft.com/en-us/library/ee857085.aspx

Note: If there is no policy controller available, as an alternative you can disable macros without notification manually: (screenshot not reproduced here)

Step 3: Prevent users from running PowerShell via GPO

To enable this policy setting, run gpedit.msc and navigate to the following setting: User Configuration > Administrative Templates > System.

1. Double-click on Don't run specified Windows applications.
2. Click the Enabled radio button to enable the policy.
3. Click the Show button next to List of disallowed applications, add powershell.exe to the list and click OK.
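Step 5 of Option 2 and step 6 of Option 3 both ask you to verify the change by hand. This added example, which is not Webroot's tool or part of the original article, audits the same settings from PowerShell: it reads the Windows Script Host "Enabled" value in the 64-bit, 32-bit (WOW6432Node) and per-user registry locations that the REG ADD commands above write, and reports which program each of the recommended extensions still opens with. The extension list is the article's; the registry paths are standard Windows locations.

```powershell
# Added example (not from the original article): audit the Windows Script Host and script
# extension settings the article hardens, so the change can be verified on a host.
# Assumptions: run in an elevated PowerShell session; the extension list is the article's
# recommended set; a missing 'Enabled' value means WSH is at its default (enabled).

$Extensions = '.hta', '.jse', '.js', '.vbs', '.vbe', '.wsf', '.wsh', '.ps1'

function Get-WshState {
    # On 64-bit Windows the 32-bit registry view lives under WOW6432Node, which is why the
    # article writes the value with both /reg:32 and /reg:64. HKCU can disable WSH per user.
    $paths = [ordered]@{
        'HKLM 64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
        'HKLM 32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings'
        'HKCU'        = 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
    }
    foreach ($scope in $paths.Keys) {
        $value = (Get-ItemProperty -Path $paths[$scope] -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $shown = if ($null -eq $value) { 'not set (default: enabled)' } else { $value }
        [pscustomobject]@{
            Scope    = $scope
            Enabled  = $shown
            Disabled = ($value -eq 0)
        }
    }
}

function Get-ScriptHandler {
    param([string]$Extension)
    # A per-user "Open With" choice (FileExts\...\UserChoice) overrides the machine-wide HKCR association.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    }
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        OpenWith  = $command
        # True when the Open action still lands in a script engine (WScript/CScript, mshta for .hta, PowerShell).
        StillRuns = [bool]($command -match 'wscript|cscript|mshta|powershell')
    }
}

Get-WshState | Format-Table -AutoSize
$Extensions | ForEach-Object { Get-ScriptHandler -Extension $_ } | Format-Table -AutoSize
```

A hardened host shows Disabled = True for the HKLM scopes and StillRuns = False for every redirected extension; note that the Open verb for .ps1 is Notepad by default, so it reports False even before any change.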

The "human firewall" – your users – is often the weakest security link. A lot of lip service is paid to user security education, and with the advent of online self-paced courses there is no excuse not to look at using those tools to educate your users about the risks they face in the office and from using the Internet at home. If a user receives an invoice, receipt, or any other form of attachment from someone they are unfamiliar with, chances are it's bad. For Word document attachments, it is also advised to warn users to avoid clicking "Enable Content" in documents from unfamiliar sources.

If you have failed to stop ransomware from successfully encrypting your data, then the next best protection is being able to restore your data and minimize business downtime. Bear in mind when you are setting up your backup strategy that crypto-ransomware like CryptoLocker will also encrypt files on drives that are mapped, and some modern variants will look for unmapped drives too. Crypto-ransomware will look for external drives such as USB thumb drives, as well as any network or cloud file stores that you have assigned a drive letter to. You need to set up a regular backup regimen that at a minimum backs up data to an external drive, or backup service, that is completely disconnected when it is not performing the backup. The recommended best practice is that your data and systems are backed up in at least three different places:

- Your main storage area (file server)
- Local disk backup
- Mirrors in a cloud business continuity service

In the event of a ransomware disaster, this set-up will give you the ability to mitigate any takeover of your data and almost immediately regain the full functionality of your critical IT systems.

When it comes to endpoint security, there are many choices out there. While published detection tests help when it comes to crypto-ransomware, most detection testing is flawed – with many programs achieving 100% detection results that can't be reproduced in the real world.

Webroot has built a strong reputation for stopping crypto-ransomware. Our goal, first and foremost, is to be 100% effective. Webroot was the first antivirus and antimalware vendor to move completely away from the standard, signature-based file detection method. By harnessing the power of cloud computing, Webroot replaced traditional, reactive antivirus with proactive, real-time endpoint monitoring and threat intelligence, defending each endpoint individually while gathering, analyzing, and propagating threat data collectively. This predictive infection prevention model enables Webroot solutions to accurately categorize existing, modified, and new executable files and processes, at the point of execution, to determine their status. Using this approach, Webroot rapidly identifies and blocks many more infections than signature-based approaches, and we are highly proficient at detecting and stopping crypto-ransomware.

Of course, you need protection that covers multiple threat vectors: for instance, real-time anti-phishing to stop email links to phishing sites, web browser protection to stop browser threats, and web reputation to block risky sites that might only occasionally be unsafe. Over the past four years, the Webroot approach to infection prevention has continuously proven its efficacy at stopping crypto-malware in real time by addressing threats the moment they attempt to infect a device, stopping the encryption process before it starts. Regardless of which endpoint security solution you choose, it's essential that it offers multi-dimensional protection and prevention against malware to ensure it quickly recognizes external threats and any suspicious behaviors. A next-generation endpoint security solution with protection beyond file-based threats is essential.

What is CryptoLocker?

CryptoLocker is most often spread through booby-trapped email attachments and uses military-grade encryption. The malware can also be deployed by hacked and malicious web sites by exploiting outdated browser plugins. See also Webroot's Threat Brief on CryptoLocker.

Can Webroot Protect Customers Against It?

Encrypting ransomware (CryptoLocker, CTB-Locker, Critroni, CryptoWall, etc.) is a very difficult infection to remediate because it uses the RSA public-key encryption algorithm to encrypt user files using unique encryption keys for each computer. Once a user's files are encrypted this way, it is next to impossible to decrypt them without access to the private key that is stored on the remote servers in use by the malware author(s). There are currently no tools capable of decrypting these files without the private key. As long as SecureAnywhere is installed prior to infection, all encrypting ransomware should be detected and removed before it is allowed to make any changes on the computer. Threat Research already has many rules in place to detect the known variants of CryptoLocker at or before execution, but it is important to remember that malware is constantly changing and we cannot guarantee that we will initially detect all new variants.

For best practices on securing your environment from encrypting ransomware, please see our community post: https://community.webroot.com/t5/Webroot-Education/Best-practices-for-securing-your-environment-against/ta-p/191172

Read more about CryptoLocker in these posts on the Webroot Community:

- Additional Conversations About CryptoLocker
- CryptoLocker malware targeting the UK - comment from Webroot
- NCA warns UK of mass CryptoLocker ransomware attacks - comment from Webroot