[KB6102] Configure ESET Mail Security to protect against ransomware

Issue

Click an image to open the ESET Knowledgebase article for anti-ransomware best practices and additional product configurations:

Details



With the default Antispam rules, incoming email is already filtered on the mail server itself. This ensures that an attachment carrying a malicious dropper is not delivered to the end user's mailbox, so the ransomware never gets a chance to execute.

To further help prevent ransomware on your Microsoft Exchange server, create the following rules in the latest ESET Mail Security for Microsoft Exchange Server, or create and apply an ESET PROTECT Policy.


Solution

Do not adjust settings on production systems

The following settings are additional configurations, and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.

Manually create an ESET PROTECT Policy/configure the settings in ESET Mail Security for Microsoft Exchange Server

  1. Open ESET PROTECT or ESET PROTECT On-Prem. In the Quick Links drop-down menu, click Create New Policy.

ESET Mail Security for Microsoft Exchange Server users:

Open the main program window of your ESET Windows product, press the F5 key to open Advanced setup and proceed to step 3.

  2. Click Settings and in the Select product drop-down menu, select ESET Mail Security for Microsoft Exchange Server (V6+).
Figure 1-1
  3. Click Server → Rules. Under Mail Transport Protection, click Edit next to Rules.
Figure 1-2
  4. Click Add to create a rule to quarantine common ransomware droppers.
Figure 1-3
  5. Type Ransomware droppers into the Name field. Under the Condition type section, click Add.
Figure 1-4
  6. From the Type drop-down menu, select Attachment name and click Add.
Figure 1-5
  7. Click Enter multiple values.
Figure 1-6
  8. Type the following file name patterns, pressing Return or Enter after each one, and then click OK → OK.

    • *.js
    • *.hta
    • *.doc
    • *.docm
    • *.xls
    • *.xlsm
    • *.ppt
    • *.pptm
    • *.vbs
    • *.bat
    • *.wsf
    • *.7z
    • *.zip
    • *.rar
Figure 1-7
  9. Click Add under Action type, and in the Type drop-down menu, select your preferred action. In this example, we have selected Quarantine message. Click OK → OK.
Figure 1-8
Add additional Action types
Optionally, you can add further Action types:
  • Delete attachment
  • Quarantine attachment
  • Replace attachment with action information
  • Delete message
  • Send email notification
  • Evaluate other rules
  • Log to event
  10. Select the check box next to Dangerous executable file attachments and click Edit.
Figure 1-9
  11. Select the entry under Condition type and click Edit.
Figure 1-10
  12. Click the plus icon to expand Executable files, select the check box next to each file type you want to allow in your system environment (selecting a file type exempts it from the Action type you chose in step 10 above), and then click OK → OK.

The following executable file types are detected by this rule. If your network environment requires the use of any of these file formats, you can modify which formats are blocked. Most businesses may want to deselect the .exe and .msi file formats.

    • Windows Executable (*.exe, *.dll, *.sys, *.drv, *.ocx, *.scr)
    • MS-DOS Executable (*.exe)
    • ELF Executable and Linkable format (for example, Linux) (*.elf)
    • Adobe Flash (*.swf)
    • Java Class Bytecode (*.class)
    • Windows Installer Package (*.msi)
    • Apple OS X Universal binary executable
    • Apple OS X Mach-O binary executable
    • Android executable (*.dex)
Figure 1-11
  13. In the Rules window, click Save. Expand Assign to assign the policy to a client or group; otherwise, click Finish in the New Policy – Settings screen. If assigned, your policy settings will be applied to the target groups or client computers when they check in to ESET PROTECT or ESET PROTECT On-Prem.

ESET Mail Security for Microsoft Exchange Server users:

If you are using ESET Mail Security for Microsoft Exchange Server without remote management, click OK → OK.
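As an added illustration (not ESET's code and not part of the original article), the following Python script simulates the two Mail Transport Protection rules configured above against constructed sample messages, so an administrator can reason about what the policy would catch before it reaches a test server. It assumes that the Attachment name condition behaves like a case-insensitive glob, that the Dangerous executable file attachments rule recognises file types by well-known file signatures, and that the predefined rule's action is Quarantine message; none of these details are stated on this page, and ESET's actual detection logic may differ.

```python
"""Simulation of the 'Ransomware droppers' and 'Dangerous executable file
attachments' rules. Added example, not ESET's code. Matching semantics,
signature table and the predefined rule's action are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Patterns entered in step 8 of the article ("Ransomware droppers" rule).
DROPPER_PATTERNS = ["*.js", "*.hta", "*.doc", "*.docm", "*.xls", "*.xlsm",
                    "*.ppt", "*.pptm", "*.vbs", "*.bat", "*.wsf",
                    "*.7z", "*.zip", "*.rar"]

# Constructed signature table approximating the executable categories
# listed in step 12. Windows and MS-DOS executables share the "MZ" header,
# Java class files and Apple universal binaries both start with 0xCAFEBABE,
# and .msi files share the OLE header with legacy Office documents, so a
# content-based check cannot separate every category on its own.
EXECUTABLE_SIGNATURES = [
    (b"MZ", "Windows/MS-DOS Executable"),
    (b"\x7fELF", "ELF Executable and Linkable format"),
    (b"FWS", "Adobe Flash"), (b"CWS", "Adobe Flash"), (b"ZWS", "Adobe Flash"),
    (b"\xca\xfe\xba\xbe", "Java Class Bytecode or Apple Universal binary"),
    (b"\xfe\xed\xfa\xce", "Apple Mach-O binary"),
    (b"\xfe\xed\xfa\xcf", "Apple Mach-O binary"),
    (b"\xcf\xfa\xed\xfe", "Apple Mach-O binary"),
    (b"dex\n", "Android executable"),
]


@dataclass
class Attachment:
    name: str
    content: bytes = b""


@dataclass
class Message:
    subject: str
    attachments: list = field(default_factory=list)


def dropper_name_match(att, patterns=DROPPER_PATTERNS):
    """Return the first pattern matching the attachment name, or None.
    Case-insensitive glob matching is an assumption of this example."""
    for pat in patterns:
        if fnmatch(att.name.lower(), pat.lower()):
            return pat
    return None


def executable_type(att, allowed=()):
    """Return the executable category detected from the file header, or
    None. Categories in `allowed` correspond to the check boxes selected
    in step 12 and are exempted from the rule."""
    for magic, category in EXECUTABLE_SIGNATURES:
        if att.content.startswith(magic) and category not in allowed:
            return category
    return None


def evaluate(msg, allowed_executables=(), executable_action="Quarantine message"):
    """Apply both rules and return (action, reason). The first matching
    rule decides; 'Quarantine message' stops delivery of the whole mail."""
    for att in msg.attachments:
        pat = dropper_name_match(att)
        if pat:
            return ("Quarantine message",
                    f"Ransomware droppers: {att.name} matches {pat}")
    for att in msg.attachments:
        cat = executable_type(att, allowed_executables)
        if cat:
            return (executable_action,
                    f"Dangerous executable file attachments: {att.name} is {cat}")
    return ("Deliver", "no rule matched")


# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    Message("Invoice", [Attachment("invoice_2024.pdf.js", b"var a=1;")]),
    Message("Report", [Attachment("report.docx", b"PK\x03\x04")]),
    Message("Update", [Attachment("update.txt", b"MZ\x90\x00")]),
    Message("Hello", [Attachment("notes.txt", b"plain text")]),
]


def run_samples():
    """Evaluate every sample message; returns a list of (subject, action, reason)."""
    return [(m.subject,) + evaluate(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, action, reason in run_samples():
        print(f"{subject:8} -> {action:18} ({reason})")
```

Two things the samples make visible: the double-extension file `invoice_2024.pdf.js` is caught by the name rule, and the renamed executable `update.txt` is caught only by the content-based rule, which is why the article configures both. Under the glob semantics assumed here, `*.doc` does not match `report.docx`; confirm how ESET interprets the Attachment name patterns in a test environment before relying on that behaviour.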


Download and import the ESET PROTECT Policy

The ESET PROTECT Policy for ESET Mail Security for Microsoft Exchange Server with additional Antispam settings to protect against ransomware (file coder) can be downloaded and imported from the link below.

The ESET PROTECT Policy is available only for the latest version of ESET products. Compatibility with earlier versions cannot be guaranteed.

  1. Download the Additional Ransomware Protection ESET PROTECT Policy.

  2. Open ESET PROTECT or ESET PROTECT On-Prem.

  3. In the main menu, click Policies → Actions → Import.
Figure 2-1
  4. Click Choose file to upload, select the downloaded policy, and click Import.
Figure 2-2
  5. Assign the policy to a client or to a group. Policy settings will be applied to the target groups or client computers when they check in to ESET PROTECT or ESET PROTECT On-Prem.


Ransomware dropper filtering example

The following is an example of the Ransomware droppers rule filtering a ransomware dropper, along with the corresponding mail quarantine report:

Figure 3-1
Figure 3-2