[KB6102] Configure ESET Mail Security to protect against ransomware (7.3 - 10.x)
Issue
Configure additional antispam settings in ESET Mail Security for Microsoft Exchange Server
Create a policy in ESET PROTECT with additional antispam settings for ESET Mail Security for Microsoft Exchange Server to protect against ransomware (filecoder malware)
Details
Using the default Antispam rules, incoming emails are already being filtered on the mail server itself. This ensures that the attachment containing the malicious dropper will not be delivered to the mailbox of the end-user, and the ransomware is not able to execute.
To further help protect your Microsoft Exchange server against ransomware, create the following rules in the latest ESET Mail Security for Microsoft Exchange Server, or create and apply an ESET PROTECT Policy.
Solution
Do not adjust settings on production systems
The following settings are additional configurations, and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.
Manually create an ESET PROTECT Policy/configure the settings in ESET Mail Security for Microsoft Exchange Server
Click Settings and in the Select product drop-down menu, select ESET Mail Security for Microsoft Exchange Server (V6+).
Figure 1-1
Click Server → Rules. Under Mail Transport Protection, click Edit next to Rules.
Figure 1-2
Click Add to create a rule to quarantine common ransomware droppers.
Figure 1-3
Type Ransomware droppers into the Name field. Under the Condition type section, click Add.
Figure 1-4
From the Type drop-down menu, select Attachment name and click Add.
Figure 1-5
Click Enter multiple values.
Figure 1-6
Type the following file names, pressing Return or Enter after each one and click OK → OK.
*.js
*.hta
*.doc
*.docm
*.xls
*.xlsm
*.ppt
*.pptm
*.vbs
*.bat
*.wsf
*.7z
*.zip
*.rar
Figure 1-7
Click Add under Action type, and in the Type drop-down menu, select your preferred action. In this example, we have selected Quarantine message. Click OK → OK.
Figure 1-8
Add additional Action types
Optionally, you can add additional Action types, as follows:
Delete attachment
Quarantine attachment
Replace attachment with action information
Delete message
Send email notification
Evaluate other rules
Log to event
Select the check box next to Dangerous executable file attachments and click Edit.
Figure 1-9
Select the entry under Condition type and click Edit.
Figure 1-10
Click the plus icon to expand Executable files, select the check box next to each file type you want to allow in your system environment (selecting the check box will deselect the item from being deleted by the Action type that you chose in step 10 above), and then click OK → OK.
The following executable file attachments are processed. If your network environment requires the use of any of these file formats, you can modify which file formats are blocked. Most businesses may want to deselect the .exe and .msi file formats.
Windows Executable (*.exe, *.dll, *.sys, *.drv, *.ocx, *.scr)
MS-DOS Executable (*.exe)
ELF Executable and Linkable format (for example, Linux) (*.elf)
Adobe Flash (*.swf)
Java Class Bytecode (*.class)
Windows Installer Package (*.msi)
Apple OS X Universal binary executable
Apple OS X Mach-O binary executable
Android executable (*.dex)
Figure 1-11
In the Rules window, click Save. Expand Assign to assign the policy to a client or group; otherwise, click Finish in the New Policy – Settings screen. If assigned, your policy settings will be applied to the target groups or client computers when they check in to ESET PROTECT.
ESET Mail Security for Microsoft Exchange Server users:
If you are using ESET Mail Security for Microsoft Exchange Server without remote management, click OK → OK.
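Because the article recommends testing these settings before production use, the following Python script (an added example, not ESET code or part of the product) runs the "Ransomware droppers" attachment name list against a list of attachment names to estimate what the rule would quarantine. Shell-style, case-insensitive wildcard matching is an assumption about how the product evaluates the patterns, and the sample attachment names are constructed.

```python
"""Dry run: which attachment names would the "Ransomware droppers" rule catch?"""
from collections import Counter
from fnmatch import fnmatchcase

# Attachment name patterns from the article's "Ransomware droppers" rule.
RULE_PATTERNS = [
    "*.js", "*.hta", "*.doc", "*.docm", "*.xls", "*.xlsm", "*.ppt",
    "*.pptm", "*.vbs", "*.bat", "*.wsf", "*.7z", "*.zip", "*.rar",
]


def matching_pattern(attachment_name, patterns=RULE_PATTERNS):
    """Return the first pattern the name matches, or None.

    Assumption: wildcard matching on the whole name, case-insensitive.
    """
    name = attachment_name.strip().lower()
    for pattern in patterns:
        if fnmatchcase(name, pattern.lower()):
            return pattern
    return None


def dry_run(attachment_names, patterns=RULE_PATTERNS):
    """Split names into (hits per pattern, names that would be delivered)."""
    hits = Counter()
    passed = []
    for name in attachment_names:
        pattern = matching_pattern(name, patterns)
        if pattern is None:
            passed.append(name)
        else:
            hits[pattern] += 1
    return hits, passed


# Constructed sample: attachment names as they might appear in a mail log export.
SAMPLE_NAMES = [
    "Invoice_2291.pdf.js",      # double extension, still ends in .js
    "SCAN0042.ZIP",             # upper-case extension
    "quarterly-report.docx",    # not in the list: *.doc does not cover .docx
    "budget.xlsx",              # not in the list
    "timesheet.xls",
    "meeting-notes.doc",
    "logo.png",
    "backup.tar.gz",
]

if __name__ == "__main__":
    hits, passed = dry_run(SAMPLE_NAMES)
    for pattern, count in hits.most_common():
        print(f"{pattern:8} {count} message(s) would be quarantined")
    print("delivered:", ", ".join(passed))
```

Feeding it real attachment names from a test mailbox or log export shows how much legitimate mail patterns such as *.doc and *.zip would affect before the rule is enabled.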
Download and import the ESET PROTECT Policy
The ESET PROTECT Policy for ESET Mail Security for Microsoft Exchange Server with additional Antispam settings to protect against ransomware (filecoder malware) can be downloaded and imported from the link below.
The ESET PROTECT Policy is available only for the latest version of ESET products. Compatibility with earlier versions cannot be guaranteed.