[KB6102] Configure ESET Mail Security to protect against ransomware (6.x - 8.x)

Issue

Details

Using the default Antispam rules, incoming emails are already filtered on the mail server itself. This ensures that an attachment containing a malicious dropper is not delivered to the end user's mailbox, so the ransomware cannot execute. To further help prevent ransomware on your Microsoft Exchange server, create the following rules in the latest ESET Mail Security for Microsoft Exchange Server, or create and apply an ESET PROTECT Policy.

Solution

Do not adjust settings on production systems

The following settings are additional configurations, and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.

Manually create an ESET PROTECT Policy/configure the settings in ESET Mail Security for Microsoft Exchange Server

  1. Open the ESET PROTECT or ESET PROTECT Cloud Web Console. In the Quick Links drop-down menu, click Create New Policy....

    If you are using ESET Mail Security for Microsoft Exchange Server without remote management, open the main program window of your ESET Windows product and press the F5 key to access Advanced setup. Proceed to step 3.
     
  2. Click Settings and in the Select product... drop-down menu, select ESET Mail Security for Microsoft Exchange (V6+).
Figure 1-1
  3. Click Server → Rules. Under Mail Transport Protection, click Edit next to Rules.
Figure 1-2
  4. Click Add to create a rule to quarantine common ransomware droppers.
Figure 1-3
  5. Type Ransomware droppers into the Name field.

  6. Under the Condition type section, click Add.
Figure 1-4
  7. From the Type drop-down menu, select Attachment name and click Add.
Figure 1-5
  8. Click Enter multiple values and type the following file names, pressing Return or Enter on your keyboard after each one:

    • *.js
    • *.hta
    • *.doc
    • *.docm
    • *.xls
    • *.xlsm
    • *.ppt
    • *.pptm
    • *.vbs
    • *.bat
    • *.wsf
    • *.7z
    • *.zip
    • *.rar
Figure 1-6
Figure 1-7
  9. Click OK.
  10. Click Add under Action type, and in the Type drop-down menu, select your preferred action. In this example, we have selected Quarantine message. Click OK.

You can add optional, additional Action types, as follows:
  • Delete attachment
  • Quarantine attachment
  • Replace attachment with action information
  • Delete message
  • Send email notification
  • Evaluate other rules
  • Log to event
Figure 1-8
  11. Select the check box next to Dangerous executable file attachments and click Edit.

Figure 1-9
  12. Select the entry under Condition type and click Edit.

Figure 1-10
  13. Click the plus icon to expand Executable files, select the check box next to each file type you want to allow in your system environment (a selected file type is excluded from the Action type you chose in step 10 above) and then click OK.

    The following executable file attachments are processed. If your network environment requires the use of any of these file formats, you can modify which file formats are blocked. Most businesses may want to deselect the .exe and .msi file formats.

    • Windows Executable (*.exe, *.dll, *.sys, *.drv, *.ocx, *.scr)
    • MS-DOS Executable (*.exe)
    • ELF Executable and Linkable format (e.g. Linux) (*.elf)
    • Adobe Flash (*.swf)
    • Java Class Bytecode (*.class)
    • Windows Installer Package (*.msi)
    • Apple OS X Universal binary executable
    • Apple OS X Mach-O binary executable
    • Android executable (*.dex)
Figure 1-11
  14. In the Rules window, click Save. Expand Assign to assign the policy to a client or group; otherwise, click Finish in the New Policy – Settings screen. If assigned, your policy settings will be applied to the target groups or client computers when they check in to ESET PROTECT.

    If you are using ESET Mail Security for Microsoft Exchange Server without remote management, click OK.
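The two rules configured above can be checked offline against a sample message before a policy reaches production. The script below is an added example, not ESET's code: ESET's matching logic is not public, so it models the rules as this article describes them (a glob on the attachment name for the dropper rule, and, for the executable rule, a content check against a small file-signature table). The signature table and the constructed sample mail are assumptions.

```python
import email.message
import fnmatch

# Attachment-name patterns from the "Ransomware droppers" rule above
DROPPER_PATTERNS = ["*.js", "*.hta", "*.doc", "*.docm", "*.xls", "*.xlsm", "*.ppt",
                    "*.pptm", "*.vbs", "*.bat", "*.wsf", "*.7z", "*.zip", "*.rar"]
# Signatures for some formats the executable rule lists. Assumption (not on
# the page): the product detects by content, so a renamed .exe is still hit.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows/MS-DOS Executable",
    b"\x7fELF": "ELF Executable and Linkable format",
    b"\xca\xfe\xba\xbe": "Java Class Bytecode / Apple universal binary",
    b"dex\n": "Android executable",
}

def matches_dropper_rule(filename: str) -> bool:
    # Glob match on the lower-cased name, so INVOICE.JS is caught as well
    return any(fnmatch.fnmatch(filename.lower(), p) for p in DROPPER_PATTERNS)

def executable_type(payload: bytes):
    # Return the format name, or None when no signature matches
    for magic, name in EXECUTABLE_MAGIC.items():
        if payload.startswith(magic):
            return name
    return None

def evaluate(raw_message: bytes) -> dict:
    # Attachment -> rules hit; non-empty means the chosen action would apply
    hits = {}
    for part in email.message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:  # message body, not an attachment
            continue
        rules = []
        if matches_dropper_rule(name):
            rules.append("Ransomware droppers")
        if executable_type(part.get_payload(decode=True) or b""):
            rules.append("Dangerous executable file attachments")
        hits[name] = rules
    return hits

def sample_message() -> bytes:
    # Constructed test mail: a renamed executable, a .js dropper, a plain note
    msg = email.message.EmailMessage()
    msg.set_content("Please see the attached files.")
    for data, fname in [(b"MZ\x90\x00placeholder", "Invoice.pdf"),
                        (b"WScript.Echo(1)", "INVOICE.JS"), (b"hi", "notes.txt")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Running `evaluate(sample_message())` shows why both rules are needed: the renamed executable passes the name patterns but is caught by content, while the .js dropper is caught by name alone.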

Download and import the ESET PROTECT Policy

The ESET PROTECT Policy for ESET Mail Security for Microsoft Exchange Server with additional Antispam settings to protect against ransomware malware (file coder) can be downloaded and imported from the link below. The ESET PROTECT Policy is available only for the latest version of ESET products. Compatibility with earlier versions cannot be guaranteed.

  1. Download the Additional Ransomware Protection ESET PROTECT Policy.

  2. Open the ESET PROTECT or ESET PROTECT Cloud Web Console. In the ESET PROTECT Web Console main menu, click Policies.

  3. Click Actions → Import....
Figure 2-1
  4. Click Choose file to upload, select the downloaded policy, and click Import.
Figure 2-2
  5. Assign the policy to a client or assign the policy to a group. Policy settings will be applied to the target groups or client computers when they check in to ESET PROTECT.

Ransomware dropper filtering example

The following is an example of the "Ransomware dropper" policy filtering a ransomware dropper, along with the corresponding mail quarantine report.

Figure 3-1

Figure 3-2