Issue
- Configure additional ESET Remote Administrator (6.3 and later) Antispam policy settings in ESET Mail Security for Microsoft Exchange Server to protect against Filecoder (ransomware) malware
Solution
Using the default Antispam rules, incoming emails are already being filtered on the mail server itself. This ensures that the attachment containing the malicious dropper will not be delivered in the mailbox of the end user and the ransomware is not able to execute. To further help prevent ransomware malware on your Microsoft Exchange server, create the following policy rules in ESET Remote Administrator version 6.3 or later:
- Click Admin → Policies, select the Agent policy being applied to your server(s) (your default parent policy) and then click Policies → Edit.
Alternatively, you can create a new policy in ESET Remote Administrator (6.x).
- Expand Settings and click Server → Rules.
- Under Mail Transport Protection, click Edit next to Rules
4. Click Add to create a rule to quarantine common ransomware droppers.
- Type a name for the new rule, for example “Ransomware droppers”.
- Under the Condition type section, click Add.
- From the Type drop-down menu, select Attachment name and then click Add.
- Click Enter multiple values and then type in the following file names, pressing Return or Enter on your keyboard after each one:
- *.js
- *.hta
- *.doc
- *.docm
- *.xls
- *.xlsm
- *.ppt
- *.pptm
- *.vbs
- *.bat
- *.wsf
- *.7z
- Click OK twice.
- Click Add under the Action type section and select your preferred action. In this example, we have selected Quarantine message.
You can add optional, additional Action types, as follows:
Delete attachment; Quarantine attachment; Replace attachment with action information; Delete message; Send email notification; Evaluate other rules; Log to event.
Click OK. 12.Select the check box next to Dangerous executable file attachments and then click Edit
13. Click the entry under Condition type to select it and then click Edit.
The following executable file attachments are processed—if your network environment requires the use of any of these file formats, you can modify which file formats are blocked. Most businesses may want to deselect the .exe and .msi files formats.ESET Mail Security version 6.2.10012 and earlier
If you are using an earlier version of ESET Mail Security (previous to version 6.3), selecting the "Executable" rule will block all Microsoft Office documents.
- Windows Executable (*.exe, *.dll,* .sys*, *.drv; *.ocx, *.scr)
- MS-DOS Executable (*.exe)
- ELF Executable and Linkable format (for example, Linux) (*.elf)
- Adobe Flash (*.swf)
- Java Class Bytecode (*.class)
- Windows Installer Package (*.msi)
- Apple OS X Universal binary executable
- Apple OS X Mach-O binary executable
- Android executable (*.dex)14 . Click the plus icon to expand Executable files, select the check box next to each file type you want to allow in your system environment (selecting the check box will deselect the item from being deleted by the Action type that you chose in step 10 above) and then click OK twice.
- Click OK twice.
- Click Enter multiple values and then type in the following file names, pressing Return or Enter on your keyboard after each one:
- In the Rules window, click Save.
- If you created a new policy, expand Assign to assign the policy to a group, otherwise, click Finish in the Edit/New Policy – Settings screen.
Your policy settings will be applied to the target groups or client computers once they check in to ESET Remote Administrator.
The following is an example of the "Ransomware dropper" policy filtering a ransomware dropper, along with a corresponding mail quarantine report: