Ransomware: Prevention advice for Sophos products
This page describes the recommended settings for Sophos products in detail.
Sophos products can defend your computers against the malicious files and network traffic that ransomware relies on.
It is critical to configure these products correctly so that they work properly and effectively.
Note: Before making these changes in a live environment, test them in a test environment to confirm that they work as intended.
Sophos Endpoint managed by Sophos Enterprise Console
If you manage Sophos Endpoint Security and Control through the Sophos Enterprise Console, configure the following settings in the Anti-Virus and HIPS policies of all workstations, file servers, and terminal servers:
- On-access scanning: on
- Check files on read, rename, and write: on
- Scan for adware and potentially unwanted applications: on
- Scan system memory: on
- Block access to malicious websites: on
- Content scanning: As on-access scanning
- Sophos Live Protection: Enable live protection (file reputation checking): on
- Behavior monitoring: on
- Detect malicious behavior: on
- Detect malicious traffic: on
- Detect buffer overflows: on
- For a complete list of recommended settings and instructions on how to enable them, see Recommended settings for anti-virus and HIPS.
If you have Server Protection Enterprise or Endpoint Exploit Prevention licenses, configure the following settings in the Exploit Prevention policy so that your servers are protected:
- Enable exploit prevention: on
- Protect document files from ransomware (CryptoGuard): on
- Protect from remotely run ransomware (WipeGuard): on
- Disk and boot record protection (WipeGuard): on
- Protect critical functions in web browsers (Safe Browsing): on
- Mitigate exploits in vulnerable applications: Protect web browsers, Protect browser plugins, Protect Java applications, Protect media applications, Protect office applications: on
- Protect processes: Prevent process hollowing attacks: on
- Prevent DLLs loading from untrusted folders: on
- Optionally, you can use Application Control to prevent users from running JavaScript on their computers. JavaScript attachments in spam email are a common way of distributing ransomware. For details, see Prevent malicious JavaScript files using Application Control.
Sophos Endpoint managed by Sophos Central
If you are using Sophos Central managed Endpoint Protection, configure the following Threat Protection settings for all users:
- Live protection: on
- Enable deep learning: on
- Real-time scanning for local files and network shares: on
- Scan downloads in progress: on
- Protect against malicious websites: on
- Detect low-reputation files: on
- Automatically clean up malware: on
- Detect malicious behavior (HIPS): on
For Sophos Intercept X licensed customers, also configure:
- Protect against ransomware: on
- Protect against master boot record ransomware: on
- Protect critical functions in web browsers (Safe Browsing): on
- Protect against exploits in vulnerable applications: Protect web browsers, Protect web browser plugins, Protect Java applications, Protect media applications, Protect office applications: on
- Prevent process hollowing attacks: on
- Prevent DLLs loading from untrusted folders: on
Optionally, you can use Application Control to prevent users from running JavaScript on their devices. JavaScript attachments in spam email are a common way of distributing ransomware. For details, see Prevent malicious JavaScript files using Application Control.
Sophos strongly recommends turning on Enhanced tamper protection on all managed endpoints.
For more information, see Sophos Endpoint Defense: How to Enable Enhanced Tamper Protection for more details.
Sophos Server Protection managed by Sophos Central
If you are using Sophos Central managed Server Standard Protection, use the following configuration:
- Real-time scanning for local files and network shares: on
- Live protection: on
- Scan downloads in progress: on
- Block access to malicious websites: on
- Detect low-reputation files: on
- Detect network traffic to command and control servers: on
- Detect malicious behavior (HIPS): on
- Automatically clean up malware: on
Customers with Intercept X licenses managed by Sophos Central can additionally configure the following:
- Protect document files from ransomware (CryptoGuard): on
- Protect from remotely run ransomware: on
- Protect from master boot record ransomware: on
- Protect critical functions in web browsers (Safe Browsing): on
- Mitigate exploits in vulnerable applications: Protect web browsers, web browser plugins, Java applications, media applications, and office applications: on
- Protect processes: Prevent process hollowing attacks, Prevent DLLs loading from untrusted folders, Prevent credential theft, Prevent code cave utilization, Prevent APC violation, Prevent privilege escalation: on
- Detect network traffic to command and control servers: on
- Sophos Security Heartbeat™: on (requires XG Firewall)
Enable all of the Server Protection default features. Sophos strongly recommends that Enhanced tamper protection is enabled at all times on all managed servers.
For more information, see Sophos Endpoint Defense: How to Enable Enhanced Tamper Protection for more details.
E-mail security using the Sophos Email Appliance
Configure the following settings on the Sophos Email Appliance:
- Configuration > Policy > Threat Protection > SophosLabs Suspect Attachments to All: on
- Configuration > Policy > Threat Protection > Add > Rule type > Time-of-Click Protection: on
- Configuration > Policy > SMTP Options > Delay Queue: on
Keep in mind that if users follow URLs from external sources, the Email Appliance must be reachable so that it can resolve links; check Configuration > Network > Hostname & Proxy.
If you have a Sophos Sandstorm license, also configure:
- Sandstorm: on (Configuration > Policy > Sandstorm)
Sophos Web Appliance
Configure the following settings on the Sophos Web Appliance:
- Configuration > Global Policy > HTTPS Scanning: on
- Web filter categories to block: Proxies and Translators. All other malicious URL categories (phishing, spyware, spam, and high-risk sites) are blocked by default, and the virus scanner is on by default.
If you have a Sophos Sandstorm license, also configure:
- Sandstorm: on (Configuration > Global Policy > Sandstorm)
Sophos UTM
Configure the Sophos UTM as follows:
- Advanced Threat Protection: on
- Web Protection > Web Filter Profiles > Filter Action > Edit > Anti-Virus > Anti-Virus Scan: Dual Scan
- Web Protection > Web Filtering > HTTPS: Decrypt and Scan
- Web filter categories to block: Anonymizers; Browser Exploits; Malicious Downloads; Malicious Sites; Phishing; Spam URLs; Anonymizing Utilities
- Network Protection > Intrusion Prevention > Attack Patterns > Malware: on
- MIME Type Filter > Additional types to quarantine: application/vnd.ms-word.document.macroEnabled.12, application/vnd.ms-word.template.macroEnabled.12, application/vnd.ms-excel.sheet.macroEnabled.12, application/vnd.ms-excel.template.binary.macroEnabled.12, application/vnd.ms-powerpoint.
- Web Protection > Web Filter Profiles > Filter Action > Anti-Virus > Send suspicious content to Sophos Sandstorm: on (from UTM 9.4)
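The MIME Type Filter quarantine list above and the Application Control advice earlier on this page (block JavaScript attachments, which spam campaigns use to deliver ransomware) describe the same gateway control: quarantine attachments by file type before they reach users. The following Python script is an added example, not Sophos code or a setting from this page. It parses a constructed sample e-mail, checks every attachment against the MIME types the page lists (the page's list is cut off after `application/vnd.ms-powerpoint.`, so only the complete entries are used) plus a filename-extension list and JavaScript MIME types that are this example's own assumption, and shows why both the declared Content-Type and the extension must be checked: the sender controls the Content-Type header, so a `.docm` or `.js` file labelled `application/zip` or `application/octet-stream` must still be caught.

```python
"""Attachment-type quarantine check (added example, not Sophos code).

Implements the kind of filter the page describes for the UTM MIME Type
Filter and for JavaScript attachments: any attachment whose declared MIME
type or filename extension is macro-enabled Office or JavaScript is
quarantined. All sample data is constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# MIME types from the page's UTM "Additional types to quarantine" list.
# The page's list is cut off after "application/vnd.ms-powerpoint.", so only
# the complete entries are reproduced here.
QUARANTINE_MIME_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.12",
    "application/vnd.ms-word.template.macroEnabled.12",
    "application/vnd.ms-excel.sheet.macroEnabled.12",
    "application/vnd.ms-excel.template.binary.macroEnabled.12",
}
# JavaScript MIME types (assumption: the page names JavaScript attachments only).
JS_MIME_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}
# Filename extensions for the same classes (this example's own assumption).
QUARANTINE_EXTENSIONS = {
    ".docm", ".dotm", ".xlsm", ".xltm", ".xlsb", ".pptm",   # macro-enabled Office
    ".js", ".jse",                                           # JavaScript
}
# EmailMessage.get_content_type() returns lower case, so compare in lower case.
_QUARANTINE_TYPES_LOWER = {t.lower() for t in QUARANTINE_MIME_TYPES | JS_MIME_TYPES}


def attachment_verdicts(msg: EmailMessage) -> list[tuple[str, str, str]]:
    """Return (filename, declared_content_type, verdict) for each attachment.

    Verdict is "quarantine" or "allow". Both the declared Content-Type and
    the filename extension are checked: the sender controls both headers,
    so a .docm or .js file labelled application/octet-stream or
    application/zip must still be caught.
    """
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()          # already lower case
        ext = PurePosixPath(name.lower()).suffix
        flagged = ctype in _QUARANTINE_TYPES_LOWER or ext in QUARANTINE_EXTENSIONS
        verdicts.append((name, ctype, "quarantine" if flagged else "allow"))
    return verdicts


def quarantined_names(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return the attachment names to quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [name for name, _, verdict in attachment_verdicts(msg) if verdict == "quarantine"]


def build_sample_message() -> EmailMessage:
    """Constructed sample mail with four attachments (not real data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    # Honestly labelled macro-enabled Word document.
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    # JavaScript attachment hidden behind a generic Content-Type.
    msg.add_attachment(b"// constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.js")
    # Macro-enabled workbook mislabelled as a plain zip archive.
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="zip", filename="Q3-figures.xlsm")
    # Benign PDF that should pass.
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="brochure.pdf")
    return msg


if __name__ == "__main__":
    parsed = email.message_from_bytes(build_sample_message().as_bytes(),
                                      policy=policy.default)
    for name, ctype, verdict in attachment_verdicts(parsed):
        print(f"{verdict:10s} {name:16s} ({ctype})")
```

Run as a script it prints one line per attachment; the two mislabelled files are quarantined on their extension alone, which is the reason a gateway filter should never trust the declared type by itself. Extend `QUARANTINE_EXTENSIONS` and `QUARANTINE_MIME_TYPES` to match your own policy.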
Sophos XG Firewall
ATP settings: Protect > Advanced Threat > Advanced Threat Protection: on
Protect > Web > Settings > Scan Engine Selection: Dual Engine
In each relevant policy rule: Web Malware and Content Scanning > Decrypt and Scan HTTPS: on
In each relevant policy rule, use a Web Policy that blocks the following categories:
- Anonymizers
- Command and Control
- Phishing and Fraud
- Spam URLs