Sophos Ransomware Protection

SSL Reviews
Posted by SSL Reviews

Configuration settings for Sophos Solutions

Sophos technology protects against ransomware by blocking malicious files and internet traffic.

It is important to properly configure your solutions to ensure your protection works.

Notice: Before implementing these changes in a live environment, make sure you test them first.

Sophos Enterprise Console manages Sophos Endpoint

Configure the following settings if you manage Sophos Endpoint Security and Control through Sophos Enterprise ConsoleAnti-Virus and HIPS policy workstations, file servers, terminal servers.

  • On-access scanning
    • Files can be viewed on reading, Rename or WriteOn
    • Check for Adware and PussycatsOn
    • Memory for the scanning system: On
  • Block access to malicious sites
  • Scanning content an on-access scanning
  • Enable file reputation checking: On
  • Sophos Live Protection: On
  • Behavior monitoringOn
    • Detect malicious behavior: On
    • Detect malicious traffic: On
    • Detect buffer overflows: On

For a full list of recommended settings and instructions on how to turn them on, see: Recommended settings for Anti-Virus and HIPS

Configure the following for customers who have Server Protection Enterprise or Endpoint Exploit Prevention license exploit Prevention policy.

  • Enable exploit prevention: On
  • CryptoGuard protects document files against ransomware
    • You can protect yourself from remotely run ransomware
  • WipeGuard provides boot and disk record protection (WipeGuard). On
  • Safe Browsing: Protect critical functions of web browsers
  • Reduce exploits in vulnerable appsOn
    • Protect web browsers
    • Protect web browser plugins
    • Java applications should be protected
    • Protect media applications
    • Protect office applications
  • Avoid hollowing attacks
  • Stop DLLs being loaded from folders that aren’t trusted

You can also use Application Control to prevent users from running JavaScript on your machine. JavaScript attachments in spam emails are a popular method of spreading ransomware. For instructions on how to do this, see: Use Application Control to prevent malicious JavaScript files.

Sophos strongly recommends that you turn on enhanced tamper protection for all managed servers and endpoints.

See Sophos Endpoint Defense: How to enable Enhanced Tamper Protection for further information.

Sophos Central manages Sophos Endpoint

Configure the following Threat Protection settings if you use Sophos Central managed Endpoint Protection.

  • Live protection
  • Enable deep learning: On
  • Real-time scanning of local files and network shares: On
  • Downloads are in a progression
  • Block access to malicious sites
  • Low-reputation files can be detected: On
  • Automated removal of malware
  • Detect malicious behavior (HIPS):On

Sophos Intercept customers who are licensed:

  • CryptoGuard protects document files against ransomware
  • Protect yourself from master boot record ransomware
  • Safe Browsing: Protect critical functions of web browsers
  • Reduce exploits in vulnerable appsOn
    • Protect web browsers
    • Protect web browser plugins
    • Java applications should be protected
    • Protect media applications
    • Protect office applications
  • Protect your processes
    • Avoid hollowing attacks
    • Stop DLLs being loaded from folders that aren’t trusted
    • Protect credential theft
    • Prevent code cave utilization: On
    • APC violations can be prevented
    • Prevent privilege escalation: On
  • Protection with dynamic shellcodes
  • Validate CTF Protocol caller: On
  • Sideloading of insecure modules should be avoided
  • To detect network traffic and command and control servers, On
    • Detect malicious connections to command-and-control servers
    • Protect your network from malicious traffic by using packet inspection (IPS). On
  • Detect malicious behavior: On
  • AMSI Protection (with an enhanced scan for script-based threats
    • Do not remove AMSI registration

You can also use Application Control to prevent users from running JavaScript on your device. JavaScript attachments in spam emails are a popular method of spreading ransomware. For instructions on how to do this, see: Use Application Control to prevent malicious JavaScript files.

Sophos strongly recommends that you turn on enhanced tamper protection for all managed endpoints.

For more information, see Sophos Endpoint Defence: How to Enable Enhanced Tamper Protection

Sophos Server Protection managed by Sophos Central

Configure your server according to the following if you are using Sophos Central managed Server Standard Protection

  • Live protection
  • Real-time scanning of local files and network shares: On
  • Downloads are in progression
  • Block access to malicious sites
  • Low-reputation files can be detected: On
  • Automated removal of malware
  • To detect network traffic and command and control servers, On
  • Detect malicious behavior (HIPS): On
  • To detect network traffic and command and control servers, On

For Sophos Central managedIntercept customers who are licensed:

  • CryptoGuard protects document files against ransomware
    • You can protect yourself from remotely-run ransomware
  • Protect yourself from master boot record ransomware
  • Safe Browsing: Protect critical functions of web browsers
  • Reduce exploits in vulnerable appsOn
    • Protect web browsers
    • Protect web browser plugins
    • Java applications should be protected
    • Protect media applications
    • Protect office applications
  • Protect your processes
    • Avoid hollowing attacks
    • Stop DLLs being loaded from folders that aren’t trusted
    • Protect credential theft
    • Prevent code cave utilization: On
    • APC violations can be prevented
    • Prevent privilege escalation: On
  • To detect network traffic and command and control servers, On
  • Allow Sophos Security Heartbeat(TM).On(requires XG Firewall
  • All Server Protection default features should be enabled

Sophos strongly recommends that you turn on enhanced tamper protection for all managed servers.

See Sophos Endpoint Defense: How to enable Enhanced Tamper Protection for further information.

Sophos Email Appliance

As follows:

  • Configuration > Policy>>> SophosLabs Suspect Attachments for all:On
  • Configuration > Policy>> > Add Rule Type > Time-of–Click ProtectionOn
  • Configuration > Policy > SMTTP Options > Delay QueueOn

Notification: Users following URLs from outside should ensure that the Email Appliance is available to resolve them: Configuration > Network> Hostname and Proxy

ForSophos SandstormCustomers who are licensed:

  • Configuration > PolicyOn

Sophos Web Appliance

As follows:

  • Configuration > Global Policy> HTTPS ScanningOn
  • Block web filter categories: Proxy & translators All malicious URLs (phishing and spyware, spam, high-risk sites, etc.) are blocked automatically. The virus scan is activated.

ForSophos SandstormCustomers who are licensed:

  • Configuration > Global PolicyOn

Sophos UTM

As follows:

  • Advanced Protection > Advanced Threat ProtectionOn
  • Web Protection > Web Filter Profiles > Filter Action > Edit > Anti-Virus > Anti-Virus Scan: Dual Scan
  • Web Protection > Web Filtering> HTTPS > Decrypt and Sca
  • Categories of block web filters:
    • Anonymizers
    • Browser exploits
    • Malicious downloads
    • Malicious sites
    • Phishing
    • Spam URLs
    • Anonymization of program data (and anonymizing utilities) is possible.
  • Network Protection > Intrusion prevention
  • Network Protection > Intrusion Prevention > Attack Pattern
    • Malware
  • Email Protection >SMTP > Malware> MIME Type Filter> Additional Types to Quarantine
    • application/vnd.ms-word.document.macroEnabled.12
    • application/vnd.ms-word.template.macroEnabled.12
    • application/vnd.ms-excel.sheet.macroEnabled.12
    • application/vnd.ms-excel.template.macroEnabled.12
    • application/vnd.ms-excel.addin.macroEnabled.12
    • application/vnd.ms-excel.sheet.binary.macroEnabled.12
    • application/vnd.ms-powerpoint.addin.macroEnabled.12
    • application/vnd.ms-powerpoint.presentation.macroEnabled.12
    • application/vnd.ms-powerpoint.template.macroEnabled.12
    • application/vnd.ms-powerpoint.slideshow.macroEnabled.12
    • application/vnd.ms-powerpoint.slide.macroEnabled.12

ForSophos SandstormCustomers who are licensed:

  • Web Protection > Web Filter Profiles> Anti-Virus > Refer suspicious items To Sophos SandstormOn(starting at UTM 9.4)

Sophos XG Firewall

As follows:

  • Protect > Advanced Threat > Advanced Protection:On
  • Protect > Web > General Settings> Scan Engine Selection > Dual Engine
  • Each policy rule is > Web Malware and Content Scanning> Decrypt & scan HTTPS:On
  • Each relevant policy rule > Web Policy:
    • Anonymizers
    • Command & Control
    • Phishing & Fraud
    • Spam URLs
  • IPS: Protect > Intrusion Prevention > IPS Policies
    • Malware Communication
Tags: