Issue                     

  • Configure additional ESET Remote Administrator (6.3 and later) Antispam policy settings in ESET Mail Security for Microsoft Exchange Server to protect against Filecoder (ransomware) malware

Solution

                            

Using the default Antispam rules, incoming emails are already being filtered on the mail server itself. This ensures that the attachment containing the malicious dropper will not be delivered in the mailbox of the end user and the ransomware is not able to execute. To further help prevent ransomware malware on your Microsoft Exchange server, create the following policy rules in ESET Remote Administrator version 6.3 or later:

Do not adjust policies on production systems

The following policy settings are additional configurations and the specific settings needed for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.


  1. Click Admin Policies, select the Agent policy being applied to your server(s) (your default parent policy) and then click Policies Edit.

    Alternatively, you can create a new policy in ESET Remote Administrator (6.x).
     
  2. Expand Settings and click Server → Rules.
     
  3. Under Mail Transport Protection, click Edit next to Rules.

Figure 1-1
Click the image to view larger in new window

  1. Click Add to create a rule to quarantine common ransomware droppers.

Figure 1-2

  1. Type a name for the new rule, for example “Ransomware droppers”.
     
  2. Under the Condition type section, click Add.

.

Figure 1-3
Click the image to view larger in new window

  1. From the Type drop-down menu, select Attachment name and then click Add

Figure 1-4
Click the image to view larger in new window

  1. Click Enter multiple values and then type in the following file names, pressing Return or Enter on your keyboard after each one:
    • *.js
    • *.hta
    • *.doc
    • *.docm
    • *.xls
    • *.xlsm
    • *.ppt
    • *.pptm
    • *.vbs
    • *.bat
    • *.wsf
    • *.7z
    • *.zip
    • *.rar

Figure 1-5

  1. Click OK twice.
     
  2. Click Add under the Action type section and select your preferred action. In this example, we have selected Quarantine message.


    You can add optional, additional Action types, as follows:

    Delete attachment; Quarantine attachment; Replace attachment with action information; Delete message; Send email notification; Evaluate other rules; Log to event.


  3. Click OK

Figure 1-6

  1. Select the check box next to Dangerous executable file attachments and then click Edit.

Figure 1-7

  1. Click the entry under Condition type to select it and then click Edit.

    The following executable file attachments are processed—if your network environment requires the use of any of these file formats, you can modify which file formats are blocked. Most businesses may want to deselect the .exe and .msi files formats. 


    ESET Mail Security version 6.2.10012 and earlier

    If you are using an earlier version of ESET Mail Security (previous to version 6.3), selecting the "Executable" rule will block all Microsoft Office documents.


    • Windows Executable (*.exe, *.dll,* .sys*, *.drv; *.ocx, *.scr)
    • MS-DOS Executable (*.exe)
    • ELF Executable and Linkable format (for example, Linux) (*.elf)
    • Adobe Flash (*.swf)
    • Java Class Bytecode (*.class)
    • Windows Installer Package (*.msi)
    • Apple OS X Universal binary executable
    • Apple OS X Mach-O binary executable
    • Android executable (*.dex)

Figure 1-8

  1. Click the plus icon  to expand Executable files, select the check box next to each file type you want to allow in your system environment (selecting the check box will deselect the item from being deleted by the Action type that you chose in step 10 above) and then click OK twice.

Figure 1-9

  1. In the Rules window, click Save.
     
  2. If you created a new policy, expand Assign to assign the policy to a group, otherwise, click Finish in the Edit/New Policy – Settings screen. 


Your policy settings will be applied to the target groups or client computers once they check in to ESET Remote Administrator.

The following is an example of the "Ransomware dropper" policy filtering a ransomware dropper, along with a corresponding mail quarantine report

Figure 2-1

Figure 2-2