Ransomware protection using Symantec Endpoint Protection

Targeted ransomware attacks can be broken down into the following broad phases:
  • Initial compromise
  • Privilege escalation and credential theft
  • Lateral movement
  • Encryption and deletion of backups
The best defense is to block the many types of attacks and to know the attack chain that most cyber crime groups use, so that you can set security priorities accordingly. Unfortunately, ransomware decryption is not possible using removal tools.
In Symantec Endpoint Protection Manager, deploy and enable the following features. Some features are enabled by default.
Step 1: Enable file-based protection
Symantec quarantines files detected as threats such as Ransom.Maze, Ransom.Sodinokibi, and Backdoor.Cobalt.
Enable the Virus and Spyware Protection policy, which is enabled by default. See:
Step 2: Enable SONAR
SONAR’s behavioral-based protection is another crucial defense against malware. SONAR prevents the double executable file names of ransomware variants like CryptoLocker from running.
In a Virus and Spyware Protection policy, click Enable SONAR. This option is enabled by default. See:
Step 3: Modify Download Insight
Symantec Insight blocks ransomware variants by quarantining files that the Symantec customer base has identified as malicious, as well as files that have not yet been proven to be either safe or malicious.
Download Insight is part of the default Virus and Spyware - High Security policy.
  1. In the console, open the target Virus and Spyware Protection policy and click Download Protection. If adding a new policy, select the Virus and Spyware Protection policy - High Security.
  2. On the Download Insight tab, make sure that Enable Download Insight to detect potential risks in downloaded files based on file reputation is checked.
  3. Check the following default options:
    • Files with
      or fewer users
    • Files known by users for
      or fewer days
    The low default values force the client to treat any file that has not been reported to Symantec by more than five users, or that has been known for less than 2 days, as unproven. When an unproven file meets these criteria, Download Insight detects it as malicious.
  4. Make sure that Automatically trust any file downloaded from a trusted Internet or intranet site is checked.
  5. On the tab, under Malicious Files, keep the first action as Quarantine risk and the second action as Leave alone.
  6. Under Unproven Files, click Quarantine risk.
  7. Click
Step 4: Enable the Intrusion Prevention System (IPS)
  • IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.
  • In some cases, IPS can block file encryption by interrupting command-and-control (C&C) communication. A C&C server is a computer controlled by an attacker or cybercriminal and that is used to send commands to systems compromised by malware and receive stolen data from a target network.
  • URL reputation prevents web threats based on the reputation score of a web page. The Enable URL Reputation option blocks web pages with reputation scores below a specific threshold (14.3 RU1 and later).
For more information, see:
URL reputation is enabled by default.
Step 5: Block PDF files and scripts
In the Exceptions policy, click Windows Exceptions > File Access.
Step 6: Download patches
Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.
Do the following:
  1. Use the Application and Device Control to prevent applications from running in the User Profile directories, such as Local and LocalLow. Ransomware applications install themselves into many directories apart from Local\Temp\Low. See:
  2. Use Endpoint Detection and Response (EDR) to identify files with ransomware behavior:
    1. Disable macro scripts from MS Office files that are transmitted through email.
    2. Right-click the detected endpoints and select the option to isolate them. To isolate and rejoin endpoints from the console, you must have a Quarantine Firewall policy in Symantec Endpoint Protection Manager that is assigned to a Host Integrity policy. See:
Step 7: Enable Web and Cloud Access Protection and Web Security Service
Enable Web and Cloud Access Protection and secure connection settings so that endpoints, whether on a corporate network, at home, or out of the office, can integrate with Symantec Web Security Service (WSS). Network Traffic Redirection (NTR) redirects Internet traffic on the client to the Symantec WSS, where the traffic is allowed or blocked based on the WSS policies.
For more information, see:
Step 8: Enable Memory Exploit Mitigation
Memory Exploit Mitigation protects against the exploitation of known vulnerabilities in unpatched software, such as JBoss or the Apache web server, which attackers target.
Step 9: Enable AMSI and file-less scanning
Third-party application developers can protect their customers from dynamic script-based malware and from non-traditional avenues of cyberattack. The third-party application calls the Windows AMSI interface to request a scan of a user-provided script, and the request is routed to the Symantec Endpoint Protection client. The client responds with a verdict that indicates whether or not the script's behavior is malicious. If the behavior is not malicious, script execution proceeds. If the script's behavior is malicious, the application does not run it, and on the client the Detection Results dialog box displays a status of "Access Denied." Examples of third-party scripts include Windows PowerShell, JavaScript, and VBScript. Auto-Protect must be enabled. This functionality works for Windows 10 and later computers (14.3 and later).
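The following PowerShell script is an added example, not code from the Symantec page: it lets an administrator confirm on an endpoint that an AMSI provider is registered and that the AMSI path described above actually returns a malicious verdict for a known test sample. It assumes Windows 10 or later, Windows PowerShell 5.1 or later, and an installed AMSI provider such as the SEP client.

```powershell
# Added example (not from the Symantec page): defender-side check that AMSI
# script scanning is registered and working on this endpoint.

function Get-AmsiProvider {
    # Each registered AMSI provider appears as a CLSID subkey under this key.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providersKey)) { return @() }
    foreach ($key in Get-ChildItem $providersKey) {
        $clsid = $key.PSChildName
        # The readable name is the default value of the provider's COM class key.
        $name = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" `
                 -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Clsid = $clsid; Provider = $name }
    }
}

function Test-AmsiBlocksSample {
    # Microsoft's documented AMSI test string: harmless on its own, but every
    # working provider must flag it, the same way EICAR exercises a file scanner.
    $sample = 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        # Compiling the text as script content makes PowerShell submit it to AMSI.
        # If nothing blocks it, "AMSI" simply fails to resolve as a command.
        Invoke-Expression $sample -ErrorAction Stop | Out-Null
        return $false
    }
    catch {
        # A blocked script surfaces as a parse error with this error id / message.
        return ($_.FullyQualifiedErrorId -like '*ScriptContainedMaliciousContent*' -or
                $_.Exception.Message -like '*malicious content*')
    }
}

# Report which provider is registered and whether it blocks the sample.
$providers = @(Get-AmsiProvider)
if ($providers.Count -eq 0) {
    Write-Warning 'No AMSI provider is registered; script scanning is not active.'
} else {
    $providers | Format-Table -AutoSize
}
if (Test-AmsiBlocksSample) {
    Write-Output 'AMSI returned a malicious verdict: the sample was blocked as expected.'
} else {
    Write-Warning 'AMSI did not block the test sample; check that Auto-Protect is enabled.'
}
```

On a protected client the blocked sample also appears in the Detection Results dialog box, matching the "Access Denied" status described above.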
Step 10: Enable Endpoint Detection and Response (EDR)
EDR focuses on behaviors rather than files and can strengthen defenses against spear phishing and the use of living-off-the-land tools. For example, if Word doesn't normally launch PowerShell in the customer environment, then this behavior should be placed in Block mode. EDR's UI allows customers to easily understand which behaviors are common and should be allowed, which are seen but should still be alerted on, and which are uncommon and should be blocked. You can also address gaps reactively as part of investigating and responding to incident alerts. The incident alert shows all behaviors that were observed as part of the breach and lets you put them in Block mode right from the incident details page.
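The allow / alert / block triage described above, shown as an added PowerShell example that is not part of the Symantec page or product: it builds a baseline of parent-child process pairs from constructed sample telemetry and classifies new observations, treating a never-seen Office-to-script-host pair (such as Word launching PowerShell) as a Block candidate. The name lists, thresholds and records are assumptions.

```powershell
# Added example (not from the Symantec page): baseline-driven triage of
# parent->child process pairs into Allow, Alert, or Block.

$officeParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$scriptHosts   = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe'

function Get-PairBaseline {
    # Count how often each parent->child pair was observed in the baseline period.
    param([object[]]$Records)
    $counts = @{}
    foreach ($r in $Records) {
        $key = ($r.Parent + '->' + $r.Child).ToLower()
        if ($counts.ContainsKey($key)) { $counts[$key]++ } else { $counts[$key] = 1 }
    }
    return $counts
}

function Get-PairVerdict {
    # Common pairs are allowed, rare-but-seen pairs alert, and a never-seen pair
    # in which an Office application spawns a script host is a Block candidate.
    param([hashtable]$Baseline, [string]$Parent, [string]$Child, [int]$CommonAt = 10)
    $key  = ($Parent + '->' + $Child).ToLower()
    $seen = if ($Baseline.ContainsKey($key)) { $Baseline[$key] } else { 0 }
    if ($seen -ge $CommonAt) { return 'Allow' }
    if ($seen -gt 0)         { return 'Alert' }
    if ($officeParents -contains $Parent.ToLower() -and $scriptHosts -contains $Child.ToLower()) {
        return 'Block'
    }
    return 'Alert'   # new but not an Office->script-host pair: review before blocking
}

# Constructed baseline: Word launched routinely from Explorer, plus a rare print helper.
$records  = @([pscustomobject]@{ Parent = 'explorer.exe'; Child = 'WINWORD.EXE' }) * 40 +
            @([pscustomobject]@{ Parent = 'WINWORD.EXE';  Child = 'splwow64.exe' }) * 3
$baseline = Get-PairBaseline -Records $records

# Triage three new observations against that baseline (expected: Allow, Alert, Block).
$candidates = @(
    @{ Parent = 'explorer.exe'; Child = 'WINWORD.EXE' },
    @{ Parent = 'WINWORD.EXE';  Child = 'splwow64.exe' },
    @{ Parent = 'WINWORD.EXE';  Child = 'powershell.exe' }
)
foreach ($pair in $candidates) {
    $verdict = Get-PairVerdict -Baseline $baseline -Parent $pair.Parent -Child $pair.Child
    Write-Output ('{0,-13} -> {1,-15} {2}' -f $pair.Parent, $pair.Child, $verdict)
}
```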
Step 11: Enable auditing
Use auditing tools to help you gain insight into your endpoints both on a corporate network and outside of your corporate network before ransomware has a chance to spread.
Use Memory Exploit Mitigation to test for false positives. See:
Step 12: Set up unmanaged detectors
Unmanaged detectors need to be present to account for endpoints where protection may not be present.
More information