Ransomware protection using Symantec Endpoint Security

Symantec has multiple protections in place to defend customers against targeted ransomware attacks.
Defense in depth is key to blocking ransomware attacks, and knowing the attack chain used by most groups helps you identify security priorities. Combining the features of Endpoint Security maximizes your chances of discovering suspicious activity on your network before payloads are deployed. See:
Targeted ransomware attacks can be broken down into the following broad phases:
  • Initial compromise
  • Privilege escalation and credential theft
  • Lateral movement
  • Encryption and deletion of backups
The best defense is to block the many types of attacks and to use the attack chain that most cybercrime groups follow to identify security priorities. Unfortunately, ransomware decryption is not possible using removal tools.
On Symantec Endpoint Security, deploy and enable the following features. Some features are enabled by default.
Symantec Endpoint Security features
Step 1: Enable file-based protection
File-based protection quarantines known ransomware and attacker tooling, for example files detected as Ransom.Maze, Ransom.Sodinokibi, and Backdoor.Cobalt.
Enable the Antimalware policy.
This policy is enabled by default.
Step 2: Enable SONAR
SONAR’s behavior-based protection is another crucial defense against malware. SONAR prevents ransomware variants like CryptoLocker, which hide behind double-extension executable file names, from running.
In an Antimalware policy, click Enable behavioral analysis. This option is enabled by default. See:
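The double-extension naming that SONAR catches behaviorally can also be checked statically over a file listing or an attachment log. The following is an added example (not Symantec or SONAR code): it flags files whose real, executable extension sits behind a decoy document or image extension such as "invoice.pdf.exe". The extension sets and the triage helper are assumptions for illustration.

```python
"""Flag executables that hide behind a benign-looking first extension.

Added example, not part of Symantec Endpoint Security. Demonstrates the
"double executable file name" pattern (report.pdf.exe) that ransomware such as
CryptoLocker has used, as a defender-side filename check.
"""
import os

# Extensions Windows executes directly (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions commonly used as the decoy, user-facing first extension (constructed).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}


def is_double_extension(filename: str) -> bool:
    """Return True when the file's real extension is executable and the
    name shows a decoy document/image extension right before it."""
    # Accept Windows or POSIX paths; only the final component matters.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, real_ext = os.path.splitext(base)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, decoy_ext = os.path.splitext(stem)
    return decoy_ext.lower() in DECOY_EXTS


def triage(filenames):
    """Split names into (suspicious, benign) lists for analyst review."""
    suspicious = [f for f in filenames if is_double_extension(f)]
    benign = [f for f in filenames if not is_double_extension(f)]
    return suspicious, benign


if __name__ == "__main__":
    # Constructed sample listing.
    sample = ["invoice.pdf.exe", "setup.exe", "archive.tar.gz",
              "C:\\Users\\alice\\Downloads\\Statement.PDF.SCR", "report.pdf"]
    bad, ok = triage(sample)
    print("suspicious:", bad)
    print("benign:", ok)
```

Comparison is case-insensitive because Windows treats `.SCR` and `.scr` alike; a genuine multi-part name such as `archive.tar.gz` is not flagged because `.gz` is not executable.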
Step 3: Enable Download Insight
Modify Symantec Insight to quarantine the files that have not yet been proven to be safe by the Symantec customer base.
Download Insight is always enabled and is part of the Intensive Protection policy. To modify the Intensive Protection settings, see:
Step 4: Enable the Intrusion Prevention System (IPS)
  • IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.
  • In some cases, IPS can block file encryption by interrupting command-and-control (C&C) communication. A C&C server is a computer controlled by an attacker or cybercriminal and that is used to send commands to systems compromised by malware and receive stolen data from a target network.
  • URL reputation prevents web threats based on the reputation score of a web page. The Enable URL Reputation option blocks web pages with reputation scores below a specific threshold (14.3 RU1 and later).
For more information, see:
URL reputation is not enabled by default.
Step 5: Block PDF files and scripts
Use the Allow List and Deny List to block known bad files and domains. Click Deny List and Allow List. See:
Step 6: Download patches
Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.
  • Discovery scans: The cloud console provides a comprehensive view of files, applications, and executables that appear in your environment. You can view information about the risks, vulnerabilities, reputation, source, and other characteristics that are associated with these discovered items. See:
  • Use discovered items when EDR is enabled. The discovery agent on SES is similar to the unmanaged detector on SEP, but the agent provides much more information about individual files and applications. See:
  • Application Control controls and manages the use of unwanted and unauthorized applications in your environment. Application Control on SES is a different feature than on SEP. See:
    • For Symantec Agents 14.3 RU1 and later, use Behavioral Isolation for endpoints that do not use Application Isolation and Application Control. The Behavioral Application Isolation policy identifies how to handle suspicious behaviors that might be performed by trusted applications. You get alerts in the cloud console and a message in-policy when a new behavior signature or an existing behavior signature is available in the policy. You determine whether the behavior is a result of an attack on a file and specify an action on it. See:
Part of Symantec Endpoint Security Complete.
Step 7: Enable Secure Connection
Enable Secure Connection and its settings so that, whether on a corporate network, at home, or out of the office, endpoints can integrate with Symantec Web Security Service (WSS). Secure Connection redirects Internet traffic on the client to the Symantec WSS, where the traffic is allowed or blocked based on the WSS policies. See:
Step 8: Enable Memory Exploit Mitigation
Memory Exploit Mitigation protects against known vulnerabilities in unpatched software, such as JBoss or the Apache web server, that attackers exploit.
Step 9: Enable Endpoint Detection and Response (EDR)
EDR focuses on behaviors rather than files and can strengthen defenses against spear phishing and the use of living-off-the-land tools. For example, if Word doesn’t normally launch PowerShell in the customer environment, then that behavior should be placed in Block mode. EDR’s UI lets customers easily understand which behaviors are common and should be allowed, which are seen but should still be alerted on, and which are uncommon and should be blocked. You can also address gaps reactively as part of investigating and responding to incident alerts. The incident alert shows all behaviors that were observed as part of the breach and lets you put them in Block mode right from the incident details page.
Part of Symantec Endpoint Security Complete.
For more information, see:
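The allow / alert / block split that EDR exposes in its UI rests on a baseline of which parent-to-child process launches are normal in an environment. The following added example (not Symantec EDR code) builds such a baseline from constructed process-creation events and classifies new observations the way the paragraph describes, using the page's own Word-launching-PowerShell case as the lineage that is blocked when it has never been seen. The event tuple format, the host-count threshold, and the lists of Office parents and PowerShell children are assumptions.

```python
"""Baseline parent->child process pairs and sort new ones into allow/alert/block.

Added example, not part of Symantec Endpoint Security. Mirrors the EDR idea
from the page: common behaviors are allowed, seen-but-rare ones are alerted
on, and an uncommon lineage such as an Office app spawning PowerShell is blocked.
"""
from collections import defaultdict

# Constructed process-creation events: (host, parent image, child image).
BASELINE_EVENTS = [
    ("host01", "explorer.exe", "winword.exe"),
    ("host02", "explorer.exe", "winword.exe"),
    ("host03", "explorer.exe", "winword.exe"),
    ("host01", "services.exe", "svchost.exe"),
    ("host02", "services.exe", "svchost.exe"),
    ("host03", "services.exe", "svchost.exe"),
    ("host02", "cmd.exe", "powershell.exe"),   # observed on one host only
]

# Assumed watched lineage: any Office parent launching PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WATCHED_CHILDREN = {"powershell.exe", "pwsh.exe"}

# Assumed threshold: a pair is "common" once seen on this many distinct hosts.
ALLOW_MIN_HOSTS = 3


def build_baseline(events):
    """Map (parent, child) -> set of hosts on which that pair was observed."""
    hosts_by_pair = defaultdict(set)
    for host, parent, child in events:
        hosts_by_pair[(parent.lower(), child.lower())].add(host)
    return hosts_by_pair


def classify(parent, child, baseline):
    """Return 'allow', 'alert' or 'block' for one parent->child observation."""
    pair = (parent.lower(), child.lower())
    host_count = len(baseline.get(pair, ()))
    if host_count >= ALLOW_MIN_HOSTS:
        return "allow"            # common across the fleet
    if host_count > 0:
        return "alert"            # seen before, but rare: worth a look
    if pair[0] in OFFICE_PARENTS and pair[1] in WATCHED_CHILDREN:
        return "block"            # never seen and matches the watched lineage
    return "alert"                # never seen, not watched: surface for review


def triage_events(new_events, baseline):
    """Classify a batch of (host, parent, child) events.
    Returns a dict verdict -> list of the events that received it."""
    verdicts = {"allow": [], "alert": [], "block": []}
    for host, parent, child in new_events:
        verdicts[classify(parent, child, baseline)].append((host, parent, child))
    return verdicts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    # Constructed new observations to triage against the baseline.
    new = [
        ("host09", "services.exe", "svchost.exe"),
        ("host09", "cmd.exe", "powershell.exe"),
        ("host09", "WINWORD.EXE", "powershell.exe"),
        ("host09", "notepad.exe", "calc.exe"),
    ]
    for verdict, events in triage_events(new, baseline).items():
        print(verdict, events)
```

Matching is case-insensitive on image names because Windows reports them inconsistently. In practice the baseline would be built from the console's recorded behaviors rather than a hand-written list, and the threshold tuned to fleet size; the verdict structure is what carries over.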
Step 10: Enable AI-based protection
Symantec’s targeted attack cloud analytics leverages advanced machine learning to spot patterns of activity associated with targeted attacks.
Part of Symantec Endpoint Security Complete.
Step 11: Enable auditing
Use auditing tools to help you gain insight into your endpoints both on a corporate network and outside of your corporate network before ransomware has a chance to spread.
Unmanaged detectors need to be present to account for endpoints where protection may not be present. See: