Customers can now whitelist file extensions produced by known safe applications that were previously detected as Probable Ransomware issues within Secure & Govern. Some legitimate applications write files with extensions that are also used by known ransomware families; because many of these applications are not widely used, their output can generate false-positive detections.
Our approach is to provide the broadest artifact-based Ransomware detection in order to limit the risk of a Ransomware attack. We also recognize that a small percentage of customers use such applications and see a higher rate of false-positive detections. File extension whitelisting lets us keep that Ransomware coverage while addressing the higher false-positive rates those customers experience.
There are two ways to whitelist a file extension: from an open issue (Issue Remediation) or from the Analysis Rules Settings. Both are described below.
Currently, whitelisted file extensions are only honored by artifact-based detections. Behavior- and entropy-based detections still fire for files with whitelisted extensions. Note that a whitelist entry suppresses artifact-based detection for every file carrying that extension, not only files written by the application in question, so whitelist only extensions that are specific to a known safe application.
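The caveat above is easy to misread, so the following is an added illustrative model (example code written for this page, not Secure & Govern's own code, and not a description of how the product implements its rules) of two detection paths that share one whitelist: an artifact-based rule that fires on a file extension and an entropy-based rule that fires on file content. The extension list, the 7.5-bit entropy threshold, the sample bytes and the `.enc` scenario are all constructed for the example; the point it demonstrates is that whitelisting an extension clears the artifact flag but leaves the entropy flag standing.

```python
"""Illustrative model: an extension whitelist only suppresses artifact-based flags."""
import math
import os
from collections import Counter
from dataclasses import dataclass, field

# Constructed set of extensions treated as ransomware artifacts in this model.
# Stand-ins only; the product's actual detection list is not published here.
RANSOMWARE_EXTENSIONS = {".locky", ".wncry", ".crypt", ".enc"}

# Assumed entropy cut-off in bits per byte (8.0 is the maximum). This is a
# value chosen for the example, not a product setting.
ENTROPY_THRESHOLD = 7.5


def normalize_extension(ext: str) -> str:
    """Lower-case and ensure a leading dot so ".ENC", "enc" and ".enc" all match."""
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


@dataclass
class Whitelist:
    """Whitelisted extensions with the reason and comment recorded at entry time."""
    entries: dict = field(default_factory=dict)

    def add(self, ext: str, reason: str, comment: str) -> None:
        self.entries[normalize_extension(ext)] = {"reason": reason, "comment": comment}

    def remove(self, ext: str) -> None:
        self.entries.pop(normalize_extension(ext), None)

    def covers(self, ext: str) -> bool:
        return normalize_extension(ext) in self.entries


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def artifact_detection(filename: str, whitelist: Whitelist) -> bool:
    """Artifact-based rule: flag on the extension alone, unless it is whitelisted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in RANSOMWARE_EXTENSIONS and not whitelist.covers(ext)


def entropy_detection(data: bytes) -> bool:
    """Entropy-based rule: flag high-entropy content regardless of the filename."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def analyze(filename: str, data: bytes, whitelist: Whitelist) -> dict:
    """Run both rules; only the artifact rule consults the whitelist."""
    return {
        "artifact": artifact_detection(filename, whitelist),
        "entropy": entropy_detection(data),
    }


# Constructed sample content: a uniform byte distribution (entropy exactly 8.0)
# standing in for encrypted output, and repetitive text standing in for a
# plaintext file that a legitimate tool happened to name with a ".enc" suffix.
ENCRYPTED_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"quarterly figures, unencrypted\n" * 50


def demo() -> list:
    """Walk through add and remove and return the flags raised at each step."""
    wl = Whitelist()
    results = []
    # 1. Before whitelisting: a high-entropy ".enc" file trips both rules.
    results.append(analyze("report.docx.enc", ENCRYPTED_LIKE, wl))
    # 2. Whitelist ".enc" with the reason and comment the UI asks for.
    wl.add(".enc", reason="Known safe application", comment="Output of in-house archiver")
    # 3. Same file: artifact flag suppressed, entropy flag still raised.
    results.append(analyze("report.docx.enc", ENCRYPTED_LIKE, wl))
    # 4. A plaintext ".enc" file from the safe application is now clean.
    results.append(analyze("notes.enc", PLAINTEXT_LIKE, wl))
    # 5. Removing the entry restores artifact-based detection.
    wl.remove(".enc")
    results.append(analyze("report.docx.enc", ENCRYPTED_LIKE, wl))
    return results


if __name__ == "__main__":
    for step, flags in enumerate(demo(), 1):
        print(step, flags)
```

Step 3 is the one that matters operationally: after a whitelist entry is added, an encrypted file with a whitelisted extension is still reported by the entropy path, so a whitelist reduces noise from the artifact rule without turning off detection for files that actually look encrypted.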
Issue Remediation - Add Whitelist File Extensions
Issue Reviewers can whitelist file extensions from the Issues view as follows:
- Log into Secure and Govern.
- Go to the "Issues" tab.
- Select an "Open" Probable Ransomware issue.
- Open the "Fix" dropdown.
- Select "Whitelist File Extensions." The "Whitelist" modal appears, pre-populated with the file extensions detected in the issue.
- "Remove" any extensions that should not be whitelisted, or "Add" additional extensions to the whitelist.
- Select a "Reason."
- Enter "Comments."
- Select "Whitelist"; a confirmation dialog appears.
- Select "Whitelist" again to confirm.
- The extensions are whitelisted. Use "Undo" if a mistake was made.
Analysis Rules Settings - Add Whitelist File Extensions
Entitled users can whitelist file extensions from the Probable Ransomware Analysis Rules Settings as follows:
- Log into Secure and Govern.
- Go to "Settings."
- Select "Analysis Rules."
- Select "Probable Ransomware."
- Select "Add file extension."
- "Add" the file extensions to the whitelist.
- Select a "Reason."
- Enter "Comments."
- Select "Whitelist"; the file extensions are whitelisted.
Analysis Rules Settings - Remove Whitelist File Extensions
Entitled users can remove whitelisted file extensions from the Probable Ransomware Analysis Rules Settings as follows:
- Log into Secure and Govern.
- Go to "Settings."
- Select "Analysis Rules."
- Select "Probable Ransomware."
- Go to the desired file extension and select the "X" to remove it.
- The remove file extension dialog appears.
- Select "Remove."
- The file extension is removed from the whitelist, and artifact-based detection for that extension resumes.