Customers can now whitelist file extensions that belong to known safe applications but were detected as Probable Ransomware issues within Secure & Govern. Some known safe applications generate files whose extensions match known Ransomware file extensions. Many of these applications are not widely used and can generate false-positive detections.
Our approach is to provide the broadest artifact-based Ransomware detection to limit the risk of a Ransomware attack. We also realize a small percentage of customers are leveraging various applications and are experiencing more false-positive detections. Introducing file extension whitelisting allows us to maximize our Ransomware coverage while also addressing higher false-positive rates.
There are two ways to whitelist a file extension. Both are described below.
Whitelisting a file extension will prevent future artifact-based and Zero-day (Behavioral-based) detections for the whitelisted file extension.
Issue Remediation - Add Whitelist File Extensions
Issue Reviewers can whitelist file extensions, within the Issues View, by doing the following:
- Log into Secure and Govern.
- Go to the Issues tab.
- Select an Open Probable Ransomware issue.
- Select the Remediate dropdown options.
- Select Whitelist File Extensions. The Whitelist modal appears pre-populated with the detected file extensions.
- Remove extensions that should not be whitelisted or Add additional extensions to the whitelist.
- Select a Reason.
- Enter Comments.
- Click on the Whitelist button. The whitelist dialogue appears.
- Click on the Whitelist button again.
- Extensions will be whitelisted. Users can remove the whitelisted file extensions if needed.
Analysis Rules Settings - Add Whitelist File Extensions
Entitled users can whitelist file extensions, within the Probable Ransomware Analysis Rules Settings, by doing the following:
- Log into Secure and Govern.
- Go to Settings.
- Select Analysis Rules.
- Select Probable Ransomware.
- Select Add file extension.
- Add file extensions to the whitelist.
- Enter Comments.
- Click on the Whitelist button, and the file extensions will be whitelisted.
Analysis Rules Settings - Remove Whitelist File Extensions
Entitled users can remove whitelisted file extensions, within the Probable Ransomware Analysis Rules Settings, by doing the following:
- Log into Secure and Govern.
- Go to Settings.
- Select Analysis Rules.
- Select Probable Ransomware.
- Go to the desired file extension and click on X to remove it.
- The remove file extension dialogue appears.
- Click on the Remove button.
- The file extension is removed.