Probable Ransomware Whitelisting

Customers can now whitelist known safe application file extensions, which were detected as Probable Ransomware issues within Secure & Govern. Known safe applications also generate some known Ransomware file extensions. Many of these applications are not widely used and can generate false-positive detections.

Our approach is to provide the broadest artifact-based Ransomware detection to limit the risk of a Ransomware attack. We also realize a small percentage of customers are leveraging various applications and are experiencing more false-positive detections. Introducing file extension whitelisting allows us to maximize our Ransomware coverage while also addressing higher false-positive rates.

There are two ways to whitelist a file extension. Both are described below

Curently, whitelisted file extensions are only supported for artifact-based detections. Behavior/Entropy-based detections will still be detected for whitelisted file extensions.

Issue Remediation - Add Whitelist File Extensions

Issue Reviewers can whitelist file extensions, within the Issues View, by doing the following:

Log into Secure and Govern.
Go to the "Issues" tab
Select an "Open" Probable Ransomware issue
Select "Fix" dropdown options
Select "Whitelist File Extensions." The "Whitelist" modal appears pre-populated with the detected file extensions
"Remove" extensions that should not be whitelisted or "Add" additional extensions to the whitelist.
Select a "Reason"
Enter "Comments"
Select the "Whitelist" and whitelist dialogue appears
Select the "Whitelist" again
Extensions are whitelisted. Users can also "Undo" the action if a mistake is made.