Probable Ransomware Whitelisting

Customers can now whitelist known safe application file extensions that were detected as Probable Ransomware issues within Secure & Govern. Known safe applications also generate files that carry some known Ransomware file extensions. Many of these applications are not widely used and can generate false-positive detections.

Our approach is to provide the broadest artifact-based Ransomware detection to limit the risk of a Ransomware attack. We also realize a small percentage of customers are leveraging various applications and are experiencing more false-positive detections. Introducing file extension whitelisting allows us to maximize our Ransomware coverage while also addressing higher false-positive rates.

There are two ways to whitelist a file extension. Both are described below.

Currently, whitelisted file extensions are only supported for artifact-based detections. Behavior/Entropy-based detections will still be raised for whitelisted file extensions.

Issue Remediation - Add Whitelist File Extensions 

Issue Reviewers can whitelist file extensions, within the Issues View, by doing the following:

  1. Log in to Secure and Govern.
  2. Go to the "Issues" tab.
  3. Select an "Open" Probable Ransomware issue.
  4. Select the "Fix" dropdown options.
  5. Select "Whitelist File Extensions." The "Whitelist" modal appears, pre-populated with the detected file extensions.
  6. "Remove" extensions that should not be whitelisted or "Add" additional extensions to the whitelist.
  7. Select a "Reason."
  8. Enter "Comments."
  9. Select "Whitelist"; the whitelist dialogue appears.
  10. Select "Whitelist" again.
  11. The extensions are whitelisted. Users can also "Undo" the action if a mistake is made.

Analysis Rules Settings - Add Whitelist File Extensions 

Entitled users can whitelist file extensions, within the Probable Ransomware Analysis Rules Settings, by doing the following:

  1. Log in to Secure and Govern.
  2. Go to "Settings."
  3. Select "Analysis Rules."
  4. Select "Probable Ransomware."
  5. Select "Add file extension."
  6. "Add" file extensions to the whitelist.
  7. Select a "Reason."
  8. Enter "Comments."
  9. Select "Whitelist"; the file extensions are whitelisted.

Analysis Rules Settings - Remove Whitelist File Extensions 

Entitled users can remove whitelisted file extensions, within the Probable Ransomware Analysis Rules Settings, by doing the following:

  1. Log in to Secure and Govern.
  2. Go to "Settings."
  3. Select "Analysis Rules."
  4. Select "Probable Ransomware."
  5. Go to the desired file extension and select the "X" to remove the file extension.
  6. The remove file extension dialogue appears.
  7. Select "Remove."
  8. The file extension is removed.