Configure Ransomware Prevention

Following installation, this documentation contains information that guides you through the process of configuring the Ransomware Prevention add-on for your organization.

How to access the Agent Management interface

All aspects of Endpoint Prevention add-ons are configurable in the Agent Management experience of Insight Platform Home. Your Insight account must have either the Platform Administrator role or a Product Administrator role to access Agent Management:

  1. Go to https://insight.rapid7.com/login and sign in with your Insight account email address and password.
    • If you are not directed to Insight Platform Home upon successfully signing in, open the navigator in the upper left corner of your screen and click Insight Platform Home.
  2. Open Data Collection > Agents > Endpoint Prevention.
    • You can use the dropdown next to Agents to select the organization for which you want to configure your Endpoint Prevention add-on. If you only have access to one organization, it will already be selected.

Task 1: Configure Prevention Groups

The first step in configuring your Ransomware Prevention add-on is determining how your assets with an Insight Agent installed should be grouped.

Prevention group rules and characteristics

The Ransomware Prevention add-on requires that all eligible Insight Agents are associated with a prevention group. These groups are the object to which you attach and configure a prevention policy. For an initial deployment, all your eligible agents are automatically placed in a default prevention group. This group uses the immutable default prevention policy configured by Rapid7 to provide a baseline level of protection when your Endpoint Prevention program is in Active Prevention mode.

Assets can only belong to one Prevention Group

You can create your own custom prevention groups to configure your Ransomware Prevention add-on, but note that each group has exclusive control of the assets within it. An asset can only be in one prevention group at a time, and associating an asset with a new prevention group means removing it from its existing group.

Prevention Groups can be empty

Prevention groups do not require assets for the group to be created. This scenario is especially useful when your Ransomware Prevention add-on is already running in Active Prevention mode. Creating an empty prevention group first allows you to prepare a new prevention policy in isolation without affecting your assets and the rest of your Ransomware Prevention configuration. You can return to the prevention group at a later time and assign agents to it when you're ready.

Prevention Groups must be empty to be deleted

Prevention groups are considered in use as long as the group has at least one asset associated with it. Prevention groups with any assets in them are not eligible for deletion. If you decide you no longer require the prevention group, you must move all assets to another custom prevention group or the DEFAULT group before Ransomware Prevention will allow you to delete the group.

Create a prevention group

  1. Click Endpoint Prevention in Agent Management. The Prevention Groups subtab will already be selected.
  2. Click Create Prevention Group. A window will prompt you to name and describe your group.
  3. At this point, you can move on to configure group membership, a prevention policy, and exclusions, or you can elect to finish creating the group and leave configuration for later:

You can configure your prevention groups by adding and removing assets. You can apply filters to make this selection process easier.

Add to a custom Prevention Group during installation

The Insight Agent with Ransomware Prevention supports a command line parameter that you can use to automatically assign the asset to a different prevention group than the DEFAULT group. See the installation guide for instructions on how to do this.

How to use Agent Management's query language

The Ransomware Prevention add-on uses the same query language used by the overall Agents table in the Agent Management interface. Furthermore, any queries you have saved in Agent Management are also available when adding and removing assets within a prevention group.

This query language allows you to select asset-related parameters, such as operating systems and IDs, and pair them with operators and values that you provide. The AND and OR operators also allow you to specify multiple criteria in a single query string. If your selected organization has a large number of assets with the Insight Agent installed on them, filtering what's available for selection with queries will make adding and removing assets within a prevention group much easier.

A practical query example

Consider this example query:

agent.platform CONTAINS "server" AND agent.timestamp > 8/1/2023 AND agent.semanticVersion = 3.3.3.27

Chained together with the AND operator, this query refines your selectable assets to all those that satisfy every one of these criteria:

  • Assets that contain server in the operating system name (the intention being to retrieve all assets with an Insight Agent installed on them running an edition of Windows Server).
  • Assets with the Insight Agent installed on them that have most recently communicated with the Insight Platform later than August 1, 2023.
  • Assets with the Insight Agent installed on them that are running exactly version 3.3.3.27 of its software.
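
To show how the operators in this query combine, here is an added Python evaluator that runs the documented query over a handful of constructed agent records. It is illustrative code, not Rapid7's query engine: the record fields, the case-insensitive CONTAINS, and AND binding tighter than OR are assumptions made for this example.

```python
import re
from datetime import date

# Constructed sample agent records standing in for rows of the Agent Management
# table. Field names follow the doc's query parameters; the layout is an assumption.
AGENTS = [
    {"id": "a1", "platform": "Windows Server 2019", "timestamp": date(2023, 9, 3),  "semanticVersion": "3.3.3.27"},
    {"id": "a2", "platform": "Windows 11",          "timestamp": date(2023, 9, 3),  "semanticVersion": "3.3.3.27"},
    {"id": "a3", "platform": "Windows Server 2022", "timestamp": date(2023, 6, 14), "semanticVersion": "3.3.3.27"},
    {"id": "a4", "platform": "Windows Server 2016", "timestamp": date(2023, 8, 2),  "semanticVersion": "3.3.2.11"},
    {"id": "a5", "platform": "Ubuntu Server 22.04", "timestamp": date(2023, 8, 1),  "semanticVersion": "3.3.3.27"},
    {"id": "a6", "platform": "Ubuntu Server 22.04", "timestamp": date(2023, 8, 9),  "semanticVersion": "3.3.3.27"},
]

# One comparison: agent.<field> <op> <value>; the value is a quoted string or a bare token.
TERM = re.compile(r'^agent\.(\w+)\s+(CONTAINS|=|>|<)\s+("[^"]*"|\S+)$')
DATE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})$")   # M/D/YYYY, as in the doc's example
VERSION = re.compile(r"^\d+(\.\d+)+$")                  # dotted version such as 3.3.3.27


def parse_value(raw):
    """Turn the textual right-hand side of a term into a comparable Python value."""
    if raw.startswith('"'):
        return raw[1:-1]
    m = DATE.match(raw)
    if m:
        month, day, year = (int(x) for x in m.groups())
        return date(year, month, day)
    return raw


def comparable(value):
    """Key for = > <: dates compare as dates, dotted versions as integer tuples."""
    if isinstance(value, str) and VERSION.match(value):
        return tuple(int(p) for p in value.split("."))
    return value


def parse_query(query):
    """Parse 'term AND term OR term ...' into AND-groups joined by OR.
    Assumption: AND binds tighter than OR (the doc does not state precedence)."""
    groups = []
    for clause in re.split(r"\s+OR\s+", query.strip()):
        terms = []
        for raw_term in re.split(r"\s+AND\s+", clause):
            m = TERM.match(raw_term.strip())
            if not m:
                raise ValueError(f"unparseable term: {raw_term!r}")
            field, op, raw_value = m.groups()
            terms.append((field, op, parse_value(raw_value)))
        groups.append(terms)
    return groups


def term_matches(agent, field, op, value):
    actual = agent.get(field)
    if actual is None:
        return False
    if op == "CONTAINS":
        # Assumption: case-insensitive substring match, which is what lets
        # "server" find "Windows Server" in the doc's example.
        return str(value).lower() in str(actual).lower()
    if op == "=":
        return comparable(actual) == comparable(value)
    if op == ">":
        return comparable(actual) > comparable(value)
    if op == "<":
        return comparable(actual) < comparable(value)
    raise ValueError(op)


def select_agents(agents, query):
    """IDs of agents for which some OR-group has all of its terms true."""
    groups = parse_query(query)
    return [a["id"] for a in agents
            if any(all(term_matches(a, *t) for t in g) for g in groups)]


if __name__ == "__main__":
    q = ('agent.platform CONTAINS "server" AND agent.timestamp > 8/1/2023 '
         'AND agent.semanticVersion = 3.3.3.27')
    print(select_agents(AGENTS, q))   # ['a1', 'a6']
```

Note that a6, a Linux agent whose platform name also contains "Server", is selected as well; that is why it pays to review the filtered list before adding assets to a group.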

To add or remove assets from a Prevention Group:

Assets can only belong to one Prevention Group

Adding an asset to a prevention group will remove it from any prevention group it is already assigned to.

  1. Click Endpoint Prevention. The Prevention Groups subtab will already be selected.
  2. In your Prevention Groups table, select the custom prevention group you want to add or remove assets within and click its table row. The Prevention Group interface will display.
  3. Click Assets on the left navigation.
    • If the group is currently empty, click Add Assets to get started.
    • If the group already has member agents that you want to adjust, click Manage Assets.
  4. The Add or remove Assets interface will display. From here, select if you want to Remove Assets or Add Assets. You can manually select individual assets using their corresponding check boxes, or use a query to multi-select assets.
    • You can enter your query manually by providing input directly in the query field. Click this field to see a list of parameters that you can use. This list will narrow in scope as you enter text.
    • Alternatively, use the Queries dropdown to load any Agent Management query you have saved previously, or any you have used recently.
  5. After you finish selecting which agents should be added or removed within this prevention group, click Add Assets or Remove Assets, depending on which tab you are in.
    • If you click Close, the changes you have made in this interface will not be saved.

Task 2: Configure Prevention Policies

The policy attached to a prevention group is composed of categories of detection logic called prevention engines. Each engine is designed to detect specific threats and instruct the Insight Agent on what action to take when a threat is detected. You can tune the behavior of each engine individually, and select which engines to use collectively, to meet the goals of your Ransomware Prevention add-on.

Prevention policy rules and characteristics

A prevention policy exists solely within a prevention group and has a one-to-one relationship with that group. A group's policy defines what prevention engines should be actively monitoring the prevention group's assets for threats.

You have full configuration control over the policies attached to your custom prevention groups. An exception to this is the DEFAULT prevention group and the default prevention policy attached to it. This policy is immutable and its configuration is maintained solely by Rapid7.

Agent actions

You can separately configure how the Insight Agent will respond to detected threats for each prevention engine in your policy. Overall, the Insight Agent is capable of these actions:

  • Block - The Insight Agent will actively block any threat detected by the prevention engine and generate an alert in InsightIDR. Depending on the context of the threat, this could involve terminating malicious processes, denying access to files, and other active prevention methods.
  • Detection Only - The Insight Agent will take no action other than generating an alert in InsightIDR.
    • This setting functionally disables Ransomware Prevention's ability to play an active role in safeguarding your assets. You may determine that some asset behaviors do not warrant Insight Agent intervention beyond generating alerts in your environment, but be aware that you will need to be responsible for handling threats detected in these circumstances.

Rule priority

Like Agent actions, you can separately configure the priority level of alerts generated by each of your prevention engines in your policy. When your security team sees these alerts in InsightIDR, the priority level you assign here will be tagged in the alert itself.

The Ransomware Prevention add-on supports these priority levels:

  • Low
  • Medium
  • High

The context of these levels should be determined within your security team.

Prevention Engine details

Prevention engines protect your assets from ransomware and other forms of malware that use common types of evasive techniques. The following prevention engines are available for use and configuration in your policies. This section provides a high-level explanation of what each of these engines detects.

Memory Injection Attacks

Some malicious software can inject and hide itself in a legitimate process. The Memory Injection Attacks prevention engine stops fileless threats and blocks code execution from the file system, causing such malware to exit or crash.

More information

Why it’s used

Previously, malware attacks typically involved malicious processes, which either carried out the attack or downloaded a file-based payload with malicious code. These processes were found by threat analysts and security software that listed running processes, distinguishing suspicious processes from legitimate ones.

How it’s used

Malware authors are now aware of this countermeasure and have created a way to circumvent it, using techniques known as process injection or memory injection.

Process and memory injection make it harder for security tools to detect malicious processes. These techniques run malicious code in the address space (the range of valid in-memory addresses allocated to a particular program or process) of a legitimate process or a sensitive OS process. Sometimes, malware also unpacks malicious code into its own process as a form of self-injection, creating a skeleton process that is already present in memory.

How the Ransomware Prevention add-on blocks it

Ransomware Prevention stops fileless and other memory-resident malware from hiding in legitimate processes and evading detection. For example, Ransomware Prevention deceives the malware about its ability to unpack code solely in a process’ memory space without exposing or loading a dynamic link library (DLL) into the process memory, stopping the attack before it does any damage.

Resulting actions

The code injection is blocked from unpacking itself in the destination or targeted process.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the destination process and the malware targeted for injection. It also provides a list of all loaded modules (DLLs) in the process that triggered the alert.

Living-Off-the-Land Attacks

Different from classic forms of malware, a Living-Off-the-Land attack attempts to cause damage by misusing tools that are built into the system. The Living-Off-the-Land Attacks prevention engine blocks the malicious software's ability to leverage such tools to infect an asset.

More information

Why it’s used

Living off the land (LOTL or LOL) is an evasion technique that takes advantage of trusted system utilities, libraries, tools, and components, which are native to the operating system. The operations that this software performs appear to be legitimate, even though they are performed on behalf of a threat actor.

How it’s used

Malware uses LOLbins to perform operations, which appear to be typical. For example, malware can perform lateral movement, download malicious artifacts, and move to another stage of attack without triggering an alert. These operations can use trusted utilities and components, including those that are digitally signed.

How the Ransomware Prevention add-on blocks it

Ransomware Prevention stops unwanted process relationship executions by hiding LOLbins. This makes it impossible for attackers to find them and use them to continue their attack.

Resulting actions

Ransomware Prevention blocks processes from spawning LOLbin executions.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the blocked command that executed the child process.

Malicious Document Attacks

Malicious documents can sometimes misuse features such as macros, scripts, and built-in tools. The Malicious Document Attacks prevention engine disarms the malicious documents' attempts and allows applications to operate without being infected.

More information

Why it’s used

Threat actors use documents to lure victims through phishing or social engineering attacks, allowing them to deliver malicious code and gain a foothold on a machine. Traditional antivirus (AV) tools and threat analysts typically detect malware by comparing the hash of the document file to the malware hashes in their database.

However, it’s more difficult to detect malicious activity in popular software that’s used to open these documents, such as Microsoft Office or Adobe. This software is often misused as an evasive technique, carrying out the document’s malicious code on its behalf while remaining undetected, since the software is considered legitimate.

How it’s used

Malware uses legitimate document software to run macros, open script interpreters, obfuscate malicious code, use add-ons and extensions, download scripts, execute another executable program, and more.

How the Ransomware Prevention add-on blocks it

Ransomware Prevention isolates the document in the container software used to open it by preventing interaction with other script interpreters and executables that appear unusual or risky.

Resulting actions

Ransomware Prevention blocks malware from spawning risky child processes.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the blocked command that executed the child process.

OS Credential Dumping Attacks

Attackers or malware can sometimes attempt to harvest operating system credentials to gain access to an environment. The OS Credential Dumping Attacks prevention engine protects sensitive files, processes, and other key artifacts to prevent this type of threat.

More information

Why it’s used

It takes multiple steps for ransomware to be successful, including shutting down security controls and accessing restricted information to hold for ransom. Spreading through a network requires lateral movement, where attackers can attempt to dump credentials, allowing them to obtain account logins that enable their malware to move laterally.

How it’s used

Adversaries might attempt to access credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). They can deploy tools that allow them to extract this data, exploit legitimate applications and processes, and use LOLbins to dump sensitive credential information.

How the Ransomware Prevention add-on blocks it

Ransomware Prevention cloaks sensitive files, processes, and other artifacts, preventing attackers or their malware from harvesting credentials or other sensitive data—even if the threat finds a way to run on the system.

Resulting actions

Ransomware Prevention monitors API calls that attempt to access credentials stored in the process memory of LSASS, preventing access to this area and preventing snapshot dumping using a LOLbin.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the sensitive asset where credential harvesting was attempted. It also provides the blocked command line involved in the attempt.

File and Process Manipulation Attacks

Malicious software can attempt to manipulate other software applications and processes to gain access to an asset’s internal files. This prevention engine prevents malware from making deceptive modifications to files and processes.

More information

Why it’s used

Traditional antivirus (AV) tools and threat analysts typically detect malware by comparing the hash of a file or process with the malware hashes in their database. Additionally, file systems often require dedicated permissions or access controls.

Making too many changes on a file system can trigger existing endpoint security controls, which block malware activity. However, legitimate programs with direct access can read and write files directly from the drive by analyzing file systems. These programs can access sensitive or vulnerable files in a way that doesn’t raise suspicion.

How it’s used

To avoid detection, adversaries abuse programs that already have direct access to file systems and can read and write files directly from the drive. These programs can be used to access sensitive files and then read, write, or execute on the malware’s behalf. This technique can bypass Windows file access controls and file system monitoring tools.

How the Ransomware Prevention add-on blocks it

To prevent the evasive techniques that exploit access to a file system, Ransomware Prevention can control access to the file system, making it inaccessible or unchangeable.

Resulting actions

Ransomware Prevention blocks attempts from the malicious process to access restricted file systems by manipulating the access controls to the file or path.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the blocked path that the process attempted to reach.

Data Encryption Attacks

Malicious software, particularly ransomware, can introduce processes that silently encrypt files. If this behavior is detected, the Ransomware Prevention add-on will terminate the destructive process.

More information

Why it’s used

Encryption occurs often in a Windows OS and is not necessarily malicious. Many built-in and third-party tools use native OS functions and methods of encryption to meet their functional requirements. These encryption methods, which are usually unmonitored, are often time and resource intensive.

Encryption makes it harder for endpoint security tools and threat analysts to identify ransomware as malicious. However, once the ransomware is detected, a signature is immediately created, preventing further infections.

How it’s used

Malware authors are aware of this technical challenge and have created a way to avoid it, using hidden or nested threads that allow them to execute their malicious code quickly while remaining unnoticed.

How the Ransomware Prevention add-on blocks it

Ransomware Prevention blocks ransomware’s attempts to hide in process threads. Instead of monitoring the encryption method itself, Ransomware Prevention monitors suspicious thread activities, rendering this technique ineffective.

Resulting actions

Ransomware Prevention terminates the process initiating hidden or nested threads.

Forensic information available in alerts

In addition to the standard details, the resulting alert provides information about the process that initiated the attack.

Configure a Prevention Policy

  1. Click Endpoint Prevention in Agent Management. The Prevention Groups subtab will already be selected.
  2. In your Prevention Groups table, browse to the custom prevention group you want to configure a policy for and click its table row. An interface with the prevention group details will display.
  3. Click Prevention Policy in the left navigation. The policy will be locked initially, so click Edit to unlock all configuration options.
  4. Use the sliders to select which prevention engines the policy should use.

Make your prevention engine choices carefully!

If you turn off an engine for this policy, Insight Agents associated with this prevention group will be unable to detect, and therefore unable to alert on or act against, any threat this engine would otherwise have detected. If you choose to turn off a prevention engine, do so carefully and with clear intentions.

As an alternative to turning off a prevention engine, consider keeping it enabled in Detection Only mode so you continue to receive alerts on detected activity.

  5. Configure what action the Insight Agent should take for each engine and what priority their corresponding alerts should be tagged with.
  6. Click Save when finished, or Cancel to abandon your progress and return the policy to its prior saved state.

Task 3: Configure Tamper Protection and Password Protection

Attackers often attempt to tamper with endpoint security solutions, so that they can freely perform malicious activities without being detected.

The Tamper Protection engine contains rules that protect the Insight Agent components powering the Ransomware Prevention add-on, therefore protecting your assets continuously. When Tamper Protection is turned on, it prevents malware and bad actors from tampering with the files and functionality of Ransomware Prevention. It also offers the option of turning on Password Protection.

Using a one-time passcode (OTP) or a fixed password allows you to limit the users who can update, stop, or uninstall the Ransomware Prevention add-on. You can activate password protection at both the organizational level and for individual prevention groups that require extra security.

Types of password protection

You may find that you are unsure when to choose between a one-time passcode and a fixed password. Use this guidance to help you make the right decision and provide maximum protection for your assets:

  • One-Time Passcode (recommended) - After you enable Password Protection, the system begins generating a passcode at regular intervals. This passcode can be viewed and used for a limited amount of time to update, stop, or uninstall Ransomware Prevention (see the steps for setting the validation window). After the passcode expires, a newly generated passcode can be used. This passcode is valid even when the machine is disconnected from the Insight Platform.
  • Fixed Password - In addition to the one-time passcode, you can set an optional, fixed password. Having a fixed password is useful when you want to update your Insight Agents or uninstall them, because these tasks can take some time to complete and the OTP becomes impractical. You can use a fixed password across the entire organization, which covers all prevention groups, or you can specify a password for individual prevention groups, which will override the central password. This is useful in situations where your organization has a large number of prevention groups and multiple group administrators, because each admin can use a specific password to manage the groups that are assigned to them.

Password Protection is dependent on Tamper Protection being active

Password Protection can be enabled and configured only when Tamper Protection is turned on.

How to turn Tamper Protection on or off

Tamper Protection is enabled by default, both at the organizational level and for any newly created prevention group. For continuous protection from attacks, it is recommended that you keep it enabled. However, there are some situations where you might need to turn it off.

To turn Tamper Protection on or off:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Turn the Tamper Protection toggle on or off.

Tamper Protection actively protects all of the prevention groups in your organization. However, if you decide that one or more prevention groups require no protection, you can turn it off.

To turn Tamper Protection on or off for a prevention group:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Select Security Details in the left navigation.
  5. Turn the Tamper Protection for Windows toggle on or off.

Tamper Protection works in Active Prevention mode only

For Tamper Protection to be effective, ensure that the activation mode is set to Active Prevention. Read more about activation modes.

How to turn Password Protection on or off

Password protection ensures that users cannot update, stop, or uninstall Ransomware Prevention without either a passcode or a password.

Password protection is disabled by default and must be switched on before you can use it.

You can apply password protection to the entire organization or set a specific password on an individual prevention group.

To turn password protection on or off:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Ensure that the Tamper Protection toggle is turned on.
  4. Turn the Password Protection toggle on or off.

To turn password protection on or off for a prevention group:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Select Security Details in the left navigation.
  5. Ensure that the Tamper Protection toggle is turned on.
  6. Turn the Password Protection toggle on or off.

Get the one-time passcode

The one-time passcode is the most secure option, because the passcode refreshes after a short interval and cannot be guessed by attackers.

Because you must enter the passcode in the update, stop, or uninstall commands, you must decide the validation window that you can allow before the passcode expires.

To get the one-time passcode:

  1. Click Data Collection > Agents.
  2. Select the Endpoint Prevention tab and click Security Settings.
  3. Under Password Protection, click Get One-Time Passcode.
  4. The One-Time Passcode modal displays, where you can copy and paste the passcode into a text editor or directly into your command prompt.

The remaining time is displayed, which tells you how much time you have to use that passcode before it expires and a new one is generated.

To set the validation window:

  1. Click Data Collection > Agents.
  2. Select Endpoint Prevention and select Security Settings in the left navigation.
  3. Under Password Protection, click Edit Validation Window.
  4. Select a time frame.
  5. Click Save.

Use a short validation window for better protection

To limit the security risk, it is recommended that you select the shortest validation window possible.

Create a fixed password

The fixed password is an optional setting for the Ransomware Prevention add-on. It is not required, and configuring one increases the risk of a security breach. By comparison, one-time passcodes are more secure and are therefore recommended.

However, a fixed password can be useful when your Insight Agent configuration work will take longer than a one-time passcode will allow. For example, updating or uninstalling multiple Insight Agents can take some time and sometimes require multiple users to complete.

When you no longer need your fixed password, it is best to remove it and use a one-time passcode.

Note: Because your password is used as a parameter in a command, it must not contain characters that will abort the command. For example, these characters are invalid for a fixed password: < > " : * ? \ / |

To create a password:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention and select Security Settings in the left navigation.
  3. Under Password Protection, click Create Password.
  4. Enter a password and confirm the password you entered.
  5. Click Save.

To create a password for a prevention group:

  1. Click Data Collection > Agents.
  2. Click Endpoint Prevention > Prevention Groups.
  3. Select the prevention group you want to modify.
  4. Under Password Protection, click Create Password.
  5. Enter a password and confirm the password you entered.
  6. Click Save.

Task 4: Create Exclusions

You can instruct your Ransomware Prevention add-on to exclude asset behavior that would otherwise trigger a response from your prevention policies.

Exclusions are dependent on the prevention engines included in your license

Each prevention engine detects and alerts on certain asset behaviors, so exclusions are relative to those behaviors. If some of the exclusions documented here do not appear in your environment, check your license or contact Rapid7 if you wish to upgrade.

Exclusion rules and characteristics

In general, exclusions in Ransomware Prevention should be approached with more caution and consideration than similar exclusion capabilities offered by other Rapid7 features.

At its strictest level, Ransomware Prevention is designed to intervene automatically when a threat is detected. Excluding certain behavior from this intervention also means increasing the risk to your assets.

Ultimately, your business is in the best position to know what level of risk is acceptable in your environment and what asset behaviors can be safely ignored, but any exclusions you create in Ransomware Prevention should be clearly intentioned nonetheless.

Exclusion types

While you may want to create some exclusions proactively, you may also need to create them after you receive an alert in InsightIDR about benign activity.

When creating an exclusion proactively, without the context of a given alert, the available exclusion types are Path and Hash. However, when creating an exclusion from an alert you received in InsightIDR, the Insight Platform will provide the applicable exclusion type based on the alert type and associated Prevention Engine.

That means not all exclusion types are available for every alert. In addition, in some cases the process that triggered an alert is a container, sensitive, or generic process. The Insight Platform may adjust the applicable exclusion for these processes to give more granular exclusion. This is intended behavior to avoid security exposure.

Criteria you can exclude

You can exclude these types of detectable criteria from the Ransomware Prevention add-on:

  • SHA256 hash values
  • Paths - Allows you to exclude a file path on your assets.
    • This exclusion type is useful if your assets run software or services at a specific location and you want to ensure that Ransomware Prevention does not impact how these tools operate.
  • Extensions - Allows you to exclude an entire file type.
    • This exclusion type is useful if your assets use a specific file format regularly that you don't want Ransomware Prevention to scan.
  • Process - Allows you to exclude an executable (.exe) process path on your assets.
  • Certificate - Allows you to exclude a digitally signed process by its certificate details. You can also choose the level at which the process certificate details are identified:
    • Publisher - Any executable process signed by the publisher information found in the certificate is excluded.
    • Product - Any executable process signed by the publisher and with the product definition found in the certificate will be excluded.
    • File name - Any executable process whose certificate matches the publisher, the product, and the file name will be excluded.
  • Script - Allows you to exclude a specific script or command that a process is attempting to execute.
  • File Access - Allows you to exclude specific directories or files that a process is attempting to reach.

Supported criteria for prevention engines

Depending on the alert type and context, this table indicates the attributes that prevention engines are monitoring and the types of exclusions that are allowed:

Prevention Engine (columns: Path, Hash, Process, Extension, Script, File Access, Certificate)
Memory Injection: X X X
Malicious Document: X X
Living-Off-the-Land: X
OS Credential Dumping: X X X
File and Process Manipulation: X X
Data Encryption: X X X

Scope of exclusions

You can apply exclusions to all of the prevention groups in your organization – these are called Global Exclusions. You can also apply them to individual prevention groups during the creation or editing process, meaning the exclusions will apply only to the agents within that group.

Configure an exclusion

  1. In your Agent Management experience, click Endpoint Prevention.
  2. Determine whether you want the exclusion to be Global or prevention group-specific:
    • For Global exclusions, click the Global Exclusions subtab and click Create Global Exclusion. The exclusion creation window appears.
    • For prevention group-specific exclusions, click the Prevention Groups subtab and click on the prevention group for which you want to create an exclusion. Select Exclusions from the left navigation and click Create Exclusion. The exclusion creation window appears.
  3. Select the operating system.
  4. Select the exclusion type.
  5. Based on the type you selected, enter a value as prompted by the example shown.
  6. If desired, give the exclusion a description.
  7. Click Save when finished.

You can edit both Global and prevention group-specific exclusions from the same location you create them from.

Wildcards

Exclusion data will often need to be flexible due to dynamic paths and command line arguments. Exclusions for Rapid7's Ransomware Prevention support path-based wildcards and wildcards for script/file access based exclusions.

An asterisk stands in for any run of characters in its position. For example, in c:\{myfolder}\*\abc.exe the asterisk matches whatever appears between {myfolder}\ and \abc.exe.

Question marks are used to replace a single character. For example, ?:\{myfolder}\abc.exe could apply to both C:\{myfolder}\abc.exe and D:\{myfolder}\abc.exe.

Wildcards for path-based exclusions

Excluding a process or file path may need to be flexible since paths may differ, or may be dynamically used by the same process.

You can use an asterisk wildcard in the path to represent any folder and sub-folders. If you need to exclude an entire folder, you must place the wildcard at the end of your exclusion path.

For example, C:\{myfolder}\* would apply to any executable that resides directly in the {myfolder} folder and all its sub-folders.

Required formatting

Creating a path-based exclusion without an asterisk at the end will not have an effect.

Wildcards for script/file access based exclusions

When you receive an alert from one of the Prevention Engines that can be excluded using script or file access (see table above), wildcard exclusions can be used to replace strings in the blocked command or path that are likely to change every time the alert is triggered.

You can use wildcards so that an exclusion matches multiple alerts (multiple blocked command lines or blocked paths), so a single exclusion covers all potentially similar alerts.

Sometimes the same process will produce multiple alerts that appear the same, but the blocked command or path is slightly different. You can use wildcards to replace the section of the exclusion that will dynamically change. For example, if you have two alerts that contain process.123.exe and process.456.exe, you can use process.*.exe to exclude both of these alerts at once.
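The following is an added example, not part of this documentation and not Rapid7's own matching code: a small Python model of the wildcard semantics described above (asterisk for any run of characters, question mark for a single character, and the requirement that a folder exclusion end in an asterisk). It lets you dry-run a candidate exclusion against the blocked paths or command lines from a set of alerts before you save it, so you can see exactly how many alerts it would silence. Case-insensitive matching, the sample alert records, and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample alert data for the example, not real InsightIDR alerts.
# "type" is the exclusion type the platform offered for the alert; "value" is
# the blocked path, process, or command line.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"id": "a1", "type": "Process", "value": r"C:\Tools\bin\abc.exe"},
    {"id": "a2", "type": "Process", "value": r"C:\Tools\v2\abc.exe"},
    {"id": "a3", "type": "Process", "value": r"C:\Other\abc.exe"},
    {"id": "a4", "type": "Script", "value": "process.123.exe"},
    {"id": "a5", "type": "Script", "value": "process.456.exe"},
    {"id": "a6", "type": "File Access", "value": r"D:\Shares\Finance\q1.xlsx"},
]


def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate an exclusion pattern into an anchored regular expression.

    Assumed semantics (modelled on the documentation above, not Rapid7's code):
      *  matches any run of characters, backslashes included, so a trailing
         '\\*' covers a folder and all of its sub-folders
      ?  matches exactly one character
    Every other character is matched literally. Matching is case-insensitive,
    an assumption made because Windows paths are case-insensitive.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, value: str) -> bool:
    """True if the whole value is matched by the exclusion pattern."""
    return exclusion_to_regex(pattern).fullmatch(value) is not None


def folder_exclusion_is_effective(path_pattern: str) -> bool:
    """A path exclusion meant to cover a folder must end in an asterisk;
    the documentation states one without it has no effect."""
    return path_pattern.endswith("*")


def covered_alerts(pattern: str, exclusion_type: str,
                   alerts: List[Dict[str, str]] = SAMPLE_ALERTS) -> List[str]:
    """Return the ids of alerts of the given type that this exclusion would
    suppress. Review this list before saving: a pattern that is broader than
    intended shows up here as extra ids."""
    return [a["id"] for a in alerts
            if a["type"] == exclusion_type and matches(pattern, a["value"])]


if __name__ == "__main__":
    for pat, typ in [(r"C:\Tools\*\abc.exe", "Process"),
                     (r"C:\Tools\*", "Process"),
                     ("process.*.exe", "Script"),
                     (r"?:\Shares\Finance\*.xlsx", "File Access")]:
        print(f"{pat!r:32} -> covers {covered_alerts(pat, typ)}")
    print("C:\\Tools without trailing *:",
          folder_exclusion_is_effective(r"C:\Tools"))
```

Running the block shows that C:\Tools\*\abc.exe covers only the two abc.exe alerts under C:\Tools, that process.*.exe collapses the two Script alerts into one exclusion, and that a folder pattern lacking the trailing asterisk is flagged before it is saved.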

Task 5: Change the Activation Mode

Your Ransomware Prevention add-on can operate in one of two possible activation modes: Monitor Only and Active Prevention. Like all settings in Agent Management, you configure this activation mode on a per-organization basis:

  • Monitor Only - Your Insight Agents will not take any of the actions dictated by your prevention policies when threats are detected, but monitoring will continue nonetheless. When threats are detected, these events will be logged and alerts will still be generated.
    • This is the default mode for Ransomware Prevention and allows you to complete all necessary configuration tasks before you're ready to switch to Active Prevention.
    • If you need to troubleshoot your Ransomware Prevention add-on configuration, you can switch back to Monitor Only for this purpose.
  • Active Prevention - Your Insight Agents will actively respond to detected threats with the actions dictated by your prevention policies. All such events will be logged and sent to InsightIDR for analysis and further action, if necessary.

How to switch between activation modes

You can switch between Monitor Only and Active Prevention at any time in the Endpoint Prevention tab:

  1. In your Agent Management experience, click Endpoint Prevention.
  2. Click Activation Mode.
  3. Change your activation mode selection as necessary.
    • If you've finished configuring your Ransomware Prevention add-on and you're ready to enable Active Prevention for the first time, do so now.
    • If you need to troubleshoot your Ransomware Prevention add-on, switch to Monitor Only for the duration to avoid any disruption in your environment.
  4. Click Save Changes to finish.