Ransomware Protection

Ransomware Protection prevents the unauthorized modification or encryption of files on agents by "ransomware" threats. Ransomware is a type of malware which restricts access to files and demands payment to restore the affected files.

OfficeScan provides the following methods to protect your environment from ransomware threats.

Note:

To reduce the chance of the OfficeScan agent detecting a safe process as malicious, ensure that the agent has Internet access to perform additional verification processes using Trend Micro servers.

Option

Description

Protect documents against unauthorized encryption or modification

You can configure Behavior Monitoring to detect a specific sequence of events that may indicate a ransomware attack. After Behavior Monitoring matches all of the following criteria, the OfficeScan agent terminates and attempts to quarantine malicious programs:

  1. A process not recognized as safe attempts to modify, delete, or rename three files within a certain time interval.

  2. The process attempted to modify a protected file extension type

Additionally enable Automatically back up files changed by suspicious programs to create copies of files being encrypted on endpoints. After the encryption process completes and OfficeScan detects a ransomware threat, OfficeScan prompts end users to restore the affected files without suffering any loss of data.

Note:

Automatic file backup requires at least 100 MB of disk space on the agent endpoint and only backs up files that are less than 10 MB in size.

The backup folder location on agent endpoints is: <Agent installation folder>\CCSF\module\DRE\data.

Warning:

If Automatically back up files changed by suspicious programs is not enabled, OfficeScan cannot recover the first files affected by a ransomware threat.

Block processes commonly associated with ransomware

Ransomware commonly distributes executable files in specific locations on endpoints before attempting to hijack files. Blocking the processes started from these locations can help prevent the ransomware from being able to hijack files.

Enable program inspection to detect and block compromised executable files

Program inspection monitors processes and performs API hooking to determine if a program is behaving in an unexpected manner. Although this procedure increases the overall detection ratio of compromised executable files, it may result in decreased system performance.

Tip:

Program inspection provides increased security if you select Known and potential threats in the Threats to block drop-down.

Important:

Not supported on Windows Server 2003 without SP2 (or later) and Windows XP 64-bit platforms.