
Protecting against Ransom-WannaCry (May 2017)

Technical Articles ID: KB89335
Last Modified: 5/12/2017

Environment

McAfee products that use DATs

Summary

McAfee is aware of a new variant of ransomware that has been detected in corporate environments. Threat Name: Ransom-WannaCry (also known as WCry, WanaCrypt and WanaCrypt0r).

This article will be updated as additional information becomes available. Please continue to monitor this document for updates.

Recent updates to this article

Date                         Update
May 12, 2017 1:05 PM CDT     Added synonyms of threat name.
May 12, 2017 12:30 PM CDT    Article created and published.

This threat exhibits the following symptoms on infected systems:

Files are encrypted with the .wnry, .wcry, .wncry, and .wncryt extensions.
End users see a screen with a ransom message.
On restarting, impacted machines have a blue screen error and cannot start.
Encryption is seen on the local host and on open SMB shares.

VirusScan Enterprise (VSE) and Endpoint Security (ENS) Access Protection Proactive Measures

Use VSE Access Protection rules:

Rule1:

Rule Type: Registry Blocking Rule


Process to include: *
Registry key or value to protect: HKLM - /Software/WanaCrypt0r
Registry key or value to protect: Key
File actions to prevent: Create key or value


Rule2:

Rule Type: File/Folder Blocking Rule


Process to include: *
File or folder name to block: *.wnry
File actions to prevent: New files being created

Use ENS Access Protection rules:

Rule1:

Executable1:

Inclusion: Include
File Name or Path: *

SubRule1:

SubRule Type: Registry key


Operations: Create
Target1:

Inclusion: Include
File, folder name, or file path: *\Software\WanaCrypt0r

SubRule2:

SubRule Type: Files


Operations: Create
Target1:

Inclusion: Include
File, folder name, or file path: *.wnry
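
Added example (not part of the McAfee article and not McAfee code): a triage sweep that checks a host or mounted share for the indicators this article names, the four file extensions from the symptoms list and the HKLM Software\WanaCrypt0r registry key from the rules. The function names and report layout are assumptions made for this illustration.

```python
import os
import sys
from collections import Counter

RANSOM_EXTENSIONS = (".wnry", ".wcry", ".wncry", ".wncryt")  # from the symptoms list
# Key named in the Access Protection rules above, relative to HKLM.
REGISTRY_SUBKEY = r"Software\WanaCrypt0r"


def find_encrypted_files(root):
    """Return {directory: count} for files ending in a listed extension."""
    hits = Counter()
    # onerror ignores unreadable directories so one ACL denial does not stop the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower().endswith(RANSOM_EXTENSIONS):  # case-insensitive match
                hits[dirpath] += 1
    return dict(hits)


def registry_key_present():
    """True or False on Windows; None if the registry cannot be queried."""
    try:
        import winreg  # Windows-only standard-library module
    except ImportError:
        return None
    # Check both the 64-bit and the 32-bit (WOW6432Node) view of the Software hive.
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_SUBKEY, 0, winreg.KEY_READ | view):
                return True
        except FileNotFoundError:
            continue
        except OSError:  # for example, access denied
            return None
    return False


def triage(root):
    per_dir = find_encrypted_files(root)
    return {
        "registry_key_present": registry_key_present(),
        "encrypted_file_count": sum(per_dir.values()),
        # Directories with the most matching files first.
        "directories": sorted(per_dir, key=per_dir.get, reverse=True),
    }


if __name__ == "__main__":
    print(triage(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with a directory or mounted share path as the only argument. A registry result of None means the check could not be performed on that system, not that the key is absent.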

 
More information will be posted shortly.
Please continue to return to this page for the latest updates.

Affected Products

Endpoint Security Firewall 10.5.x
Endpoint Security Firewall 10.2.x
Endpoint Security Firewall 10.1.x
Endpoint Security Threat Prevention 10.5.x
Endpoint Security Threat Prevention 10.2.x
Endpoint Security Threat Prevention 10.1.x
Endpoint Security Web Control 10.5.x
Endpoint Security Web Control 10.2.x
Endpoint Security Web Control 10.1.x
Threat Prevention and Removal
VirusScan Enterprise 8.8
