Does Everyone Have Outbound Firewall Rules That Block Exe's Used By Ransomware?

Discussion in 'malware problems & news' started by itman, Oct 10, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Came across the Eset Endpoint tech paper for configuring HIPS and firewall for ransomware:

    http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0ahUKEwjy4Of4t9DPAhUFWD4KHeQlBM8QFghdMAU&url=http://www.nod32.com.hr/Portals/66/PDF/anti-ransomware-techbrief_en.pdf&usg=AFQjCNHN_-B-UcNEaldEAOXbtRNbA78xNg

    Never occurred to me to add firewall rules to block all network traffic for cscript, wscript, and powershell. The 16-bit support exe, ntvdm.exe, doesn't exist anymore in Win 10. None of these processes should be dialing out. I assume most firewall rules running in interactive mode will trigger on outbound execution for these exes, but you never know with ransomware.
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I just block everything outbound that is not whitelisted, using built-in firewall. Since I don't have many programs installed that need to access net, it's not hard to set it up.
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, exactly, no need to make special rules. It's very simple: if you're not on the whitelist, you're not allowed to run or to make outbound connections. This also goes for system applications.
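The two approaches in this thread (post #1's explicit block rules for cscript, wscript and powershell, and posts #2 and #4's "block everything outbound that is not whitelisted" with the built-in firewall) can be combined in one script against Windows Defender Firewall. The following is an added example, not code from the thread, the Eset tech brief, or Microsoft: it assumes an elevated PowerShell prompt on Windows 10, and the paths in `$allowed` are constructed placeholders to be replaced with your own whitelist. It also covers the 32-bit copies of the script hosts under SysWOW64 that a rule on System32 alone would miss, and turns on logging of blocked connections so a script host trying to dial out leaves a record.

```powershell
# Added example (not from the thread): default-deny outbound with the built-in
# Windows Defender Firewall, plus explicit block rules for the script hosts
# named in post #1. Run from an elevated PowerShell prompt. Paths under
# $allowed are constructed placeholders; replace them with your own whitelist.

$ErrorActionPreference = 'Stop'
$group = 'Outbound whitelist (example)'

# 1. Make "not whitelisted" mean "blocked" on every profile (post #2's approach),
#    and log what gets blocked (default log: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block -LogBlocked True

# 2. Whitelist: only these programs may make outbound connections.
$allowed = @(
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",      # placeholder
    "$env:ProgramFiles\Thunderbird\thunderbird.exe"       # placeholder
)
foreach ($exe in $allowed) {
    if (-not (Test-Path $exe)) { Write-Warning "Skipping missing program: $exe"; continue }
    New-NetFirewallRule -DisplayName "Allow out: $(Split-Path $exe -Leaf)" -Group $group `
        -Direction Outbound -Program $exe -Action Allow -Profile Any | Out-Null
}

# 3. Explicit block rules for cscript/wscript/powershell (post #1). The default
#    action already denies them, but an explicit Block rule wins over any Allow
#    rule added later (for example by an installer), so this layer survives
#    whitelist mistakes. On 64-bit Windows each host exists twice (System32 and
#    SysWOW64); both copies are covered. ntvdm.exe is not listed because it does
#    not exist on 64-bit Windows 10.
$scriptHosts = @(
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\cscript.exe",
    "$env:SystemRoot\SysWOW64\wscript.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)
foreach ($exe in $scriptHosts) {
    if (-not (Test-Path $exe)) { continue }   # e.g. no SysWOW64 on 32-bit Windows
    New-NetFirewallRule -DisplayName "Block out: $exe" -Group $group `
        -Direction Outbound -Program $exe -Action Block -Profile Any | Out-Null
}

# 4. Verification: list the rules just created and confirm the default action.
Get-NetFirewallRule -Group $group |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked
```

Two caveats before running this on a machine you rely on: with the default outbound action set to Block, services hosted in svchost.exe (DNS Client, Windows Update, time sync) stop working unless the built-in allow rules for them are still enabled or you add your own, so check the pfirewall.log entries for the first day and whitelist deliberately rather than broadly; and the powershell.exe block also stops legitimate scripts that need the network, so run such administration from a separately allowed session if you have one. To undo the rules, `Remove-NetFirewallRule -Group $group` removes everything this script created in one step.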
     