Use Third Wall to protect your environment from Ransomware

Ransomware is out there lurking, looking for ways in, then burying itself so it can attack later - with devastating results.  Third Wall can help you make this a lot less scary.

How does ransomware get in?  Phishing, open protocols, piggybacking on macros, all sorts of ways.  Third Wall can help you close many of those entryways.  But what if it still gets in through some other opening?

Third Wall has three different policies you can (and should) use to stop ransomware.  

  • First, get early warning that it has buried itself using the Monitor Event Log Clearing policy.  Why?  Ransomware loves to bury itself so it can attack later, and always tries to cover its tracks.  The most common way for it to do that?  Clear the Event Log.  If it does that, this policy will send you a ticket - a very big red flag for you to investigate now.  

  • Second, when ransomware does finally launch, it usually launches from deep within the AppData folder.  By using the Disable EXE Running from %AppData% policy, you can stop that cold.  It will never launch.*

  • Third, if it still somehow launches, you can find out very quickly and have Third Wall automatically take mitigating actions as the attack is occurring, giving you a rapid-reaction capability you've never had before.  Just turn on the Monitor for Ransomware Attacks policy.  If an attack occurs, Third Wall will send you a ticket, and you can choose to Isolate that computer, run an AV Scan, and even protect your Shadow copies by disconnecting the infected computer from them - all virtually instantly upon detection.

So - the only question is why wouldn't you deploy this protection to every computer you have right now.  Great security, easy to use, low cost.  That's Third Wall.

*DETAILS on using Disable EXE Running from %AppData% policy

With the Disable EXE Running from %AppData% policy turned on, you will also likely prevent some legitimate programs from launching from AppData.  That's easy to manage - just go to the Automate Dashboard, select Config > Integration > Third Wall tab to globally whitelist those programs.  For further details, see our Operational Instructions.

To add to the Whitelist, you need to go to the Third Wall Integration screen, which will whitelist the EXE across your entire environment.  Open the Automate Dashboard, then select the Config > Integration > Third Wall tab.  On the right you will see the UI.  Simply click the Add button and go from there. 

A couple of important notes:

  • You cannot use wildcards when you specify the pathway; you must use the actual pathway.

  • To find out which EXEs are in AppData, and what their pathways are, type “%AppData%” into the File Explorer primary location window for any given computer.  Then type “*.exe” into the search window of File Explorer, and it will generate a list.  While we cannot guarantee that every computer will have the same exact pathway, that will be the expectation for most installations of these software packages. 
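The same inventory can be scripted. The PowerShell below is an added example, not part of Third Wall or its documentation: it lists every EXE under %AppData% with its literal path (the whitelist takes no wildcards), signature status and hash, de-duplicated, so each entry can be reviewed before it is whitelisted. The function name Get-AppDataExeInventory and the CSV file name are hypothetical.

```powershell
# Added example: inventory executables under %AppData% for whitelist review.
# Get-AppDataExeInventory is a hypothetical helper name, not a Third Wall command.
function Get-AppDataExeInventory {
    [CmdletBinding()]
    param(
        # Folder to scan; defaults to the current user's %AppData% folder.
        [string]$Root = $env:APPDATA
    )

    if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
        throw "Scan root not found: $Root"
    }
    $rootLength = $Root.TrimEnd('\').Length

    Get-ChildItem -LiteralPath $Root -Filter '*.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                # Literal path: the whitelist does not accept wildcards.
                Path        = $_.FullName
                # Same path written relative to %appdata%, as in the examples on this page.
                AppDataPath = '%appdata%' + $_.FullName.Substring($rootLength)
                SizeBytes   = $_.Length
                Modified    = $_.LastWriteTime
                # Signature status and signer help separate vendor binaries from unknowns.
                Signature   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Sort-Object -Property Path -Unique
}

# Write the review sheet to the current user's temp folder.
Get-AppDataExeInventory |
    Export-Csv -Path (Join-Path $env:TEMP 'appdata-exe-inventory.csv') -NoTypeInformation
```

Entries with an unsigned or unfamiliar signer deserve a closer look before their paths go on the whitelist.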

ConnectWise Manage will likely require multiple files to be whitelisted, and each user of Manage will have their own pathway.  Yours may vary, but here is an example of what you may see.  Notice the variables in angle brackets, which you must fill in with actual pathway information:

%appdata%\ConnectWise\cache\<server name>\<company id>\<user name>\controls\Converter32.exe
%appdata%\ConnectWise\cache\<server name>\<company id>\<user name>\controls\Converter64.exe
%appdata%\ConnectWise\cache\<server name>\<company id>\<user name>\controls\cef\connectwise.exe

With v2.5 and later, you also get a new AppData whitelisting capability for a Client, which gives you the ability to scan through ALL of the computers in a Client, bring back a de-duplicated list of executable files and import those you wish to whitelist.  This is easy to use and makes our protective policy all the more valuable.