This article documents the Triofox Ransomware policies and offers recommendations for settings based on best practices.
There are a number of Ransomware policies that may be modified using the Ransomware Protection Settings. This screenshot shows the Ransomware policies that are available in the Ransomware Protection Settings:
In most cases it is recommended to alter the Control Panel > Retention Policy such that files can be recovered if there is an issue.
Each Ransomware policy is described below with a recommended setting. The justification for each recommendation is also described below.
- Only allow the following processes to update files (empty: allow all, separate using semicolon (;), i.e. winword.exe;excel.exe): <empty>
This should typically be left empty, allowing any executable to update files in the Cloud Drive. If you only wish to allow certain executables to update files in the Cloud Drive, then define that list here.
- The following executables will not be allowed to open files directly from the cloud drive (i.e. qbw32.exe;excel.exe): cmd.exe;cscript.exe;wscript.exe;powershell.exe;python.exe;vsserv.exe
This should be set to include: cmd.exe;cscript.exe;wscript.exe;powershell.exe;python.exe
Executables in this list will be prevented from accessing files in the Cloud Drive. Because some malware spreads via scripts, including the most popular scripting engines in this list can go a long way toward preventing malware from spreading.
The vsserv.exe entry prevents the Bitdefender real-time scanning engine from accessing the Cloud Drive. Bitdefender should be prevented from scanning the Cloud Drive, else the user PC's client cache will fill up. More info: https://www.bitdefender.com/support/what-is-the-vsserv-exe-process-1116.html
- Disable a device if the device changes more than n files in 10 minutes: <some value after testing>
This setting should probably read: Disable a device if the device changes more than n files within a 10 minute window
The server maintains a counter for each client that counts the file changes made by that client over a 10-minute window. After the 10-minute window, the counter for each client is reset to zero. If a client exceeds the file change count defined in this setting within that 10-minute window, that client is disabled. Note that a client can be disabled in less than 10 minutes: it is disabled as soon as the value is exceeded, not at the end of the window. For example, suppose this value is set to 100 and a client changes 101 files in less than a minute within the 10-minute window; the client is then disabled in less than a minute. However, if this setting is 100 and a client changes 100 files in less than a minute and changes no additional files in the next 9 minutes, the client is not disabled.
It is difficult to recommend a specific number for this setting. This setting is extremely useful to prevent malware (especially ransomware) from spreading, but setting this number too low risks disabling legitimate access from a device. It is recommended that this value be set to prevent ransomware, but testing and monitoring of clients must be done to ensure that the number selected is not so low that it blocks legitimate access.
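The counting behaviour described above can be modelled offline to see how a candidate value of n would have treated observed activity. This is an added example, not Triofox code: the event format, the device names, and the assumption that windows are aligned to fixed 10-minute boundaries are constructed for illustration.

```python
from collections import defaultdict

WINDOW = 600  # seconds; the 10-minute window from the policy


def simulate(events, n, window=WINDOW):
    """Replay (timestamp_seconds, device) file-change events against the policy.

    Returns {device: timestamp at which it would have been disabled}.
    Assumption: windows are aligned to fixed multiples of `window` seconds.
    """
    current, count, disabled = {}, defaultdict(int), {}
    for ts, device in sorted(events):
        if device in disabled:
            continue  # a disabled device makes no further changes
        slot = ts // window
        if current.get(device) != slot:  # new window: counter resets to zero
            current[device], count[device] = slot, 0
        count[device] += 1
        if count[device] > n:  # disabled as soon as n is exceeded
            disabled[device] = ts
    return disabled


def peak_per_window(events, window=WINDOW):
    """Largest number of changes each device made in any single window."""
    per = defaultdict(lambda: defaultdict(int))
    for ts, device in events:
        per[device][ts // window] += 1
    return {device: max(slots.values()) for device, slots in per.items()}


# Constructed sample activity (not real logs); PC-A and PC-B make two changes per second.
EVENTS = (
    [(i // 2, "PC-A") for i in range(101)]      # 101 changes in under a minute
    + [(i // 2, "PC-B") for i in range(100)]    # exactly 100, then idle
    + [(30 * i, "PC-C") for i in range(120)]    # one autosave-style change every 30 s
)

if __name__ == "__main__":
    print("peak changes per window:", peak_per_window(EVENTS))
    for n in (19, 100):
        print(f"n={n}: would disable", simulate(EVENTS, n))
```

With n=100 only PC-A is disabled, 50 seconds in; with n=19 the steady autosave-style device PC-C is also disabled, which is the kind of false positive that testing is meant to catch.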
When the client is disabled by this policy the Triofox Windows Client is logged out and this message is displayed if the user attempts to sign in:
When a client is disabled it will be displayed in the Device Manager. Set the Status=Rejected then click the SEARCH button:
To re-enable the client, go to devices and click the Toggle switch on the top right of the device.
- Ignore the following processes when applying the above policy (i.e. qbw32.exe; excel.exe):<empty>
It is also difficult to make a recommendation for this setting, but this list could include executables that normally change files frequently. This should only be set for apps after testing. For example, the Microsoft Office apps have the ability to autosave on a regular basis. It is unlikely that these apps could trigger the "Disable a device if the device changes more than n files in 10 minutes" policy, but testing could show that it is necessary to exclude some executables that frequently change files.
- Disable uploading of files whose names contain the following text patterns: <empty>
- Disable uploading of files whose names start with the following strings: <empty>
- Disable uploading of files whose names end with the following strings: <empty>
The last three settings can be useful to prevent further spread of ransomware because ransomware often renames files with a fixed pattern (in order for the ransomware to later decrypt affected files). If the pattern is known, then one or more of these settings can be used to prevent affected files from being uploaded to the Cloud Drive.