TECHNICAL DOCUMENT
Reference Nr. 20151211/CI/2
Written by Costas Ioannou
Latest update 17/12/2015
F-SECURE CONFIGURATION BEST PRACTICE AGAINST ZERO-HOUR MALWARE
F-SECURE CLIENT SECURITY (CS)
F-SECURE SERVER SECURITY (SS)
F-SECURE E-MAIL AND SERVER SECURITY (ESS)
The following document is a best-practice configuration for making sure that you get the maximum protection level from the F-Secure solution against ransomware and zero-hour malware.
Many settings are proposed to be locked. This means that the end-user cannot change the setting at the user interface and thus cannot disable a protection setting.
F-secure Policy Manager Console can work in ‘Antivirus Mode’ and in ‘Advanced Mode’. Some of the settings can be configured only in ‘Advanced Mode’. We indicate which settings are configured in Antivirus mode and which can only be configured in Advanced Mode.
Under each configuration setting (or set of settings) you will find a brief explanation of what this setting accomplishes.
TABLE OF CONTENTS
Best Practice for F-secure Client Security and F-secure Server Security
Policy Manager Console Antivirus Mode
Policy Manager Console - Advanced Mode
Best Practice for F-secure E-mail and Server Security
E-mail traffic on Exchange
Administrator's web User Interface
Disclaimer
The information contained in this document is meant to help the reader in the combat against specific malware. Although utmost care has been taken for the correctness of the information, Inter Engineering does not accept any responsibility for the use, misuse or inability to use the information in this document. Due to the nature of the subject the information provided in this document is or will become incomplete over time. It is the sole responsibility of the reader to judge whether or not to use the information herein and to accept the consequences. If you disagree with this then you should not use this document.
The aim of this document
This document aims to provide the reader with a configuration guide on how F-Secure anti-malware software can contribute to protecting an organization against zero-hour malware.
BEST PRACTICE FOR F-SECURE CLIENT SECURITY AND F-SECURE SERVER SECURITY
Policy Manager Console Antivirus Mode
Automatic Updates
Automatic Updates > Enabled Automatic Updates = Checked & Locked
- end-user cannot disable automatic updates.
Status > Automatic Updates > Virus Definition Version (column)
- Check that latest updates are installed on all hosts
Real Time protection
Real-Time Scanning > Real Time scanning enabled = Checked & Locked
- end-user cannot disable real-time scanning
Real-Time Scanning > Custom Action on infection = Quarantine Automatically (Locked)
- infected files are not left on the hard drive by mistake
Zero-hour protection
Real-Time Scanning > Enable DeepGuard = Enabled and Locked
- zero-hour malware detection cannot be disabled by the end-user. Mandatory for ransomware protection.
Real-Time Scanning > Action on System Modification attempt = Automatic: Do not ask
Real-Time Scanning > Use server Queries to improve accuracy = Enabled and Locked
- additional method for zero-hour detection using cloud lookups. Mandatory for ransomware protection.
Real-Time Scanning > Use Advanced process monitoring = enabled and locked
- additional method for zero-hour detection. Mandatory for ransomware protection.
Email Scanning on Desktop
Email scanning on desktop is highly recommended especially if you don't have a gateway solution or F-secure on Microsoft-Exchange (ESS). Supports IMAP, POP3, SMTP scanning.
Email Scanning > Enable Incoming e-mail Scanning = enabled and locked
- Email scanning cannot be disabled by user
Email Scanning > Action on incoming infected attachments = Disinfect Attachment (Locked)
- Attempt to disinfect the infected attachment. Setting cannot be changed by the end-user
Email Scanning > Action on malformed message parts = Remove Message Part (Locked)
Email Scanning > Scan inside compressed attachments = Enabled and Locked
- Scan inside archives (zip, rar, etc.). Setting cannot be changed by the end-user
Web Traffic Scanning
Web Traffic scanning on desktop is highly recommended especially if you don't have a gateway/proxy solution protecting web-traffic.
Web Scanning > HTTP Scanning Enabled = Only Included Content Types (Locked)
- Web traffic scanning cannot be disabled by end-user.
Web Scanning > Action on infection = Block (Locked)
- User cannot bypass an infected item and download it.
Browsing Protection > Browsing Protection Enabled = Checked and Locked
- Browsing protection protects the browser from vulnerability exploits and blocks access to malicious URLs. Setting cannot be disabled by the end-user.
Browsing Protection > Allow users to continue to blocked pages = Disabled and Locked
- End-user cannot bypass the blocking of a malicious page.
Desktop Firewall
Firewall Security Levels > Enabled network quarantine = enabled and locked
- Network quarantine will block the host's access to the network if virus definitions are old or RTS is disabled.
Firewall Security Levels > Active network quarantine on host if real-time scanning is disabled = enabled and locked
- do not allow network access to the endpoint if real-time scanning is disabled (except for updating).
Application Control > Do not prompt for applications that DeepGuard has identified = enabled and locked
Application Control > Do not prompt for applications that are identified using the Real-time protection network = enabled and clear
Application Control > Do not prompt for applications identified by scan engines = enabled and clear
- Application Control does not allow unknown applications to connect to the network.
Web Traffic Scanning Advanced Protection
Web Traffic Scanning > Advanced Protection
- These settings can help you block Java, Flash, PDF, Silverlight, ActiveX, etc. content from web-sites. You can implement an aggressive policy where you block active content from pages by default and whitelist only the web-sites you need in order to work. Note that this approach demands more administration than normal, because you need to whitelist the sites that your users are visiting.
Policy Manager Console - Advanced Mode
F-secure Antivirus > Plug-ins > confirm that All plugins (Antimalware engines) are enabled
Real-time scanning
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions > Add Extensions Defined in Database = enabled + locked
- F-secure may include new extensions in the database as new threats arise.
Exclusions
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions > Excluded Objects Enabled = Disabled (locked)
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions > Excluded Objects >Disallow User Changes = enabled
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions > Excluded Processes Enabled = Disabled (locked)
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions > Excluded Processes = empty (locked)
- if you do need to enable exclusions, it is better to define the exclusions (objects, processes, paths) in PMC and keep them 'locked', so the end-user cannot add exclusions at the local UI.
E-mail Scanning on desktop level
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Incoming Email Scanning > Action on Disinfection Failure = Remove attachment (Locked)
- if disinfection of attachment fails, then remove the complete attachment.
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Common > Inclusions and Exclusions > Included Extensions > Check included extensions that have the default extensions to scan.
- Default extensions are: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT
VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ POT MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ANI BAT CMD DOC DOT JOB LSP MHT PHP PPT SWF WMA WMV WMF WRI XLS XLT CLASS DOCX DOCM DOTX DOTM DOCB XLSX XLSM XLTX XLTM XLSB XLAM PPTX PPTM POTX POTM PPAM PPSX PPSM SLDX SLDM PUB
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Common > Inclusions and Exclusions > Included Extensions for Compressed Files > check that they are the default
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Common > Inclusions and Exclusions > Add Extensions Defined in Database Updates = Enabled (locked)
- F-secure may automatically add extensions for scanning as new threats arise.
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Common > Inclusions and Exclusions > Excluded Extensions > Check for any 'dangerous' excluded extensions (see the list of included extensions above)
Automatic Updates
F-Secure Automatic Update Agent > Settings > Communications > Ask Before Download = no (Locked)
- prevent end-user from stopping downloads
Zero-hour Detection
F-Secure DeepGuard > Settings > Exploit protection = enabled (locked)
- protects browser from exploit attempts
F-Secure DeepGuard > Settings > Applications > Check for any 'suspicious'/'unknown' application that is allowed by DeepGuard to run
F-Secure Real-Time Protection Network Client > Participate in the Real-Time Protection Network = yes (Locked)
F-Secure Real-Time Protection Network Client > Client is enabled = Yes (Locked)
F-Secure Real-Time Protection Network Client > Excluded Domains (Check for any 'suspicious' domain)
- The Real-Time Protection Network is F-secure's cloud service and one of DeepGuard's methods for detecting zero-hour malware.
F-Secure Network Filter > Excluded Applications > check for any application that is not necessary to be included here.
BEST PRACTICE FOR F-SECURE E-MAIL AND SERVER SECURITY
E-MAIL TRAFFIC ON EXCHANGE
Administrator's web User Interface
Attachment Stripping
Transport Protection > Inbound Mail > Attachments > Strip attachments from Inbound e-mail messages = enabled
Transport Protection > Inbound Mail > Attachments > Strip these attachments = Disallowed Files
Transport Protection > Inbound Mail > Attachments > Action on disallowed attachments = Drop Attachment
Transport Protection > Inbound Mail > Attachments > Disallowed Files = *.bat,*.cmd,*.com,*.exe,*.hta,*.js,*.jse,*.pif,*.scr,*.shs,*.vbe,*.vbs,*.{*
Transport Protection > Inbound Mail > Attachments > Quarantine stripped attachments = enabled
- strip incoming dangerous attachments (executables and scripts)
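As an added example (not part of this document or of F-Secure's product code), the Python below evaluates attachment names against the 'Disallowed Files' pattern list given above, and shows why the content-based 'Intelligent File type recognition' setting further down matters: a renamed executable passes the name check but is caught by its PE header. The pattern list is the document's; the MZ-header check is an assumption about how content recognition might work, not F-Secure's implementation.

```python
import fnmatch
import re

# Pattern list copied from the "Disallowed Files" setting above.
DISALLOWED = "*.bat,*.cmd,*.com,*.exe,*.hta,*.js,*.jse,*.pif,*.scr,*.shs,*.vbe,*.vbs,*.{*"

# Magic bytes of a Windows PE executable (the "MZ" DOS stub); assumed content check.
PE_MAGIC = b"MZ"


def compile_patterns(csv):
    """Turn the comma-separated setting value into case-insensitive regexes."""
    return [re.compile(fnmatch.translate(p.strip()), re.IGNORECASE)
            for p in csv.split(",") if p.strip()]


PATTERNS = compile_patterns(DISALLOWED)


def name_is_disallowed(filename, patterns=PATTERNS):
    """True if the attachment name matches any disallowed pattern.
    '*.{*' also catches CLSID-style names such as 'folder.{...}'."""
    return any(p.match(filename) for p in patterns)


def content_looks_executable(data):
    """True if the attachment content starts with a PE header."""
    return data[:2] == PE_MAGIC


def verdict(filename, data):
    """Name-based stripping first, then the content-based check."""
    if name_is_disallowed(filename):
        return "drop: name matches disallowed pattern"
    if content_looks_executable(data):
        return "drop: PE header despite harmless extension"
    return "allow"
```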
Incoming Virus protection
Transport Protection > Inbound Mail > Viruses > Scan inbound e-mail messages for viruses = enabled
Transport Protection > Inbound Mail > Viruses > Heuristic scanning = enabled
Transport Protection > Inbound Mail > Viruses > Action on infected messages = drop attachment
Transport Protection > Inbound Mail > Viruses > Quarantine infected messages = enabled
Transport Protection > Inbound Mail > Grayware > Scan inbound e-mail messages for grayware = enabled
Transport Protection > Inbound Mail > Grayware > Action on Grayware = Drop attachment
Transport Protection > Inbound Mail > Grayware > Quarantine dropped grayware = enabled
Transport Protection > Inbound Mail > Archives > Scan archives = enabled
Transport Protection > Inbound Mail > Archives > List of files to scan inside archives = unsafe files
Transport Protection > Inbound Mail > Archives > Unsafe files = *.ACM, *.APP, *.ARJ, *.ASD, *.ASP, *.AX, *.BAT, *.BIN, *.BOO, *.BZ2, *.CAB, *.CHM, *.CMD, *.CNV, *.COM, *.CPL, *.CSC, *.DLL, *.DO?, *.DRV, *.EML, *.EXE, *.GZ, *.HLP, *.HTA, *.HTM, *.HTML, *.HTT, *.INF, *.INI, *.JS, *.JSE, *.LHA, *.LNK, *.LZH, *.MDB, *.MP?, *.MSG, *.MSO, *.OBD, *.OBT, *.OCX, *.OV?, *.P?T, *.PCI, *.PDF, *.PGM, *.PIF, *.PP?, *.PRC, *.PWZ, *.RAR, *.RTF, *.SCR, *.SHB, *.SHS, *.SYS, *.TAR, *.TD0, *.TGZ, *.TLB, *.TSP, *.TT6, *.VBE, *.VBS, *.VSD, *.VWP, *.VXD, *.WB?, *.WIZ, *.WML, *.WPC, *.WS?, *.XL?, *.XML, *.ZIP, *.ZL?, *.{*
Treatment of Archive files (zip, rar, etc.)
Transport Protection > Inbound Mail > Archives > Excluded these files = <blank>
Transport Protection > Inbound Mail > Archives > Limit max levels of nested archives to 3 / enabled
Transport Protection > Inbound Mail > Archives > Detect disallowed files inside archives = disallowed files / enabled
- enable this setting with caution as it can be resource intensive. On the other hand it will strip archives (zip, rar, etc.) which contain disallowed files (executables and scripts).
Transport Protection > Inbound Mail > Archives > Action on archive with disallowed files = drop archive
Transport Protection > Inbound Mail > Archives > Action on max nested archives = drop archive
Transport Protection > Inbound Mail > Archives > Action on password protected archives = drop archive
- beware that this setting will block password protected archives (zip, rar, etc.)
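Added example, not from this document or the product: a minimal Python inspector that applies the archive rules listed above (nesting limit of 3, disallowed files inside archives, password-protected archives, malformed archives) to in-memory zip files. The level counting (outer archive = level 1), the zip-only handling and the reduced pattern list are assumptions; the product itself also handles rar and other formats.

```python
import fnmatch
import io
import re
import zipfile

MAX_NESTING = 3  # "Limit max levels of nested archives to 3"; outer archive = level 1 (assumption)
# Subset of the document's "Disallowed Files" patterns, as case-insensitive regexes.
DISALLOWED = [re.compile(fnmatch.translate(p), re.IGNORECASE)
              for p in ("*.exe", "*.js", "*.vbs", "*.scr", "*.bat", "*.cmd", "*.{*")]


def inspect_archive(data, level=1):
    """Return 'pass' or 'drop archive: <reason>' for the zip bytes in data."""
    if level > MAX_NESTING:
        return "drop archive: max nested archives exceeded"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "drop archive: malformed"
    for info in zf.infolist():
        # General-purpose flag bit 0 marks an encrypted (password-protected) entry.
        if info.flag_bits & 0x1:
            return "drop archive: password protected"
        if any(p.match(info.filename) for p in DISALLOWED):
            return "drop archive: disallowed file " + info.filename
        if info.filename.lower().endswith(".zip"):
            inner = inspect_archive(zf.read(info.filename), level + 1)
            if inner != "pass":
                return inner
    return "pass"


def make_zip(entries, mark_encrypted=False):
    """Build an in-memory zip from {name: bytes} (constructed sample data).
    mark_encrypted sets the encryption flag in the central directory, because
    CPython's zipfile cannot write real password protection."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        if mark_encrypted:
            for info in zf.infolist():
                info.flag_bits |= 0x1
    return buf.getvalue()
```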
Transport Protection > Inbound Mail > Archives > Quarantine dropped archives = enabled
Miscellaneous Options
Transport Protection > Inbound Mail > Other > Intelligent File type recognition = enabled
- intelligent file type recognition recognizes file types based on their content and
not on their filename extension.
Transport Protection > Inbound Mail > Other > Limit max levels of nested message to 3 / enabled
Transport Protection > Inbound Mail > Other > Actions on mails with exceeding nesting levels = drop the whole message
Transport Protection > Inbound Mail > Other > Actions on malformed mails = drop the whole message
Transport Protection > Inbound Mail > Other > Quarantine problematic messages = enabled
Storage Protection Real-time scanning
Storage Protection > Real-time scanning > Viruses > Scan mailboxes = scan all mailboxes
Storage Protection > Real-time scanning > Viruses > Scan public folders = scan all public folders
Storage Protection > Real-time scanning > Viruses > Scan these attachments = unsafe files
Storage Protection > Real-time scanning > Viruses > Exclude these attachments = <blank>
Storage Protection > Real-time scanning > Viruses > Actions > Try to disinfect = disabled
Storage Protection > Real-time scanning > Viruses > Actions > Quarantine infected attachments = enabled
Policy Manager Console Advanced Mode
F-Secure Content Scanner Server > Settings > Virus Scanning > Scan Engines > All engines enabled
F-Secure Content Scanner Server > Settings > Virus Scanning > Action if Engine Malfunctions = Return Scan Error
F-Secure Content Scanner Server > Settings > Virus Scanning > Scan Inside Archives = Enabled
F-Secure Content Scanner Server > Settings > Virus Scanning > Suspect Max Nested Archives = Treat as Unsafe
F-Secure Content Scanner server > Settings > Virus Scanning > Suspect Password Protected Archives = Treat As Unsafe
F-Secure Content Scanner server > Settings > Virus Scanning > Scan extensions inside archives > check that they are the default extensions
- default extensions: ACM APP ARJ ASD ASP AX BAT BIN BOO BZ2 CAB CHM CMD CNV COM CPL CSC DLL DO? DRV EML EXE GZ HLP HTA HTM HTML HTT INF INI JS JSE LHA LNK LZH MDB MP? MSG MSO OBD OBT OCX OV? P?T PCI PDF PGM PIF PP? PRC PWZ RAR RTF SCR SHB SHS SYS TAR TD0 TGZ TLB TSP TT6 VBE VBS VSD VWP VXD WB? WIZ WML WPC WS? XL? XML ZIP ZL? {*
F-Secure Content Scanner server > Settings > Virus Scanning > Extensions Allowed in Password Protected Archives = <empty>