This FAQ applies to:
- Clavister cOS Core and Stream
Can Clavister Firewalls protect users against WannaCry?
There are three ways Clavister can protect against the 'WannaCry' ransomware:
- Anti-Virus
Anti-Virus scanning can be applied to any protocol that supports it (HTTP, FTP, POP3, SMTP, IMAP). We have several signatures that have already been successful at identifying and blocking this ransomware.
To use these signatures, make sure that your Anti-Virus database is up to date and that Anti-Virus scanning is enabled in the firewall, either through the ALG or through an Anti-Virus profile.
- Intrusion Detection and Prevention
IDP (Intrusion Detection and Prevention) signatures can also be used to prevent WannaCry from getting into networks protected by a Clavister Firewall. The IDP signatures are split into two groups:
IPS->Malware->Commcontrol for the WannaCry specific signatures
IPS->Malware-Campaign for the EternalBlue Exploit signatures.
EternalBlue is the Windows MS17-010 exploit that WannaCry uses to spread once inside a network.
- Endpoint Security Client
Clavister ESC (Endpoint Security Client) protects against WannaCry without requiring any specific update. It does so through its zero-day attack prevention capabilities (behavior analysis instead of signatures).
- Disconnect infected computers
Disconnect infected computers to avoid further damage to your network and data.
- Patch and upgrade
See the Microsoft patch reference for the MS17-010 exploit known as EternalBlue.
- Disable the Server Message Block (SMB) service
If no patch is available for your computers, disable the SMB service to keep the malware from spreading any further.
- Back up your data on offline hard drives.
The malware encrypts files on external drives such as USB drives, as well as on any network or cloud file stores.
- Do not block URL KILLSWITCH
Make sure that access to the following killswitch URL is not blocked:
http://www.iuqerfsodp9ifjaposdfjhgosuri ... rgwea.com/
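
One way to check and apply the "disable SMB" step above on a Windows host, as an added example that is not Clavister's or Microsoft's own code. It narrows the step to the SMBv1 server, the protocol version that MS17-010 affects, and assumes Windows 8 / Server 2012 or later and an elevated prompt; the `-Remediate` switch and the `Get-Smb1Exposure` function are names made up for this example.

```powershell
# Added example: audit (and optionally disable) the SMBv1 server on a Windows host.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
[CmdletBinding()]
param(
    # Hypothetical switch for this example: apply the change instead of only reporting.
    [switch]$Remediate
)

function Get-Smb1Exposure {
    $cfg = Get-SmbServerConfiguration
    # Listening sockets on TCP 445 show whether the SMB server is reachable at all.
    $listeners = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Smb1Enabled   = [bool]$cfg.EnableSMB1Protocol
        Smb2Enabled   = [bool]$cfg.EnableSMB2Protocol
        Port445Listen = ($listeners.Count -gt 0)
        ListenAddress = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
    }
}

$before = Get-Smb1Exposure
$before | Format-List

if ($before.Smb1Enabled -and $Remediate) {
    # Turns off SMBv1 on the server side only; SMBv2/v3 file sharing keeps working.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Report the state again so the change is visible in the run log.
    Get-Smb1Exposure | Format-List
}
elseif ($before.Smb1Enabled) {
    Write-Warning 'SMBv1 server is enabled. Re-run with -Remediate to disable it.'
}
else {
    Write-Output 'SMBv1 server is already disabled.'
}
```

Run it without arguments first to record the current state of each host, then with `-Remediate` on hosts that cannot be patched.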