Protecting against WannaCry

Frequently Asked Questions

Post by Ersu » 15 May 2017, 11:39

(Work in progress)

This FAQ applies to:
  • Clavister cOS Core and Stream
Can Clavister Firewalls protect users against WannaCry?

There are three ways Clavister can protect against the 'WannaCry' ransomware:
  • Anti-Virus
    Anti-Virus can be used with any protocol that supports anti-virus scanning (HTTP, FTP, POP3, SMTP, IMAP). We have several signatures that have already been successful at identifying and blocking this ransomware.
    To use these signatures, make sure that your Anti-Virus database is up to date and that Anti-Virus is enabled in the firewall, either through the ALG or through an Anti-Virus profile.
  • Intrusion Detection and Prevention
    IDP (Intrusion Detection and Prevention) signatures can also be used to prevent WannaCry from getting into networks protected by a Clavister Firewall. The IDP signatures are split into two groups:
    IPS->Malware->Commcontrol for the WannaCry-specific signatures
    IPS->Malware-Campaign for the EternalBlue exploit signatures
    EternalBlue is the Windows MS17-010 exploit that WannaCry uses to spread once inside a network.
  • Endpoint Security Client
    Clavister ESC (Endpoint Security Client) protects against WannaCry without requiring any specific update. ESC protects against this malware using its zero-day attack prevention capabilities (behavior analysis instead of signatures).
General tips to protect against WannaCry
  • Disconnect infected computers
    Disconnect infected computers to avoid further damage to your network and data.
  • Patch and upgrade
    See the Microsoft patch reference for the MS17-010 exploit known as EternalBlue.
  • Disable the Server Message Block (SMB) service
    If your computers do not have an available patch, disable the SMB service to avoid spreading the malware any further.
  • Back up your data on offline hard drives.
    The malware encrypts files on external drives such as USB drives, as well as on any network or cloud file stores.
  • Do not block the killswitch URL
    Make sure that access to the following killswitch URL is not blocked:
    http://www.iuqerfsodp9ifjaposdfjhgosuri ...
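
One way to carry out the "Disable the SMB service" tip on hosts that cannot be patched yet, as an added example that is not part of the original FAQ or a Clavister tool. It assumes the protocol to turn off is SMBv1 (the version MS17-010 affects), a host running Windows 8 / Server 2012 or later, and an elevated PowerShell prompt; the function name `Get-Smb1Status` and the `-Remediate` switch are hypothetical names chosen for this example.

```powershell
# Added example: audit SMBv1 on the local host and, with -Remediate, disable it.
# Assumption: "disable SMB" is applied to SMBv1, the version MS17-010 affects.
# Requires an elevated prompt on Windows 8 / Server 2012 or later.
param([switch]$Remediate)

function Get-Smb1Status {
    # Server-side SMB configuration (is this host accepting SMBv1 connections?)
    $server = Get-SmbServerConfiguration

    # Optional-feature state; may be absent on builds where SMBv1 was removed
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { [string]$feature.State } else { 'NotPresent' }
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($Remediate) {
    if ($status.Smb1ServerEnabled) {
        # Stop the SMB server from negotiating SMBv1; takes effect without a reboot
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($status.Smb1FeatureState -eq 'Enabled') {
        # Remove the SMBv1 client/server feature; completes at the next restart
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
            Out-Null
    }
    # Show the state after remediation so the change can be confirmed
    Get-Smb1Status | Format-List
}
```

Run it without arguments first to see which hosts still accept SMBv1, then with `-Remediate` on those that cannot receive the MS17-010 patch.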
