Ransomware

IBSIT
Good day,

Is there a device or any technology that prevents users from opening emails with ransomware and infecting the network shares?

I believe tiers of protection help to minimize it, but there is nothing concrete to stop it.

regards,
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
I do not know of any artificial intelligence program that will screen out ransomware.

Two solutions:  

1. Top notch Spam Filters - this does most of the heavy lifting.
2. User training - do not open strange emails.
Gregory Miller, General Manager
Commented:
Additionally... Host your email with a vendor who also has very good filter processes like Microsoft or Google or others similar.
Commented:
I have folder permissions to quarantine in the event of infections (of course this is dependent on user rights), Internet content filtering, spam filtering through SW device, AV, and update servers with latest updates. Some of my clients' mail is hosted, and there I don't have control of spam filtering.
Commented:
There are a number of AI-based filtering software packages but, as John stated, I don't know of any that are smart enough to catch all of them. The best thing you can do is train your people not to open things that look suspicious. Even that, though, becomes an issue. We've run into customers in the past that received ransomware from emails disguised as their contacts, or outright from contacts that have been infected. Defensive browsing is always the best option for protection, but like all options, none are perfect. There's always potential for something to slip through. The best we can do currently is make that percentage chance smaller.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You need to determine what you can do about spam filtering. This is the prime defense and I prefer that to user training (which is, of course, necessary). But just not even seeing the emails is the best way.

Ask how you can get control of spam filtering. Change email services if you have to.
Jane Updegraff, Sr. Systems Administrator
Commented:
We use Proofpoint as our first line of defense. Links and attachments are scanned and stopped before they ever reach our mail server. Then, even when the message makes it through, all links are redirected to a Proofpoint server where the link is opened in a sandbox and reported as safe or not. That way our users cannot make a mistake by opening or clicking in most cases. But no system is foolproof ... and that's because users can really be foolish (in my experience). That's the kind of filtering John is talking about.
Commented:
At my previous job we used a service called AppRiver. They handled all of the spam filtering offsite and went so far as to blacklist out things we sent them via request. Granted, my former employer was a little too strict on the issue and only allowed whitelist sources to come through. It made correspondence very tedious. I don't suggest going quite that overboard with it.
Distinguished Expert 2018
Commented:
"Is there a device or any technology that prevents users from opening emails with ransomware and infecting the network shares?"
You can add layers of protection, but there's nothing that's 100% foolproof. Ideally, you have an external email filter in addition to your Sonicwall. Once you're beyond those, endpoint protection products are supposed to handle much of the work.

I've used AppRiver in the past, and they're pretty much like any other service (I used them when working for a MSP). I had no major issue with the filtering itself, especially since we had it set up to send users digests of whatever got caught (remember, no product is perfect). User training, along with a way to report suspicious email, is going to give you one of the biggest returns. That's going to give you information that helps improve the automated aspects.
Commented:
@msnrock We had precisely the same scenario. AppRiver was great, we just had a bit too overly cautious management.

@OP You have to remember with any filtering, too much can be a detriment to your organization. The biggest question you have to ask yourself in that situation is this: What constitutes too much? Generally you want to aim for the best protection with the least hindrance. It's a hard line to achieve and again, no particular service/product will be perfect in that area. It all boils down to the solution that's right for your organization. Ultimately it will be up to your IT department to decide which service provides what they want with the least overall negative footprint.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I use the strongest filtering, look at my quarantine and whitelist what I need to. Better safe than sorry even if it hinders some people.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
You have to remember that the bad guys WANT you to be infected, so with ANYTHING you use to stop them you can feel CONFIDENT the bad guys are actively trying to find ways around it. And even one slipping through can make them thousand$. Tiered is the only approach. And while filtering the email is a must, so is web filtering. Any way you can get infected is a way you can be hit with ransomware, so focusing JUST on email is foolish.
Distinguished Expert 2018
Commented:
"Is there a device or any technology that prevents users from opening emails with ransomware and infecting the network shares?" - yes.
Application whitelisting will only allow known, defined code to run. Windows XP already knows this technology (called "software restriction policies"). On enterprise editions, its successor is usable under the name "AppLocker".

In Win10 1709, which will be out next month, there is even a new anti-ransomware technology that relies on this whitelisting principle. Read https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/ - it's called "controlled folder access".
btan, Exec Consultant
Distinguished Expert 2018
Commented:
If the emails get into the user's inbox, nothing will stop users from clicking the links or attachments. There may still be spam coming in despite best-effort checks in email exchanges. The user is your human firewall. You can consider having SPF and DKIM support in the email exchange to reduce the spoofed email counts.

As the expert suggested, application whitelisting is definitely a must-have. And consider an anti-ransomware suite like Malwarebytes Anti-Ransomware; HIPS may have its own add-on detecting this threat. In fact, we try to reduce or disable use of SMB and RDP to mitigate mass infection spread. The concern is the common shares in use, which we also try to restrict and clean up regularly, though it is tedious, and we are migrating away from file shares.
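
As an added illustration of the SPF and DKIM suggestion above (not part of any poster's comment and not any vendor's code): a gateway-side check that reads the `Authentication-Results` header and quarantines mail whose visible From domain is not backed by an aligned SPF or DKIM pass. The authserv-id `mx.example.net`, the domains and the sample messages are constructed, and the alignment test is a simplified assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of your own gateway

def auth_results(msg):
    """Return [(method, result, domain)] from headers stamped by our gateway only."""
    found = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can add its own header; ignore foreign ones
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
            if not m:
                continue
            prop = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", clause)
            domain = prop.group(1).rpartition("@")[2].lower() if prop else ""
            found.append((m.group(1), m.group(2).lower(), domain))
    return found

def aligned(domain, from_domain):
    # Simplified alignment: exact match or a subdomain of the visible From domain.
    return domain == from_domain or domain.endswith("." + from_domain)

def verdict(raw):
    """'accept' only if SPF or DKIM passed for a domain aligned with From."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ok = any(result == "pass" and from_domain and aligned(domain, from_domain)
             for _, result, domain in auth_results(msg))
    return "accept" if ok else "quarantine"

def _msg(auth, sender="Alice <alice@partner.example>"):
    # Builds a constructed sample message with the given header value.
    return (f"Authentication-Results: {auth}\nFrom: {sender}\n"
            "Subject: Invoice\n\nSee attached.\n")

SAMPLES = {
    "genuine": _msg("mx.example.net; spf=pass smtp.mailfrom=partner.example;"
                    " dkim=pass header.d=partner.example"),
    "spoofed": _msg("mx.example.net; spf=fail smtp.mailfrom=partner.example; dkim=none"),
    "unaligned": _msg("mx.example.net; spf=pass smtp.mailfrom=bulk.example;"
                      " dkim=pass header.d=bulk.example"),
    "forged_header": _msg("mail.bulk.example; spf=pass smtp.mailfrom=partner.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {verdict(raw)}")
```

Mail sent from a contact's genuinely infected mailbox looks like the `genuine` sample and is accepted, which is why the thread pairs sender authentication with content filtering and application whitelisting.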

Author

Commented:
I thank you all for your contributions.

regards,
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You are very welcome and I was happy to help.
