This topic describes how EPM provides protection against ransomware, a malicious software designed to block access to a computer system until a sum of money is paid.
| This policy can only be applied to Windows endpoints. |
Overview
The EPM uses the Protect against ransomware policy to detect and/or restrict unauthorized access to sensitive files by unhandled applications. You can handle these applications based on events in the Events Management page. In Detect mode, this policy does not restrict unauthorized access and does not prevent ransomware attacks, although in Restrict mode, this policy prevents ransomware attacks. This policy does not block or elevate unhandled applications in either mode.
| This policy is also applied to computers and users targeted by the following commonly used Privilege Management policies:
|
Before activating ransomware policies
EPM automatically creates two application groups to streamline application management for the Protect against Ransomware policy. Before activating ransomware policy protection, make sure the relevant applications are included in these groups.
| Application group | Description |
|---|---|
| Microsoft Windows Programs (Default Policies) | A group of applications that is automatically included and managed by the Protect against Ransomware policy. |
| Authorized Applications (Ransomware protection) | A group of applications that is automatically excluded from the Protect against Ransomware policy. |
To add applications to these groups
-
In Policies > Application Groups , select one of the above application groups.
-
Click More actions (...) and select Edit to display the application group wizard.
-
Under Scope, add any executables to include in or exclude from the Protect against ransomware policy, and click Save.
For more details about application groups, see Application groups.
Activate the default policy
You can activate this policy in the Default policies page, in a single click.
-
In the Default Policies page, under Privilege Management > Protect against ransomware, click one of the following options to set the policy mode:
Policy setting
Description
Detect
Detect unauthorized access to sensitive files by unhandled applications.
This mode does not restrict unauthorized access and does not prevent ransomware attacks.
Restrict
Restrict unauthorized access to sensitive files by unhandled applications.
This mode does not block or elevate unhandled applications, but it does prevent ransomware attacks.
-
Click Yes to activate the policy with default settings.
Customize and activate the policy
-
In the Default Policies page, under Privilege Management > Protect against ransomware, click Detect or Restrict, then click Edit policy settings.
-
Define the policy action.
-
In Options, add filenames or locations to determine where the policy will be applied. Specify a local filename/location or wildcard matching pattern.
-
In Scope, select Include controlled Windows OS programs to apply this policy to the predefined list of controlled Windows OS programs.
To manage this group of applications, open Policies > Application Groups > Pre-defined Groups > Microsoft Windows Programs. This group is shared by multiple default Privilege Management policies.
-
In Targets, select the target machines for the policy:
Target machines
Description
Machines where this policy is applied
This includes machines in this set, ADcomputer security groups, and users and user groups.
Machines excluded from this policy
This includes machines in this set and ADcomputer security groups.
When applied to target machines, this policy merges with the Detect privileged unhandled applications policy.
-
In Options, add filenames or locations where the policy will be applied. Specify a local filename/location or wildcard matching pattern.
The policy also restricts access to network shares.
To send a notification when an unauthorized access attempt happens, select the type of notification and the message that will be displayed.
-
In Scope, select Include controlled Windows OS programs to apply this policy to the predefined list of controlled Windows OS programs.
To manage this group of applications, open Policies > Application Groups > Pre-defined Groups > Microsoft Windows Programs. This group is shared by multiple default Privilege Management policies.
-
In Targets, select the target machines for the policy:
Target machines
Description
Machines where this policy is applied
This includes machines in this set, ADcomputer security groups, and users and user groups.
Machines excluded from this policy
This includes machines in this set and ADcomputer security groups.
When applied to target machines, this policy merges with the Detect privileged unhandled applications policy.
-
In Extensions, select Extend policy to disable changes to the Windows registry keys to prevent users and applications from changing values for these registry keys, then click Add registry key to specify a registry key path.
To enable users to change a protected registry key value, deactivate this policy extension.
-
-
Click Save to set this policy and activate it immediately.
