Threat Detection and Response Host Sensors for Windows include Host Ransomware Prevention (HRP), which can identify and quarantine files and stop processes with malicious behavior that is characteristic of ransomware. The addition of machine learning to HRP results in faster detection rates.
You can enable Host Ransomware Prevention in one of two modes:
- Detect — Host Sensors find processes and files with characteristics of ransomware and send reports about them to your Threat Detection and Response account for manual intervention.
- Prevent — Host Sensors detect, automatically end processes, and place files with characteristics of ransomware in quarantine before the ransomware encrypts files. Host Sensors send reports about this activity to your Threat Detection and Response account as an indicator that is already mitigated. If the Host Sensor cannot successfully complete the HRP Prevent action, this information is also sent to your TDR account for manual intervention.
Analysts can configure Host Ransomware Prevention mode in Configure > Threat Detection > Settings in WatchGuard Cloud. When enabled in either Prevent or Detect mode, the Host Sensor creates hidden decoy folders and files on the endpoint. If the user deletes the hidden files, the Host Sensor automatically creates them again the next time it starts.
HRP Actions and Threat Scores
When HRP is configured in Prevent mode, the Host Sensor attempts to take immediate action to kill and quarantine ransomware before it can execute and encrypt files. This action occurs immediately, even if the Host Sensor cannot connect to your TDR account or the Internet.
The next time the Host Sensor connects to your TDR account, it sends a report of the HRP event and information about any actions it took. ThreatSync creates an indicator for the HRP event and assigns a Threat Score.
In Prevent mode:
- If the Host Sensor remediation action succeeded, the HRP incident is assigned a Threat Score of 1 (Remediated)
- If the Host Sensor remediation action failed, the HRP incident is assigned a Threat Score of 10 (Critical)
In Detect mode, all HRP incidents are assigned a Threat Score of 7 (High).
The information in the HRP chart is a visual representation of the behavior summary of the HRP indicator. The Host Ransomware Prevention Chart shows the processes spawned and the behaviors triggered during the attack on your network prior to being killed as an interactive flow chart. You can export the chart as an image.
The chart opens in a compact format. You have several options to progressively display additional information:
- Click the + in a process node to see the behaviors related to the process.
- Hover over a process or behavior to see the details.
- Click on a behavior or process node to highlight related behaviors and processes.
Because ransomware can create multiple processes, an HRP indicator can include actions to kill multiple processes or quarantine multiple files related to the detected threat. You can view information about HRP indicators from the Monitor > Threatsync > Indicators page or, if the indicator has been remediated, the Monitor > Threatsync > Remediations page.
To filter the list to show only HRP indicators:
- Select ThreatSync > Indicators.
- Click to clear all filters.
- At the top of the Indicator column, select Host Ransomware Prevention.
If an HRP indicator is remediated, the threat score is 1 on the Indicators page. This threat score is not selected in the default Score filter. To see only remediated HRP indicators, see the Threatsync > Remediations page.
To see a detailed list of all actions and files related to an HRP indicator:
- In the Indicator column for an HRP indicator, click Additional Info.
The Additional Host Ransomware Prevention information dialog box opens.
- In the Threat Details section, click Details.
The Behavior summary dialog box opens, with a list of actions taken for all files related to the indicator.
- To see a complete list of actions for the indicator, click the here link at the bottom of the list.
The Action Log for this indicator opens.
- For a visual flow chart of the behavior summary, in the Threat Details section, click Chart.
The Host Ransomware Prevention Chart View appears in a compact format with only the processes shown.
For more information about the Indicators page, see Manage TDR Indicators.
For more information about the Remediations page, see Monitor TDR Remediations.
HRP Actions and Quarantined Files
The Host Sensor can quarantine one or more files as part of an HRP action. You can see the Quarantine File actions in the details for the HRP indicator, as described in the previous section.
To remove files related to an HRP indicator from quarantine, execute the Unquarantine HRP action for the indicator. For more information, see Remove a File from Quarantine.
HRP Actions and the Allowlist
To prevent ransomware, the Host Sensor takes immediate action to kill the process, even before it sends the MD5 to TDR for analysis. This means that if you add the MD5 of a file to the Allowlist, the Host Sensor can still kill the process if it is detected as ransomware.
If you want the Host Sensor to ignore a file, even if it has the characteristics of ransomware, you can add an Exclusion for the directory location. The Host Sensor gets the exclusion list when it starts up, and when the exclusion list is updated. For more information, see Configure TDR Exclusions.