Catching actual noPetya (or similar) actions with IPS possible?

Hello there,

Is it possible to catch actions from actual ransomware like noPetya with IPS between subnets?

Example: Clients in one subnet, servers in another one. One client is infected by noPetya, which starts encrypting files on a file-share (server-subnet).

That's a normal file access via TCP 445 (CIFS/SMB). Is this behaviour (IP/frame pattern) detectable via IPS/Snort, or does it just see a normal file access from a client?

If not, how can I prevent access from infected clients where the on-access scanner (Sophos Endpoint) cannot see/recognize the infection due to missing pattern files (0-day)?

Thx,

Manuel



  • Hi Manuel,

    This is the first I've heard of this here.  V9 IPS Rules is the current list that might give you an answer.  Please share what you find.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA