Administration Guides

Banned and Allowed File Type Configuration


How to view a security event with a Threat Detector 7 Banned File detection

Ransomware Defender has a dynamic list of 2000 or more known file extensions that are associated with ransomware. This list is updated and imported from the Internet when the file is changed. Some environments use files whose extensions are on the banned extension list, and these may show up as a detection flagged as Threat Detector 7. You can view the detection type from the Active Events window by clicking the Threat detectors column. When a file on the banned file extension list is detected, you may need to allow this file type in your environment by adding it to the whitelist. Follow the steps below to view which file type was matched to the banned file list.

  1. Log in to Eyeglass and open the Ransomware Defender icon
  2. Click Active Events
  3. Click on the Threat detectors column of the active event you want to check.
  4. If you see Threat Detector 7 listed, continue below to identify which extension was found on the detection.
  5. Click the actions menu
  6. Scroll to the bottom of the event history, then scroll up to locate the matching file type rule that tripped the Threat Detector 7 banned file extension detection. See the screenshot example below.

    1. In this example the match was a file with an extension of .locky. This is not an extension that should ever be whitelisted; it is used as an example only.
  7. If the file extension is a legitimate file type used in your environment, you will need to add this file type to the allowed extensions list.
  8. See the next section to view the files on the allowed list.

How to add Custom File extensions

  1. NOTE: Extensions added to this list are anonymously merged into the Superna Defender crowd-sourced list that will be published from all Defender deployments worldwide. Allowing a versioned extension list allows customers to import extensions published from other deployments. This crowd-sourcing function improves the protection available to all customers.
  2. Open the Ransomware Defender icon, then Settings --> File Filters tab.
  3. Click the add filter button to enter a custom file extension. Enter the extension in the form *.xxx and set the mode to Enabled (lockout), Disabled (no detection or lockout) or Monitor (detect, snapshot, no lockout). Click Add.

How to Manage Banned File Extensions with Enforcement Modes

  1. New in 2.5.7: the ability to search the banned file list and set the mode on each extension to enabled, disabled or monitor mode.
  2. Modes: Enabled (lockout), Disabled (no detection or lockout) or Monitor (detect, snapshot, no lockout).
  3. Filter based on built-in extensions, custom extensions, or both.
  4. Filter file extensions by state using the filter box, or filter based on built-in extensions or custom extensions.
  5. Search for an extension by typing letters of the extension, set the mode, and then click the save button. NOTE: Changes will take effect immediately.
  6. Search for an extension, for example locky, to find it easily.
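
Because mode changes take effect immediately, it helps to know which files a filter touches before saving it. The following is an added example, not part of the Superna documentation or product: it matches a file listing against filter entries in the *.xxx form and tallies the outcome each mode implies. The filter list, the file paths, the case-insensitive matching and the function names are assumptions constructed for illustration.

```python
import fnmatch
from collections import Counter

# Outcome each mode implies, taken from the mode descriptions above.
MODE_ACTION = {
    "enabled": "lockout",
    "monitor": "detect+snapshot",
    "disabled": "none",
}

# Constructed filter list in the *.xxx form; not exported from the product.
FILTERS = [
    ("*.locky", "enabled"),
    ("*.encrypted", "monitor"),
    ("*.bak", "disabled"),
]

# Constructed file paths standing in for a listing of a share.
SAMPLE_PATHS = [
    "/share/finance/q3.xlsx",
    "/share/finance/q3.xlsx.LOCKY",
    "/share/app/cache/session.encrypted",
    "/share/app/db/nightly.bak",
    "/share/home/ann/notes.locky.txt",
]


def classify(path, filters=FILTERS):
    """Return (pattern, mode, action) for the first filter matching the file name, else None."""
    name = path.rsplit("/", 1)[-1].lower()
    for pattern, mode in filters:
        # Lower-case both sides so the match is case-insensitive (an assumption).
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return pattern, mode, MODE_ACTION[mode]
    return None


def audit(paths, filters=FILTERS):
    """Count, per (pattern, action), how many files each filter would match."""
    hits = Counter()
    for p in paths:
        match = classify(p, filters)
        if match:
            hits[(match[0], match[2])] += 1
    return hits


if __name__ == "__main__":
    for (pattern, action), n in sorted(audit(SAMPLE_PATHS).items()):
        print(f"{pattern:14} {action:16} {n} file(s)")
```

Files counted under "none" are matches for a disabled filter: they exist on the share but would produce no detection, which is the set to review before leaving an extension disabled.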

© Superna Inc