Banned and Allowed File Type Configuration

How to view a security event with a Threat Detector 7 Banned File detection

Ransomware Defender maintains a dynamic list of 2000 or more file extensions known to be associated with ransomware. The list is downloaded from the Internet and re-imported whenever the published file changes. Some environments legitimately use extensions that appear on the banned list, and files with those extensions will show up as detections flagged as Threat Detector 7. The detector type is visible in the Active Events window by clicking the Threat Detectors column. When a file on the banned extension list is detected, you may need to allow that file type in your environment by adding it to the whitelist. Follow the steps below to identify which file type matched the banned list.


  1. Log in to Eyeglass and open the Ransomware Defender icon.
  2. Click Active Events.
  3. Click the Threat Detectors column of the active event you want to check.
  4. If Threat Detector 7 is listed, continue below to identify which extension triggered the detection.
  5. Click the Actions menu.
  6. Scroll to the bottom of the event history, then scroll up to locate the file type rule that tripped the Threat Detector 7 banned file extension detection. See the screenshot example below.
    1. In this example the match was a file with the extension .locky. This extension should never be whitelisted; it is used here only as an example.
  7. If the file extension is a legitimate file type used in your environment, add it to the allowed extensions list:
    1. Release 2.5.7 or later: flag the event as a false positive. This places the extension in the File Filters list with a status of Disabled.
    2. Release earlier than 2.5.7: igls rsw allowedfiles add --extensions='*.ext1' (replace .ext1 with the extension found in the Action history).
  8. See the next section to view the files on the allowed list.

How to View Allowed File Types (< 2.5.7)

  1. Click the Allowed Extensions tab under Settings.
  2. This shows every extension whitelisted from the CLI or by flagging an event as a false positive.
    1. Ransomware Defender manages a well-known list of ransomware extensions, and this list can sometimes conflict with file types used within your environment. The CLI commands place extensions on the allow list, and the result can be viewed in the GUI.

How to view files on the Allowed Extensions list (< 2.5.7)

This tab shows extensions that have been removed from the banned files master list, either with the CLI commands or with the flag as false positive option (release 2.5.7 or later). Entries on the allow list can also be removed by deleting them from the table.

  1. Open Ransomware Defender, Settings, Allowed Extensions.
  2. View the extensions on the allowed list. Files with these extensions will not trip a detector when processed for users, even though the extensions appear on the well-known master list of banned extensions. This is the override that lets you customize the list for your environment.
  3. The Delete button removes the extension from the list; once deleted, the extension is processed as a banned file again. The change takes effect immediately for any new events processed.


How to Ignore a File Extension using the Ignore Whitelist (< 2.5.7)

This option uses the path-based whitelist to exclude a file type from processing anywhere in the file system.

  1. Open the Ransomware Defender icon and click the Ignored List tab under Settings.
  2. A path-based entry is used. Click the plus sign and select a cluster from the list.
  3. Enter a path using the information below, then click Submit to save.
  4. To whitelist a file type with extension .tmp, enter /ifs/**/*.tmp
    1. This whitelists any .tmp file anywhere in the file system. Because ignored files are removed from processing entirely, no detector will fire on them; prefer the narrowest path that covers the legitimate use (for example a specific application directory rather than /ifs/**) when your workflow allows it.


How to Add Custom File Extensions (2.5.7 or greater)

  1. Open the Ransomware Defender icon and go to Settings --> File Filters tab.
  2. Click the Add Filter button to enter a custom file extension. Enter the extension as *.xxx and set the mode to Enabled (lockout), Disabled (no detection or lockout) or Monitor (detect, snapshot, no lockout). Click Add.


How to Manage Banned File Extensions with Enforcement Modes (2.5.7 or greater)

  1. New in 2.5.7: the banned file list can be searched and the mode of each extension set to Enabled, Disabled or Monitor.
  2. Modes: Enabled (lockout), Disabled (no detection or lockout) or Monitor (detect, snapshot, no lockout).
  3. Filter the list by builtin extensions, custom extensions, or both.
  4. Filter extensions by state using the filter box, or by builtin versus custom extensions.
  5. Search for an extension by typing part of its name, set the mode, and then click the Save button. NOTE: changes take effect immediately.
  6. For example, search for locky to find that extension quickly.
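The following is an added worked example, not Superna's code, that models how the three controls described on this page interact when a file path is evaluated: the builtin banned list with per-extension modes (Enabled, Disabled, Monitor), admin-added custom File Filters, and the path-based Ignored List such as /ifs/**/*.tmp. The Policy and Mode types, the function names, the glob semantics for ** versus *, the order of precedence (Ignored List first, custom filter over builtin, builtin last), case-insensitive extension matching, and the sample banned list entries are all assumptions made for this illustration; the real product's list has 2000 or more entries and its precedence rules are not stated on this page.

```python
"""Model of Ransomware Defender file-extension policy evaluation (illustrative, not Superna's code)."""
import posixpath
import re
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    """Enforcement modes as named in the File Filters UI."""
    ENABLED = "enabled"    # detect, snapshot and lock out the user
    MONITOR = "monitor"    # detect and snapshot, no lockout
    DISABLED = "disabled"  # no detection, no lockout


@dataclass
class Policy:
    """Assumed data model: extension keys use the UI's '*.xxx' form."""
    builtin: dict = field(default_factory=dict)   # well-known banned list
    custom: dict = field(default_factory=dict)    # admin-added File Filters
    ignored: list = field(default_factory=list)   # Ignored List path globs


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a path glob to a regex. '**' crosses directory boundaries;
    '*' and '?' stop at '/'. (Assumed semantics, consistent with the page's
    '/ifs/**/*.tmp' meaning 'any .tmp anywhere under /ifs'.)"""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")      # zero or more directory components
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")         # within one path component only
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def flag_false_positive(policy: Policy, ext: str) -> None:
    """Model of 'flag as false positive' (2.5.7 or later): the builtin entry
    stays on the list but is set to Disabled, so it no longer trips Threat Detector 7."""
    if ext not in policy.builtin:
        raise KeyError(f"{ext} is not on the builtin banned list")
    policy.builtin[ext] = Mode.DISABLED


def evaluate(policy: Policy, path: str) -> tuple[str, str]:
    """Return (verdict, reason) for one file path.
    Precedence is an assumption of this model: Ignored List wins outright,
    a custom File Filter overrides a builtin entry for the same extension,
    and the builtin list is consulted last."""
    for pat in policy.ignored:
        if glob_to_regex(pat).match(path):
            return "allow", f"path matches Ignored List entry {pat}"
    suffix = posixpath.splitext(path)[1].lower()   # assumed case-insensitive
    if not suffix:
        return "allow", "no extension"
    key = "*" + suffix
    source = "custom" if key in policy.custom else "builtin"
    mode = policy.custom.get(key, policy.builtin.get(key))
    if mode is None:
        return "allow", f"{key} is not on any list"
    if mode is Mode.DISABLED:
        return "allow", f"{key} is {source} but Disabled"
    if mode is Mode.MONITOR:
        return "monitor", f"{key} is {source} in Monitor mode: snapshot, no lockout"
    return "lockout", f"{key} is {source} and Enabled"


# Constructed sample data for the demonstration; not the real banned list.
SAMPLE_POLICY = Policy(
    builtin={"*.locky": Mode.ENABLED, "*.cry": Mode.ENABLED, "*.ezz": Mode.ENABLED},
    custom={"*.enc": Mode.MONITOR},
    ignored=["/ifs/**/*.tmp"],
)

if __name__ == "__main__":
    flag_false_positive(SAMPLE_POLICY, "*.ezz")   # admin decides .ezz is legitimate here
    for p in ["/ifs/home/alice/report.docx.locky",
              "/ifs/build/obj/deep/scratch.tmp",
              "/ifs/app/export.ezz",
              "/ifs/projects/backup.enc",
              "/ifs/finance/q3.xlsx"]:
        verdict, reason = evaluate(SAMPLE_POLICY, p)
        print(f"{p}: {verdict} ({reason})")
```

Run it to see that the .locky file is locked out, the .tmp file under a nested directory is skipped by the Ignored List, the .ezz file is allowed once flagged as a false positive, and the custom .enc filter produces a Monitor verdict. The glob translation is where an Ignored List entry is most easily mis-scoped: /ifs/*/*.tmp only matches one directory level below /ifs, while /ifs/**/*.tmp matches at any depth.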


© Superna LLC