Well Known Ransomware File Extension Whitelist

Well Known Ransomware File Extension List (2.5.7 and later)

New in 2.5.7 and later releases is a versioned banned list. This feature allows switching between the currently active banned list and newly published list files, or selecting the Latest option to always use the most recent list. If a new list adds extensions that are already in use in your environment, a lockout could occur. The versioned list allows a controlled switch to a new file and shows which new extensions have been added in that file before it is activated.

Phone home integration moves the dynamic sync of the banned file list from the ECA VMs to the Eyeglass VM and uses the same phone home URLs that have already been whitelisted. This simplifies access to the file, since no new firewall or proxy rules are needed to use this feature.

Versioned Banned files List

This feature allows a version of the banned file list to be selected explicitly or auto-selected, and allows two versions to be diffed so that migration from one version to another can be done with the controlled commands below. The files appear in the File Filter tab in the Ransomware Defender GUI.

  1. Requirements
    1. Requires 2.5.7 update 1
  2. This section will provide a list of versioned files with a link to a file containing all the new extensions added in that version of the file.
  3. File Versions commands
    1. igls rsw filefiltersettings   (list current version and settings)
    2. igls rsw filefiltersettings --version=<version>  (select a version to be active)
    3. igls rsw filefiltersettings --diff=<version1,version2>  (show the changes between one version and another to know what new file extensions have been added)
    4. igls rsw filefiltersettings set --mode=Latest (always pick up and use the latest version available online)
    5. igls rsw filefiltersettings set --mode=Fixed --version=<version>  (select a fixed version as a static version of the banned list to use)
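As an added example (not part of this guide or of the product), the following Python script reproduces the --diff step offline and flags which newly banned extensions are already in use on a share before a version is switched, which is the lockout risk described above. The banned lists and the file inventory are constructed sample data, and representing each version as a plain list of glob patterns is an assumption, since the guide does not show the schema of supernaRansomwareFilters.json.

```python
import fnmatch

# Constructed sample data. ASSUMPTION: each list version is modelled as a plain
# list of glob patterns; the real versioned JSON schema is not shown in the guide.
BANNED_V1 = ["*.locky", "*.crypt", "*.enc", "*.zzz"]
BANNED_V2 = ["*.locky", "*.crypt", "*.enc", "*.zzz", "*.bak", "*.tmp", "*.kraken"]

# Constructed inventory of file names found on a share (e.g. from a directory walk).
SHARE_INVENTORY = [
    "db/nightly.bak",
    "reports/q1.xlsx",
    "scratch/build.tmp",
    "docs/readme.txt",
]


def added_extensions(old, new):
    """Patterns present in the new banned list but absent from the old one
    (the same information the --diff=<version1,version2> command reports)."""
    return sorted(set(new) - set(old))


def extensions_in_use(patterns, inventory):
    """Map each pattern to the inventory files it matches; patterns with no
    matches are left out. Matching is case-insensitive because file extensions
    on user shares are not consistently cased."""
    hits = {}
    for pat in patterns:
        matched = [f for f in inventory if fnmatch.fnmatchcase(f.lower(), pat.lower())]
        if matched:
            hits[pat] = matched
    return hits


def allowedfiles_commands(patterns):
    """Render the igls whitelist commands, in the single-quoted syntax the guide
    uses, for the patterns that would otherwise trigger detections."""
    return [f"igls rsw allowedfiles add --extensions='{p}'" for p in sorted(patterns)]


def preflight(old, new, inventory):
    """Summarise what a switch from `old` to `new` would change for this share."""
    added = added_extensions(old, new)
    conflicts = extensions_in_use(added, inventory)
    return {
        "added": added,
        "conflicts": conflicts,
        "whitelist_commands": allowedfiles_commands(conflicts),
    }


if __name__ == "__main__":
    for line in preflight(BANNED_V1, BANNED_V2, SHARE_INVENTORY)["whitelist_commands"]:
        print(line)
```

Run the preflight against a real inventory before selecting a new version with --mode=Fixed, and whitelist only the extensions you have confirmed are legitimately in use.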

How to switch the banned file URL to the latest, default or a newer file

  1. NOTE: 2.5.7 defaults to the same file used in the 2.5.6 release, but stored at the new location URL.
  2. Login to the Eyeglass VM as admin
  3. sudo -s (enter admin password)
  4. cd /opt/superna/sca/data
  5. nano system.xml
  6. locate the tag called <rsware>
  7. paste one of the following tags under the tag above
    1. Default file used from the 2.5.6 release
      1. <rsw_threat_file_url></rsw_threat_file_url>
    2. Latest Version URL will pick up the latest version.  This could introduce new extensions that trigger a lockout
      1. <rsw_threat_file_url></rsw_threat_file_url>
    3. Versioned file allows standardizing on a specific file version to control which file is used on your appliance.
      1. <rsw_threat_file_url><YYYYMMDD>/supernaRansomwareFilters.json</rsw_threat_file_url>
  8. Save the file with control+x and answer yes to save the file.
  9. Restart the SCA for the changes to take effect and download the new file to be cached on the appliance for processing.  This file is then automatically pushed to the ECA nodes to use the version of the file selected.
  10. systemctl restart sca
  11. Login to Ransomware Defender and search for files from the versioned file's list of new extensions to verify that they show up in the GUI.  If they do not show up, Eyeglass does not have access to reach the Internet URL.
  12. done

Well Known Ransomware File Extension List (before 2.5.6)

Ransomware Defender maintains a dynamic list of well known bad file extensions that are treated as suspicious.  This list contains over 1000 extensions.  It is common for some applications or enterprises to legitimately use a file extension that is on this list.  This feature allows whitelisting an extension in use that would otherwise trigger security detections.  NOTE:  The file listed below is deprecated as of release 2.5.6.

The whitelist is maintained with igls commands, documented in the igls section of the admin guide.  The command allows adding, listing and removing extensions from the list.

NOTE: The extension syntax used in the command must match the entry exactly as it appears in this document.  You can search this document with a browser.

Example below.  See the guide for all commands; note the single quotes.

igls rsw allowedfiles add --extensions='*.ext1'

