Well Known Ransomware File Extension Whitelist

Superna Defender Community Sourced File Extension List

This crowd-sourced extension list is based on Defender deployments around the world. When custom extensions are added to a local deployment, the phone home system collects them and merges them into a list that Superna curates and publishes as a version of the master list. The normal versioned list explained below continues to function, with new extensions from the crowdsourcing system appearing on the list. To view the newly added extensions, use the difference command shown in the steps below. If you add custom extensions to your Defender installation and enable phone home (if it is not already enabled), those extensions are sent to Superna for review as candidates for the master list.

Prerequisites 

  1. The Eyeglass VM needs firewall rules that allow access to this URL: https://storage.googleapis.com/rwdefender.superna.net/

Steps to check settings

To check your settings, run the command: igls rsw filefiltersettings

  • If the “mode” = “Latest”, it means the auto-update is enabled - Ransomware Defender will always use the latest version available online.

  • If the “mode” = “Fixed”, it means a static version of the list is used and the user can choose the version to switch to.

Running this command will also display the list of available versions.  



Steps to update the list

-> Customers who do not have auto-update enabled (“mode” = “Fixed”) 

  1. Review the list of new extensions to ensure they align with the organization's needs, as adding them may trigger new alerts and result in user lockouts. Use the following command:

    • igls rsw filefiltersettings --diff=<version1,version2>

    • NOTE: version2 should be the latest published version, e.g. 20240123

    • The output shows the extensions added and removed when moving from version1 to version2, as given in the command.

  2. Switch Eyeglass to the new version of the list and edit the list according to your organization's needs. Use the command:

    • igls rsw filefiltersettings set --mode=Fixed --version=<version> 

Once updated, the file extensions will appear in the File Filter tab in the Ransomware Defender interface. Customers can then manage the list. The extensions added manually by the customer will not be affected.

-> Customers who have auto-update enabled (“mode” = “Latest”) 

  1. When auto-update is enabled, the new version will replace the previous one.

  2. Please review the list of new extensions to ensure they align with the organization's needs, as adding them may trigger new alerts and result in user lockouts. Use the following command:

    • igls rsw filefiltersettings --diff=<version1,version2>

    • NOTE: version2 should be the latest published version, e.g. 20240123

    • The output shows the extensions added and removed when moving from version1 to version2, as given in the command.

  3. Once updated, the file extensions will appear in the File Filter tab in the Ransomware Defender interface. Customers can then manage the list. The extensions added manually by the customer will not be affected. 
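The review step in both procedures above (Fixed and Latest) is easier when you know whether any extension added by the new version already exists on the protected share. The script below is an added example, not Superna code: it assumes the added entries from the diff output were copied by hand into a text file, one per line, and that the share is mounted at a local path; the function names and file layout are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Superna code): list newly added banned extensions that
# already exist on a share, before switching list versions.
# Assumptions: the "added" entries from the --diff output were saved by hand to
# a text file, one per line, written as "*.ext", ".ext" or "ext"; the share is
# mounted locally; file names contain no newlines.

# normalize_ext: stdin -> lowercase bare extensions, comments/blanks dropped
normalize_ext() {
  tr '[:upper:]' '[:lower:]' |
    sed -e 's/[[:space:]]//g' -e '/^#/d' -e 's/^\*//' -e 's/^\.//' -e '/^$/d' |
    sort -u
}

# extensions_in_use DIR: print "ext count" for every extension found under DIR.
# Dotfiles such as ".profile" and names ending in "." have no extension.
extensions_in_use() {
  find "$1" -type f -print |
    sed -n -e 's|.*/||' -e 's/^..*\.\([^.]\{1,\}\)$/\1/p' |
    tr '[:upper:]' '[:lower:]' | sort | uniq -c | awk '{ print $2, $1 }'
}

# lockout_candidates ADDED_FILE DIR: extensions from ADDED_FILE that are
# already present under DIR, with the number of files carrying each one.
lockout_candidates() {
  tmp=$(mktemp) || return 1
  normalize_ext < "$1" > "$tmp"
  extensions_in_use "$2" |
    awk 'NR == FNR { banned[$1] = 1; next } ($1 in banned)' "$tmp" -
  rm -f "$tmp"
}

# Constructed sample data so the script runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/share/projects"
touch "$demo/share/report.docx" "$demo/share/db.BAK" \
      "$demo/share/projects/a.locked" "$demo/share/projects/b.locked"
printf '%s\n' '# added in new version' '*.locked' '.bak' 'crypt' > "$demo/added.txt"
lockout_candidates "$demo/added.txt" "$demo/share"
rm -rf "$demo"
```

Any extension this prints is one to investigate or account for in the File Filter tab before the new version becomes active.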

->  Other options

Customers can also enable the auto-update option. Eyeglass Ransomware Defender will check for new versions and automatically switch to the new version. Use the command:

  • igls rsw filefiltersettings set --mode=Latest 

If customers prefer to roll back to an older version of the list, they can do so using the command:

  • igls rsw filefiltersettings --version=<version>



Well-known Ransomware File Extension List (2.5.8 and later)

New in 2.5.8 or later releases is the versioned Banned list. This feature allows switching between the current banned list and newly published file lists, or selecting the latest option to always use the latest list. If the new list adds extensions that are in use in your environment, a lockout could occur. The feature therefore allows controlled switching to a new file and shows which new extensions have been added to the list in the new file.

NOTE: This feature does not support OS Proxy with YAST.

Versioned Banned files List

This feature allows a version of the banned file list to be selected, auto-selected, and differenced to allow migration from one version to another using the controlled commands below.  The files will appear in the File Filter tab in the Ransomware Defender GUI.

  1. Requirements
    1. Requires 2.5.8 
  2. This section will provide a list of versioned files with a link to a file containing all the new extensions added to the version of the file.
  3. File Versions commands
    1. igls rsw filefiltersettings   (list current version and settings)
    2. igls rsw filefiltersettings --version=<version>  (select a version to be active)
    3. igls rsw filefiltersettings --diff=<version1,version2>  (show the changes between one version and another to know what new file extensions have been added)
    4. igls rsw filefiltersettings set --mode=Latest  (always pick up and use the latest version available online)
    5. igls rsw filefiltersettings set --mode=Fixed --version=<version>  (select a fixed version as a static version of the banned list to use)

    © Superna Inc