AMP for endpoint can't block the packed WannaCry.

Tsunoda (Level 1)

AMP for endpoint does not seem to be able to block the WannaCry which is encrypted with a packer tool.

Is there any workaround?

Repro-steps:

1. Get a WannaCry from ThreatGrid or any other service.


2. Encrypt it with a packer tool such as UPX.


3. Open the AMP console and enable the TETRA feature.


4. Install the Connector.

5. Scan the WannaCry with AMP for endpoint. It is judged to be no problem.

6. Run the WannaCry. It works. Some programs such as WannaDecrypter are blocked, but the encryption of user data completes.




emirolyu (Cisco Employee)

Hello Takahiro Tsunoda,

Thank you for your screenshots and the repro-steps.

What version of the AMP for Endpoints connector are you running in this testing?

Hi Evgeny,

Thank you for your reply.

The version of connector I tested is 6.0.7.10670.

Best regards,

Takahiro

Hi Takahiro,

Thank you for sharing further details of your testing. Did you see a Cloud IOC fire in the AMP Console? I would expect that to happen as the minimum, and in a realistic scenario the infection could be prevented by one of the "new" engines that are a part of this connector version. For real-time ransomware blocking, there's going to be a beta of one more component available soon that is highly effective at addressing the problem of ransomware generically (file encryption behavior observed, initiating process blocked; with an ability to exclude benign processes). A notification about the Beta will be posted to the AMP Console and you would receive an email notification if that's enabled on your console.
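The generic behavioral approach this reply describes (file encryption behavior observed, initiating process blocked, benign processes excluded) is what catches a packed sample that signatures miss; the following is an added illustration of that idea, not Cisco's or the AMP connector's code. It assumes a per-process feed of file write/rename events and uses two signals, the entropy of written data and renames that change the extension; the process names, thresholds and event trace are constructed.

```python
import math
from collections import Counter, defaultdict, deque, namedtuple

# ts: seconds; process: image name; op: "write" | "rename"; data: bytes written; new_path: rename target
FileEvent = namedtuple("FileEvent", "ts process op path data new_path", defaults=(b"", ""))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0: ciphertext sits near 8, ordinary documents well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class RansomwareHeuristic:
    """Block a process after `threshold` suspicious file ops inside a sliding `window` (seconds)."""
    def __init__(self, threshold=5, window=10.0, min_entropy=7.0, exclusions=()):
        self.threshold, self.window, self.min_entropy = threshold, window, min_entropy
        self.exclusions = set(exclusions)  # benign encryptors/archivers the admin vouches for
        self.recent = defaultdict(deque)   # process -> timestamps of its recent suspicious ops
        self.blocked = set()

    def is_suspicious(self, ev) -> bool:
        if ev.op == "write":
            return shannon_entropy(ev.data) >= self.min_entropy
        return ev.op == "rename" and ev.path.rsplit(".", 1)[-1] != ev.new_path.rsplit(".", 1)[-1]

    def observe(self, ev) -> bool:
        """Feed one event; return True if the event's process is (now) blocked."""
        if ev.process not in self.exclusions and self.is_suspicious(ev):
            q = self.recent[ev.process]
            q.append(ev.ts)
            while ev.ts - q[0] > self.window:  # drop ops that fell out of the window
                q.popleft()
            if len(q) >= self.threshold:
                self.blocked.add(ev.process)
        return ev.process in self.blocked

HIGH = bytes(range(256)) * 16      # entropy exactly 8.0, stands in for ciphertext (constructed)
LOW = b"Quarterly report\n" * 256  # plain document text (constructed)

def build_trace():  # constructed trace: a ransomware-like process, a word processor, an archiver
    ev = [FileEvent(2.0, "winword.exe", "write", "C:\\Users\\u\\notes.docx", LOW)]
    for i in range(6):
        doc = f"C:\\Users\\u\\doc{i}.docx"
        ev += [FileEvent(i, "wannacry.exe", "write", doc, HIGH),
               FileEvent(i + 0.5, "wannacry.exe", "rename", doc, new_path=doc + ".WNCRY"),
               FileEvent(i, "7z.exe", "write", f"D:\\backup{i}.7z", HIGH)]
    return sorted(ev, key=lambda e: e.ts)

def run(events, exclusions=("7z.exe",)):
    h = RansomwareHeuristic(exclusions=exclusions)
    return {e.process for e in events if h.observe(e)}  # processes blocked at some point
```

With the archiver excluded, only the process that rewrites documents with ciphertext and renames them is blocked, after its fifth suspicious operation; remove the exclusion and the archiver's high-entropy writes trip the same rule, which is why the exclusion list matters in practice.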

Hi Evgeny,

I checked the trajectory. IOCs have been fired, but the WannaCry main file was not quarantined.

I was not able to find the information about beta. How can I use it?


Hi Takahiro,

Apologies for the delay to respond. You can enroll in the Beta program using your AMP for Endpoints console by navigating to Management > Beta > Enroll.

Thank you for your answer. My question has been cleared.