Stop Ransomware and other unknown zero day attacks with PolicyPak SecureRun(TM)

Quick question: do you want to pay the bad guys and/or spend three weeks cleaning up, or click ONE button and say goodbye to all unknown Ransomware threats? Blacklisting is impossible: there are thousands of new evil applications created per day. And whitelisting is no cakewalk either: you have to constantly stay on top of everything you deploy and install. There’s a BETTER way, a THIRD way, using PolicyPak SecureRun. With SecureRun, you only let applications run if they were “properly installed” or otherwise sanctioned by you. Check out this video, and block all unknown malware and zero day threats.

### PolicyPak Least Privilege Manager: Stop Ransomware and other unknown zero day attacks with PolicyPak SecureRun(TM)

Hi. This is Jeremy Moskowitz, and in this video we’re going to put the smack down on malware, cryptomalware, unknown threats and general garbage that your users download, put on their computers and make your life a living hell. Let’s set the stage here. Of course, there are applications that you’ve installed for users and they run just fine like “Mozilla Firefox” and “WinZip” and “Adobe Reader.” You’ve installed this stuff and, of course, you want it to run. But what about stuff that users download? By way of example, I’m just a standard user. I went to the Internet and I found this great website. I’m a standard user and I found this. It’s called “portableapps.com,” and they have all these fun apps that I can install – games and crap and I don’t know what this stuff is. I went to this website, and I downloaded this thing called “Notepad2 Portable” and I have it right here. Is it a good app or is it malware? I don’t know, but as a standard user I can just double click it and maybe that application is really evil and it’s encrypting my hard drive and all my files as we speak. If I were to really go evil, there is this thing called “Example Ransomware Simulator.” You’re welcome to find it and try it. It’s going to buzz through all of your “.docx” files and find them all and pretend to encrypt them. Again, a standard user can run this application. He downloaded it. That’s the deal. How about this video app? Is that okay? Well, actually, I happen to know it’s okay. That’s good. We’ll get to that later. How about this other application, “NotepadP”? I don’t know. Are these good apps, bad apps? I have no idea, but a standard user can download them off the Internet or bring it on from a USB stick and so on, putting your company at risk because as a standard user they can just run this stuff. Today’s the day where it ends, and here’s how we do it.
What we’re going to do is to create what’s called a “New SecureRun Policy.” SecureRun is a facility of PolicyPak Least Privilege Manager, and it puts the smack down on stuff we don’t know about. If you’ve ever thought about blacklisting or whitelisting, that’s a lot of work. You have to blacklist everything you don’t want, and in whitelist land you have to whitelist everything you do want. Well, there’s actually a third option, and this is the third option. SecureRun gives you the ability to say if it wasn’t properly installed by you the admin, the “SecureRun Member,” then just don’t let it run. Now if you have a certain software facility like SCCM or something like that, you could add them as a member (“Add member”). Therefore, stuff you deploy through your third-party software deployment tool would also be a “SecureRun Member.” The guy, the end user who is downloading that crap, he is not a SecureRun member. All we have to do is one click later, and that’s it. We’ve now put the smack down on all unknown threats that are executable. Let’s run GP Update real fast right here. We’ll wait for it to end. Of course, Group Policy would apply the first time you log on or in the background. I’m just using GP Update to accelerate the hands of time. By the way, if you’re not a Group Policy shop and you want to use SCCM or something like it, you can certainly do that. We have other videos on that too. That’s it. Ten seconds ago, we saw that we could run “WinZip” because you properly installed it and you’re on that list. But what about “Example Ransomware” and “Notepad2”? Let’s go ahead and try it. You’ve blocked the application because the person is not part of that SecureRun list. What’s happening underneath the hood? Actually, let’s just prove a point. “Example Ransomware,” that’s dead. Killed “Example Ransomware.” How about “CamPlay,” this good video player? Well, that’s a problem because we actually want to run this video player. And “NotepadP”?
It has blocked all unknown threats, but stuff that you said is okay, that stuff will still run. What’s happening underneath the hood? I want to explain it because I think it’s actually really awesome. What we’re doing is we’re saying – let’s take a look at “WinZip” by way of example: “Properties,” go to “Security” and look at “Advanced” and look at the “Owner.” You can see that the “Owner” here is the “SYSTEM,” and the “SYSTEM” is on that SecureRun list so, therefore, it runs. Let’s take a look at “Notepad2 Portable,” something that user downloaded off the Internet. When they download off the Internet, who owns it then? Let’s take a look: “Security,” “Advanced” and the “Owner” is “eastsalesuser1,” the person who downloaded it. Because they’re not on the list, that application will not run. It’s as simple as that. Let’s take this one step further. Let’s say we get the memo. We’ve made it a little too secure. We want to let “CamPlay” run. That’s great. We can do that. We’ll go back to “Least Privilege Manager,” add a “New Executable Policy.” We can “Use simple rule.” We can do this by name (“Path”) or by “Hash” or by “Signature.” I’m going to do it just by name. It’s not the most secure method, but it’s good for this example. I’ll go ahead and “Add file” and I’ll say anything “*camplay.exe” is okay. We’ll go ahead and let that run. Again, you probably wouldn’t want to do it by name. You’d probably want to do it by hash or by publisher, but for the purposes of this demonstration it’s fine. Then I’m going to “Allow and log.” We don’t need to “Run with elevated privileges.” We just want to let it run. We’ll go ahead and “Allow and log.” We’ll give it a “Name:” “let Camplay run” but nothing else that we don’t know about. That’s it. We’ll go back to the endpoint here. We’ll run GP Update. We’ll go ahead and wait for this to finish. Now that it’s finished, we’ll close this out. Let’s see what happens. How about our “Ransomware”?
We never said that’s good, so therefore it must be bad and therefore blocked. What about “CamPlay”? Now we said it’s good, and it runs. This gives you the ability to put the smack down on all things the user downloads off the Internet unless you say you installed it or you say that it’s okay and sanctioned. That’s it. That’s the end of malware. I hope you liked this demonstration. If you’re looking to get started with PolicyPak and Least Privilege Manager, give us a buzz and we’ll get you the bits. Talk to you soon.
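As an added illustration of the owner-based decision the video walks through (this is not PolicyPak code and does not use its API), the PowerShell below audits executables in a folder and reports which ones an owner-membership rule would let run, with the same kind of path or hash exception the “New Executable Policy” step adds. The SecureRun member list, the `CONTOSO\svc-sccm` deployment account and the hash value are assumptions made up for the example.

```powershell
# Added illustration (not PolicyPak code): simulate an owner-based SecureRun-style
# decision. Files installed by an administrator or SYSTEM are owned by a trusted
# principal; files a standard user downloads are owned by that user.
$secureRunMembers = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\svc-sccm'        # hypothetical software-deployment service account
)

# Exception rules, like the "New Executable Policy" in the demo. The path rule is
# the weaker choice the video warns about; a hash rule pins one exact binary.
$allowRules = @(
    @{ Type = 'Path'; Value = '*\camplay.exe' },
    @{ Type = 'Hash'; Value = '<SHA256-OF-APPROVED-BINARY>' }   # placeholder, not a real hash
)

function Test-SecureRunAllowed {
    param([Parameter(Mandatory)][string]$Path)

    $owner = (Get-Acl -LiteralPath $Path).Owner

    # Rule 1: properly installed software is owned by a SecureRun member.
    if ($secureRunMembers -contains $owner) {
        return [pscustomobject]@{ Path = $Path; Owner = $owner; Allowed = $true; Reason = 'owner is a SecureRun member' }
    }

    # Rule 2: an explicit executable policy (path or hash) sanctions the file.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    foreach ($rule in $allowRules) {
        $hit = switch ($rule.Type) {
            'Path' { $Path -like $rule.Value }
            'Hash' { $hash -eq $rule.Value }
        }
        if ($hit) {
            return [pscustomobject]@{ Path = $Path; Owner = $owner; Allowed = $true; Reason = "allowed by $($rule.Type) rule" }
        }
    }

    # Default: an unknown, user-owned executable is blocked (and worth logging).
    return [pscustomobject]@{ Path = $Path; Owner = $owner; Allowed = $false; Reason = 'owner not a SecureRun member and no allow rule' }
}

# Audit a location standard users can both write to and run from.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Recurse -Filter *.exe |
    ForEach-Object { Test-SecureRunAllowed -Path $_.FullName } |
    Format-Table Owner, Allowed, Reason, Path -AutoSize
```

The owner comparison is a plain string match on what `Get-Acl` reports, so the member list must use the same `DOMAIN\name` form; as the video stresses, the scheme rests on users running as standard users rather than local administrators.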

  • 02-Jul-2019