Hi Everybody
Well well ... As you can tell from the title, it happened: A user has been so keen to open a DOCM, which has dropped an EXE and then encrypted the workstation and the shared network drive.
After some investigation (on the next day, after recovering, when the questions "why", "what" and "how" have been raised), I found an entry in the SEP Risk monitor.
This entry indicates that the user indeed must have been willingly allowing the file.
In the "Risk Detection" part of the detailed event view, the following is written:
| Date found: | 2016.08.15 13:32:48 |
| Description: | "AP realtime deferred scanning" |
| Actual action: | Left alone |
| Specified primary action: | Prompt |
| Specified secondary action: | Allowed by user |
| Detection source: | Auto-Protect |
| Risk detection method: | Heuristic Detection |
| URL tracking: | On |
| Source computer: | |
| Event type: | Application allowed |
| Database insert date: | 2016.08.15 13:56:21 |
| Event end date: | 2016.08.15 13:32:48 |
| Event client date: | 2016.08.15 13:32:48 |
Permitted application reason: | Permitted by user allow |
To me, this raises various questions:
- In no policy, there is a setting to be found which would give the user a chance to "allow" an application that could possibly be harmful.
- Am I missing a configuration possibility? I definitely do NOT want the user to be able to trust or allow anything!
Basically, what happened is that the DOCM dropped the EXE and it did not get stopped.
Is there any possibility to configure SEP to prevent this behaviour? Under normal circumstances, Office documents should not drop anything executable.
The version of the SEP client is 12.1.6318.6100
Any help or input?
PS: It was ferdoxs.exe that got dropped: 02469222C9895FCBDCBE8264FADFBD8150D649A08E42EA2C476B6A33203E21C5