
UTM Advanced Threat Protection blocks kill switch URL for WannaCry (also referenced as WCry, WannaCrypt, and WanaCrypt0r)

Hi,

I think most of you have heard about the new Crypto Trojan "WannaCry". I read that a malware specialist found out that the Trojan tries to contact a URL and, as soon as it gets an answer, it stops spreading (https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-outbreak-temporarily-stopped-by-accidental-hero-/). So he registered the URL iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

I tried to call this URL but it's blocked by ATP and identified as C2/Generic-A C&C (https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx). This is not good in case one of your clients is infected by the trojan. The blocking of this URL will prevent the deactivation of the spreading.

Or is there something that I didn't see? Otherwise Sophos should allow this URL in my opinion.

Thank you.

Jas Man
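The reachability check described in the post, written as a script so it can be repeated from several internal hosts and its outcome classified consistently; this is an added example, not code from the original post or from Sophos. It assumes Python 3 on a host whose direct (non-proxy) path is the one you want to measure; the verdict labels are my own, and the domain is the one named in the thread.

```python
import socket
import urllib.error
import urllib.request

# Kill-switch domain named in the thread (the registered sinkhole).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def probe(domain: str = KILL_SWITCH_DOMAIN, timeout: float = 5.0) -> dict:
    """Resolve the domain and GET http://<domain>/ directly, recording each step."""
    result = {"resolved": None, "http_status": None, "body_head": "", "error": None}
    try:
        result["resolved"] = socket.gethostbyname(domain)
    except socket.gaierror as exc:
        result["error"] = f"dns: {exc}"
        return result
    # Empty ProxyHandler: ignore http_proxy/system proxy so the direct path is tested.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://{domain}/", timeout=timeout) as resp:
            result["http_status"] = resp.status
            result["body_head"] = resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # A proxy/ATP block page often arrives as an HTTP error status such as 403.
        result["http_status"] = exc.code
        result["body_head"] = exc.read(200).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        result["error"] = f"http: {exc}"
    return result


def interpret(result: dict) -> str:
    """Map a probe result to a verdict about whether the kill switch could fire."""
    if result["resolved"] is None:
        return "BLOCKED_AT_DNS"         # no answer is possible: kill switch cannot fire
    if result["http_status"] is None:
        return "BLOCKED_AT_CONNECTION"  # resolved, but no HTTP reply came back
    if 200 <= result["http_status"] < 300:
        return "ANSWERED"               # inspect body_head: sinkhole page or a block page?
    return "INTERCEPTED"                # e.g. 403 returned by a proxy/ATP block page


if __name__ == "__main__":
    outcome = probe()
    print(interpret(outcome), outcome)
```

An ANSWERED verdict with a block page in body_head still means the sinkhole was not reached, so read the captured body before concluding the exception works.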



  • There are three elements of proxy strategy: (1) organizational policy (Management does not want employees going to gaming, pornography, or software piracy sites), (2) Malware protection, and (3) Business and Technical necessity. User identification seems only necessary for item 1.

    Necessity: Most computers require some internet access for basic technical functions like software updates or web-based resources such as online help. Many modern applications require internet access to perform some of their functions. Most staff require internet access for some aspect of their job. These are the best reasons for a default policy that allows some access.

    Policy: User identification is important for policy enforcement based on job requirements, and for user accountability if appropriate use policy is violated. Standard mode proxy seems to be the only method that provides sufficient accountability for employee discipline purposes.

    Security: These protections are uniform for all employees. Accountability is useful but not required, because blocking threats is more important than knowing whom to blame.

    Then the practical issue is knowing everything that will be required by your organization. Incremental rollout seems to be the only practical way to learn that information. Standard proxy can be deployed incrementally using group policy, and transparent mode proxy can protect the other essential connections while you learn what else needs standard proxy configured manually.

  • Great explanation, Doug.  Those are the main reasons I use a more-restrictive Default Profile in Transparent mode along with a Web Filtering Profile in Standard mode.  If anyone wants to do anything for which there is a company policy, they have to use the Standard mode Profile.

    I developed this approach before it was possible to do AD-SSO with a Transparent mode Profile, so I haven't thought about using that until now.  If a client didn't want to use an explicit proxy (Standard), I think I could achieve practically the same thing in Transparent mode by allowing un-authenticated access and then using Policies with more-open Filter Actions for identified browsers and a more locked-down one for unidentified browsers.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA