https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431781#M3120 <HTML><HEAD></HEAD><BODY><P>Hi Takahiro,</P><P></P><P>Apologies for the delay to respond. You can enroll in the Beta program using your AMP for Endpoints console by navigating to Management &gt; Beta &gt; Enroll. </P></BODY></HTML> Wed, 28 Feb 2018 07:47:38 GMT emirolyu 2018-02-28T07:47:38Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431776#M3115 <HTML><HEAD></HEAD><BODY><P>AMP for endpoint seems to be not able to block the wannacry which is encrypted with packer tool.</P><P>Are there any workaround?</P><P></P><P>Repro-steps:</P><P></P><P>1. get a wannacry from ThreatGrid or any other service</P><P><IMG alt="1.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/115452_1.png" style="height: 285px; width: 620px;" /></P><P></P><P>2. encrypt it with packer tool such as upx</P><P><IMG alt="2.png" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/115453_2.png" style="height: 139px; width: 620px;" /></P><P></P><P>3. open AMP console and enable TETRA feature.</P><P><IMG alt="3.png" class="jive-image image-3" src="https://community.cisco.com/legacyfs/online/fusion/115454_3.png" style="height: 429px; width: 620px;" /></P><P></P><P>4. Install the Connector.</P><P></P><P>5. Scan the wannacry with AMP for endpoint. It is judged as no problem.</P><P></P><P>6. Run the wannacry. It works. Some programs such as WannaDecrypter are blocked. But encryption of user data complete.</P><P><IMG alt="4.png" class="jive-image image-4" src="https://community.cisco.com/legacyfs/online/fusion/115455_4.png" style="height: 349px; width: 620px;" /></P></BODY></HTML> Fri, 21 Feb 2020 05:05:28 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431776#M3115 Tsunoda 2020-02-21T05:05:28Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431777#M3116 <HTML><HEAD></HEAD><BODY><P>Hello Takahiro Tsunoda,</P><P>Thank you for your screenshots and the repro-steps.</P><P>What version of the AMP for Endpoints connector are you running in this testing?</P></BODY></HTML> Sat, 24 Feb 2018 19:49:55 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431777#M3116 emirolyu 2018-02-24T19:49:55Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431778#M3117 <HTML><HEAD></HEAD><BODY><P>Hi Evgeny,</P><P></P><P>Thank you for your reply.</P><P>The version of connector I tested is 6.0.7.10670.</P><P></P><P>Best regards,</P><P>Takahiro</P></BODY></HTML> Mon, 26 Feb 2018 03:30:23 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431778#M3117 Tsunoda 2018-02-26T03:30:23Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431779#M3118 <HTML><HEAD></HEAD><BODY><P>Hi Takahiro,</P><P></P><P>Thank you for sharing further details of your testing. Did you see a Cloud IOC fire in the AMP Console? I would expect that to happen as the minimum and in a realistic scenario, the infection could be prevented by one of the "new" engines, that are a part of this connector version. For real-time ransomware blocking, there's going to be a beta of one more component available soon, that is highly effective at addressing the problem of ransomware generically (file encryption behavior observed, initiating process blocked; with an ability to exclude benign processes). A notification about the Beta will be posted to the AMP Console and you would receive an email notification if that's enabled on your console.</P></BODY></HTML> Mon, 26 Feb 2018 14:00:22 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431779#M3118 emirolyu 2018-02-26T14:00:22Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431780#M3119 <HTML><HEAD></HEAD><BODY><P>Hi Evgeny,</P><P>I checked the trajectry. IOC have been fired. But wannacry main file was not quarantined.</P><P>I was not able to find the information about beta. How can I use it?</P><P><IMG __jive_id="115497" alt="trajectry.png" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/115497_trajectry.png" style="height: 293px; width: 620px;" /></P></BODY></HTML> Mon, 26 Feb 2018 16:43:21 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431780#M3119 Tsunoda 2018-02-26T16:43:21Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431781#M3120 <HTML><HEAD></HEAD><BODY><P>Hi Takahiro,</P><P></P><P>Apologies for the delay to respond. You can enroll in the Beta program using your AMP for Endpoints console by navigating to Management &gt; Beta &gt; Enroll. </P></BODY></HTML> Wed, 28 Feb 2018 07:47:38 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431781#M3120 emirolyu 2018-02-28T07:47:38Z https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431782#M3121 <HTML><HEAD></HEAD><BODY><P>Thank you for your answer. My question was cleared. <IMG src="https://community.cisco.com/legacyfs/online/emoticons/happy.png" /></P></BODY></HTML> Thu, 01 Mar 2018 10:54:55 GMT https://community.cisco.com/t5/endpoint-security/amp-for-endpoint-can-t-block-the-packered-wannacry/m-p/3431782#M3121 Tsunoda 2018-03-01T10:54:55Z