ESA Protection Against Petya Ransomware

Please note that there has been a new Talos blog posted regarding today's outbreak of the Petya Ransomware, which can be found here: http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html.
While email is still being investigated as a possible attack vector, we can confirm that the Email Security Appliance (ESA) does in fact positively detect this threat using either McAfee/Sophos Anti-Virus and/or Advanced Malware Protection (AMP).

NOTE: Even though the Anti-Virus and/or AMP services might be detecting the Petya Ransomware, you'll also need to make sure your services and mail policies are set up to take the necessary action (Drop/Quarantine/etc.) for any Malicious/Viral verdicts.

For further confirmation to see if you're currently protected on the ESA, you can review the appliance and look for the following Anti-Virus engine/rule updates via the CLI and/or GUI. For AMP, no specific updates will be needed since the SHAs are updated from within our AMP cloud database.
From the CLI this can be checked using the respective antivirusstatus sophos detail and antivirusstatus mcafee detail commands. From the GUI, you can review the current updates under Security Services --> Anti-Virus.
###
For Sophos - Look for the below mentioned IDEs

test.example> antivirusstatus sophos detail

Sophos Anti-Virus:

Product - 5.40
Engine - 3.66.3
Product Date - 30 May 2017

Sophos IDEs currently on the system:

'Petya-Bi.Ide' Virus Sig. - 27 Jun 2017 20:07:34
'Petya-Bh.Ide' Virus Sig. - 27 Jun 2017 19:31:11
'Rans-Eob.Ide' Virus Sig. - 27 Jun 2017 17:57:54

If checking via GUI, for the Sophos IDE Rules, you'll want to make sure the version shown is 2017062706 or newer.

###

For McAfee - Look for the Engine version of 5800 and DATs version of 8573

test.example> antivirusstatus mcafee detail

Component      Version  Last Updated
McAfee Engine  5800     18 May 2017 17:11 (GMT +00:00)
McAfee DATs    8573     27 Jun 2017 14:22 (GMT +00:00)

###

NOTE: If your McAfee engine is only showing as 5700, please be sure you've upgraded to the proper supported AsyncOS version for the 5800 engine. More info on the compatible builds can be found here: http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64277.html. While McAfee DAT 8573 will still assist with finding the Petya Ransomware, any engine previous to 5800 in conjunction with DAT 8573 will result in decreased efficacy.
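If you manage several appliances, the two CLI checks above are easy to script. The following is an added example (not Cisco's code and not from the original post) that parses the antivirusstatus output format quoted above against the thresholds the post gives: the three Sophos IDEs, McAfee engine 5800 and DAT 8573, with a "degraded" result for the engine-5700-with-current-DAT case the note describes. The sample output is constructed from the post; the function names are the example's own.

```python
import re

# Constructed sample output modelled on the 'antivirusstatus' output quoted in
# the post above (not captured from a real appliance).
SOPHOS_OUTPUT = """\
Sophos IDEs currently on the system:

'Petya-Bi.Ide' Virus Sig. - 27 Jun 2017 20:07:34
'Petya-Bh.Ide' Virus Sig. - 27 Jun 2017 19:31:11
'Rans-Eob.Ide' Virus Sig. - 27 Jun 2017 17:57:54
"""
MCAFEE_OUTPUT = """\
Component Version Last Updated
McAfee Engine 5800 18 May 2017 17:11 (GMT +00:00)
McAfee DATs 8573 27 Jun 2017 14:22 (GMT +00:00)
"""

# Thresholds stated in the post: three Sophos IDEs, McAfee engine 5800, DAT 8573.
REQUIRED_IDES = {"Petya-Bi.Ide", "Petya-Bh.Ide", "Rans-Eob.Ide"}
MIN_MCAFEE_ENGINE = 5800
MIN_MCAFEE_DAT = 8573


def sophos_ides(output):
    """Set of IDE file names listed by 'antivirusstatus sophos detail'."""
    return set(re.findall(r"'([^']+\.Ide)'", output))


def mcafee_versions(output):
    """(engine, dats) integers parsed from 'antivirusstatus mcafee detail'."""
    engine = re.search(r"McAfee Engine\s+(\d+)", output)
    dats = re.search(r"McAfee DATs\s+(\d+)", output)
    if not (engine and dats):
        raise ValueError("could not parse McAfee engine/DAT versions")
    return int(engine.group(1)), int(dats.group(1))


def assess(sophos_out, mcafee_out):
    """Report missing Sophos IDEs and a McAfee status: ok / degraded / missing."""
    missing = REQUIRED_IDES - sophos_ides(sophos_out)
    engine, dats = mcafee_versions(mcafee_out)
    if dats < MIN_MCAFEE_DAT:
        status = "missing"        # DAT older than 8573: no Petya coverage from McAfee
    elif engine < MIN_MCAFEE_ENGINE:
        status = "degraded"       # DAT current but engine < 5800: decreased efficacy
    else:
        status = "ok"
    return {"sophos_missing_ides": sorted(missing), "mcafee": status}
```

Any appliance returning a non-empty sophos_missing_ides list or a McAfee status other than "ok" still needs the updates described above.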

If you have any further questions, then please do not hesitate to contact us.

Thanks!

-Dennis M.