Device Guard and Ransomware

  • Question

  • I have been experimenting with Device Guard and specifically with the Code Integrity feature. So far the results have been quite good. We have a product that would be a good fit for the Code Integrity feature and are looking at some type of whitelisting solution for a future release. One question that we get from customers is what are we doing about Ransomware. My question is: has anyone done any Ransomware testing with Code Integrity turned on? Or more simply, does Device Guard Code Integrity protect from ransomware? Testing this is very difficult (or at the least risky), so if anyone has any test results or anecdotal evidence I would be very interested. Thanks


    Roger

    Wednesday, April 27, 2016 4:42 PM

Answers

  • Roger,

    Yes, I agree with your understanding. Ransomware/Cryptolocker is aimed at enterprise data: it encrypts data on the victim's computer or NAS server, and the victim has to pay for the decryption program.

    As I mentioned in my last reply, we don't have the conditions to test ransomware. We are also collecting resources to check whether our product can block attacks from ransomware; if we get some data, we will be happy to share it with you.

    Thanks for understanding.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, May 3, 2016 1:15 AM
    Moderator

All replies

  • Hi Roger,

    With our limited conditions, I'm afraid that I can't do a test to verify what level of ransomware can be prevented by Device Guard Code Integrity.

    But one thing we should understand: even if a software nasty manages to get into the Windows operating system, it shouldn't be able to crack this final layer of protection.

    In Windows 10, these same successful UMCI standards are available. Historically, most malware has been unsigned. By simply deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for more than 95 percent of current attacks.

    For more information, please refer to this official documentation:

    Device Guard overview

    https://technet.microsoft.com/en-us/itpro/windows/whats-new/device-guard-overview?f=255&MSPPError=-2147217396

    Finally, if we receive a good case which shows Device Guard protecting a system from ransomware damage, we will share it with you.

    Best regards



    Thursday, April 28, 2016 6:48 AM
    Moderator
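The question asks how to test Code Integrity against ransomware without risking a machine, and the reply above says a policy blocks unsigned code. The safe way to get a first answer is to deploy a policy in audit mode and read the Code Integrity event log, which records what the policy would have blocked without actually blocking it. The script below is an added example written for this page; it is not code from the thread or from Microsoft's documentation. It assumes Windows 10 Enterprise with the ConfigCI PowerShell module on an elevated prompt. The working directory C:\CIPolicy, the function names Get-CIViolations and Test-WouldBeAllowed, and the regular expression over the event message are the editor's own assumptions, not anything the page or the product defines.

```powershell
# Added example (editor's own, not from the thread or Microsoft docs).
# Builds a Device Guard code integrity policy from a clean reference machine,
# deploys it in audit mode, and reads back which images it would have blocked.
# Assumptions: Windows 10 Enterprise, ConfigCI module, elevated prompt.
# C:\CIPolicy and the function names below are hypothetical.
$work = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$xml = Join-Path $work 'DeviceGuardPolicy.xml'
$bin = Join-Path $work 'SIPolicy.p7b'

# 1. Scan the reference machine. Publisher-level rules allow anything signed by
#    the same publishers as the scanned binaries; unsigned files that were
#    present at scan time are allowed by hash only. An unsigned binary dropped
#    later (the typical ransomware payload) matches neither rule.
#    -UserPEs makes this a UMCI policy (user-mode images), the part that
#    matters for ransomware executables.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -FilePath $xml

# 2. Keep audit mode on (rule option 3) for the first deployment so nothing is
#    blocked yet; violations are only logged.
Set-RuleOption -FilePath $xml -Option 3

# 3. Compile to binary and stage it where Code Integrity reads it.
#    A reboot applies it.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item $bin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
# Restart-Computer   # uncomment on the test machine

# 4. After the reboot, exercise the machine normally and run an unsigned test
#    binary you built yourself (not real malware). Then list what the policy
#    would have blocked. Event 3076 = audit-mode "would have been blocked",
#    event 3077 = blocked under enforcement.
function Get-CIViolations {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumption: the message reads "... attempted to load <path> that did
        # not meet ..."; fall back to the full message if the pattern changes.
        $image = if ($_.Message -match 'attempted to load (.+?) that did not') {
            $Matches[1]
        } else {
            $_.Message
        }
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Id    = $_.Id
            Mode  = if ($_.Id -eq 3076) { 'audit' } else { 'enforced' }
            Image = $image
        }
    }
}

# 5. Predict the verdict for a single file before running it: an unsigned
#    image (Status = NotSigned) is what the policy denies. A Valid signature
#    is necessary but not sufficient; the signer must also be in the policy.
function Test-WouldBeAllowed {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status            # Valid / NotSigned / HashMismatch ...
        Signer   = $sig.SignerCertificate.Subject
        Unsigned = ($sig.Status -eq 'NotSigned')
    }
}

# 6. Once the audit log shows only expected violations, remove audit mode,
#    recompile and redeploy; from then on 3077 events mean real blocks.
# Set-RuleOption -FilePath $xml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
# Copy-Item $bin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

Get-CIViolations | Format-Table -AutoSize
Test-WouldBeAllowed -Path (Join-Path $work 'unsigned-test.exe')
```

Run steps 1 to 3, reboot, run the unsigned test binary, then call Get-CIViolations; a 3076 event naming that binary is the evidence that the same policy, once enforced, would refuse to load an unsigned ransomware executable. Two caveats belong with the result. A code integrity policy decides which PE images may load; it does not restrict what an allowed process does to files, so a payload that runs as a script under an allowed, signed script host, or as an Office macro inside an allowed application, is not stopped by this layer. And the audit-mode run is only as safe as the binary you use for it: use a harmless unsigned program you built, never a live sample, on a machine you are willing to rebuild.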
  • Thanks for the reply and I understand that the inner layer is protected, which is good for protecting against root kits, but for RansomWare, they don't touch the OS (at least that is my understanding). They attack the data. Presumably if they did this with unsigned code, it would be blocked but that is what I would like to see a test of. If it does block it, it could be a big plus for Device Guard. I don't know enough about Ransomware to be able to know all the attack vectors but if you ever hear of anything that you can share it would be quite interesting.

    Roger

    Thursday, April 28, 2016 2:40 PM