GFI Forums: Kerio Control Feedback » Ransomware protection

Home » Product Feedback » Kerio Control Feedback » Ransomware protection (Block out of the ordinary uploads)

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Ransomware protection [message #153737]

Mon, 06 February 2023 18:51

tverweij
Messages: 86
Registered: March 2010
Location: Curacao

In most cases, before a system is encrypted, the data of the machine is uploaded to be held hostage.
When we can detect these uploads with Kerio, we can block these uploads.

To do this, Kerio should monitor the normal traffic that is initiated from a host to all specific IP addresses.
It can then calculate the medians uploaded per hour per IP address (only initiated from the machione itself).
A whitelist should be available to exclude specific addresses from this detection.

If a host connects itself to a new IP address it did not previously connect to (and that IP is not whitelisted), and the median upload per hour is exceeded - a warning should be issued and / or the upload stream should be blocked (as specified in the rules), to prevent the data from being stolen.

Report message to a moderator