Configuring threat protection

The security rules that Stormshield provides include audit or protection rules that you can configure to protect your network from major attack classes that threaten workstations.

For more information on the attacks that SES Evolution thwarts, refer to the section Protection against various threats.

All threat protection rules are disabled by default. If there are several protection rule sets in your security policy, ensure that you enable the policy only for the set(s) in which you want to configure threat protection, and arrange your rule sets in the right order in the policy. If you configure threat protection in a rule set near the top of the policy, this rule may overload and cancel the effect of the threat protection configuration in the rule sets that follow.

  • For Driver loading and Driver integrity audit rules, you must create a driver ID beforehand for every legitimate driver to ignore.
    For more information, refer to the section Creating driver identifiers.
  • For all other protection types, application identifiers must be created beforehand for every application to be protected and for every approved application to be excluded from the protection rules.
    For more information, refer to the section Creating application identifiers.
  1. Select Policies and click on your policy.
  2. Select the protection or audit rule set to which you want to add your rule.
    The main page of the rule set appears.
  3. Click on the Threats tab.
  4. If you are in read-only mode, click on Edit in the upper banner.
  5. Enable the desired rule by clicking on on the left.
  6. In the Status field in Default behavior, there are three or four statuses for each protection mode. Select:
    • Allow: SES Evolution does not block malicious actions and does not generate any logs.
    • Detect only: As in audit mode, SES Evolution detects malicious actions without blocking them, and generates logs for the administrator. But unlike audit mode, this option stops evaluating the rules that follow, and ignores them.
    • Block: SES Evolution blocks malicious actions and generates logs for the administrator.
    • Block and kill: SES Evolution blocks malicious actions and shuts down the process that launched the action.
      For audit rules, the available actions are always Allow, which does not do anything, and Audit, which generates a log and evaluates the next rule.
  7. Click on + Add a specific behavior to add the IDs of the applications for which the protection must behave differently. In process hollowing for example, you can enable the protection by default, and disable it specifically for your internal applications, such as virtualization tools, that use this operating mode.
  1. In the upper banner in the rule, you can:
    • Indicate whether the rule must generate an incident when it is applied. For some protection types, an incident is automatically generated because in addition to logs, a context is also necessary for such attacks.Example of a process hollowing rule
    • Select the log settings that this rule will send.
    • Specify whether an action must be performed when a log is sent for this rule.

      NOTE:
      If you want logs to be managed differently by application, your rules must be spread out into different rule sets. Rule sets cannot contain several rules for the same threat.

  2. Once the first protection type is configured, repeat steps 5 to 8 to configure the other protection types.
  3. Click on Save at the top right of the window to save changes.

Advanced protection modes are available in the same panel as rules against threats described earlier. For more information, refer to the section Protection against various threats.

To enable and configure advanced protection:

  1. In the desired policy, select the protection or audit rule set to which you want to add your rule.
  2. Click on the Threats tab.
  3. If you are in read-only mode, click on Edit in the upper banner.
  4. Enable the desired rule by clicking on on the left.
  5. In the Version drop-down list, indicate the version of the protection that you wish to run - either a version in particular or Always use latest version. If you are not using the latest version available, the indicator will appear to the right of the drop-down list. It also appears on a policy's general panel when at least one enabled advanced protection mode is not using its latest version.
  6. In the Status field, there are three or four statuses for each protection mode. Select:
    • Allow: SES Evolution does not block malicious actions and does not generate any logs.
    • Detect only: As in audit mode, SES Evolution detects malicious actions without blocking them, and generates logs for the administrator. But unlike audit mode, this option stops evaluating the rules that follow, and ignores them.
    • Block: SES Evolution blocks malicious actions and generates logs for the administrator.
    • Block and kill: SES Evolution blocks malicious actions and shuts down the process that launched the action.
  7. In the upper banner in the rule, you can:
    • Select the version of the protection. All versions are kept in databases and remain available in the administration console.
    • Select the log settings that this rule will send.
    • Specify whether an action must be performed when a log is sent for this rule.
  8. Rules against WMI persistence, Malicious use of certutil, Environment discovery, Ransomware and Parent PID Spoofing each have specific parameters:
    WMI Persistence

    Compatibility list: in this section, list the consumers that represent legitimate WMI events and which the protection mode must not block.

    Protection against malicious use of certutilCompatibility list: in this section, add the IDs of applications likely to use certutil.exe for legitimate purposes and which the protection mode must not block.
    Environment discovery
    • Interval: indicate the interval in seconds (minimum five seconds) between the first command and the last command, and the interval after which discovery operations must be ignored.
    • Compatibility list: in this section, add the IDs of applications allowed to run commands similar to discovery operations and which the protection mode must not block.
    • Sensitivity: select the threshold above which the protection will be triggered.
    Ransomware
    • Compatibility list: here, add the IDs of legitimate encryption applications that the protection mode must not block, such as Stormshield Data Security.
    • Sensitivity: select the threshold above which the protection will be triggered. With a Very low level, the protection mode will be triggered if a ransomware program encrypted at least 20 files within 3 seconds. With a Low level, the threshold will be 15 files, and with the Moderate level, 10 files.

    If you enable this anti-ransomware protection mode, ensure that you also Enabling Windows shadow copies so that you can restore lost files if necessary.

    For further information on restoration, refer to Managing ransomware attacks.

    Parent PID Spoofing

    Compatibility: here, add the IDs of applications that will be allowed to spoof parent processes without being blocked by the protection mechanism.

  9. Click on Save at the top right of the window to save changes.

NOTE
If subsequently, you want to change the version of an advanced protection, a deployment is required after the change is made.