The default McAfee SaaS Email Protection configuration provides excellent protection against malware, but threats evolve and you may have changed the default settings, so it is a good idea to periodically audit your configuration for compliance with best practices.
The recommendations in this article are particularly important right now because we are seeing several new variants of Cryptolocker and other ransomware-type malware per day. Therefore, a strong attachment policy that generically blocks dangerous file formats is critical to avoiding infection.
- Carefully evaluate these recommendations before making changes to your network or the McAfee SaaS Email Protection service.
- Always follow internal change control processes prior to making any changes.
- Not all recommendations will be appropriate for all organizations.
MCAFEE SAAS EMAIL PROTECTION RECOMMENDATIONS
- Take all available online training to ensure familiarity with the full functionality and capabilities of the service.
- Audit policy-level sender allow lists to verify that the organization’s own domains or domains associated with large service providers (like *@gmail.com) do not appear on the list.
- Verify that your firewall is locked down so that only the IPs used by the service are able to connect to your externally-facing email infrastructure on port 25. For a list of latest IP addresses used by the service, log onto the Control Console using an administrator account and navigate to Email Protection > Setup > MX Records > Lock Down.
- Implement processes whereby all legitimate dangerous attachments are routed through specially trained IT staff for evaluation before being sent to end users.
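Two of the audit items above, allow-list hygiene and the port-25 lockdown, can be checked with a small script. The following is an added example, not McAfee's code or a Control Console export: the domain lists, the service IP ranges and the Postfix-style log lines are constructed placeholders, and the real ranges must be taken from the Lock Down page in the Control Console.

```python
import ipaddress
import re

# Assumed values for this example: replace with your own domains and with the
# current IP list published under Email Protection > Setup > MX Records > Lock Down.
OWN_DOMAINS = {"example.com", "mail.example.com"}
LARGE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SERVICE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]  # placeholders


def audit_allow_list(entries):
    """Flag allow-list entries that grant too much trust.

    Returns a list of (entry, reason) tuples; an empty list means the list is clean.
    """
    findings = []
    for raw in entries:
        entry = raw.strip().lower()
        local, sep, domain = entry.rpartition("@")
        if not sep:                      # bare domain entry such as "gmail.com"
            local, domain = "*", entry
        if domain in OWN_DOMAINS:
            findings.append((entry, "organization's own domain is on the allow list"))
        elif domain in LARGE_PROVIDERS and local in ("", "*"):
            findings.append((entry, "wildcard covers every account at a large public provider"))
    return findings


# Matches the "connect from host[ip]" line that Postfix smtpd logs for each inbound session.
CONNECT_RE = re.compile(r"connect from \S*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_service_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVICE_RANGES)


def unexpected_smtp_sources(log_text):
    """Return the sorted list of source IPs that reached port 25 from outside the service's ranges.

    Any hit means the firewall is not locked down to the service as recommended.
    """
    seen = set()
    for line in log_text.splitlines():
        match = CONNECT_RE.search(line)
        if match and not is_service_ip(match.group(1)):
            seen.add(match.group(1))
    return sorted(seen)


# Constructed sample log in Postfix format; 203.0.113.x and 198.51.100.x are the
# placeholder service ranges above, 192.0.2.77 is an unexpected direct connection.
SAMPLE_LOG = """\
Jun  3 10:01:12 mx1 postfix/smtpd[2231]: connect from unknown[203.0.113.45]
Jun  3 10:02:40 mx1 postfix/smtpd[2240]: connect from unknown[192.0.2.77]
Jun  3 10:03:05 mx1 postfix/smtpd[2240]: disconnect from unknown[192.0.2.77]
Jun  3 10:04:19 mx1 postfix/smtpd[2251]: connect from unknown[198.51.100.9]
Jun  3 10:05:51 mx1 postfix/smtpd[2260]: connect from unknown[192.0.2.77]
"""

if __name__ == "__main__":
    for entry, reason in audit_allow_list(["*@example.com", "*@gmail.com", "billing@gmail.com", "partner.example.net"]):
        print(f"allow-list finding: {entry}: {reason}")
    for ip in unexpected_smtp_sources(SAMPLE_LOG):
        print(f"port 25 reached from non-service address: {ip}")
```

Run the allow-list check against an export of each policy's sender allow list, and the log check against your mail server's inbound connection log; a specific mailbox at a large provider (like billing@gmail.com) is not flagged, only wildcard or bare-domain entries are.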
The settings discussed in this section can be found in the Control Console by navigating to Email Protection > Policies > [Edit a policy] > Attachments.
- Under the File Types tab: Ensure that “Executable” and “Scripts” are set to “Disallow” and an action of “Quarantine.” Only IT staff with specialized training should be permitted to handle these formats because they are commonly used to distribute malware.
- Under the Filename Policies tab: Create rules to quarantine messages containing attachments ending in “.cab”, “.tar”, and “.7z” – or any other compressed format where users have no clearly-defined need. The more of these compressed formats you can afford to block without disrupting your business, the less likely you will get an infection. Cryptolocker is routinely hidden inside of compressed archives.
- Under the Additional Policies tab:
  - Be sure “File in zip attachment violates attachment policy” is set to “Attachment Policy Action.” With this setting, file type and filename policies will be applied to the contents of zip archives up to two layers deep (a file in a zip nested in another zip). Nested zips are frequently used to hide and distribute malware.
  - Be sure “Message contains a high risk zip attachment” is set to “Quarantine.” This setting blocks any zip with more than two layers of nesting (see online help for more benefits of this setting).
  - Be sure “Message contains an encrypted zip attachment” is set to “Quarantine.” This setting blocks any zip file that cannot be opened and inspected. Malware is commonly distributed in this manner.
- Effective May 2015, senders on the allow list no longer bypass attachment policy by default. This measure reduces the chance that a trusted 3rd party could send you malware. The default can be overridden on a per sender basis, but exceptions should only be made for policies belonging to specially trained IT staff.
- Educate users to consider all attachments as potential threats regardless of the source, and to verify through other means the legitimacy of the attachment (phone call, instant message, or SMS).
- Many threats are now distributed via URL in the message body rather than by file attachment. To protect against this type of threat, consider enabling the ClickProtect feature. If you are not familiar with this feature, please attend our free product training or contact technical support for more information.
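To make the attachment rules above concrete (disallowed file types, blocked archive formats, policy applied inside zips up to two layers deep, high-risk zips beyond that, and encrypted zips that cannot be inspected), here is an added example of the same decision logic written as a small Python evaluator. It is not McAfee's code and does not reproduce the service's real "Executable" and "Scripts" categories; the extension lists are assumed, the sample attachments are constructed in memory, and `mark_encrypted` only simulates a password-protected zip by setting the encryption flag bit, because the standard library cannot write real encrypted archives.

```python
import io
import zipfile

# Assumed lists for this example; the service's real categories are broader.
DISALLOWED_TYPES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf", ".ps1"}
BLOCKED_ARCHIVES = {".cab", ".tar", ".7z"}      # filename rules from the article
MAX_ZIP_LAYERS = 2                              # deeper nesting is treated as high risk


def _ext(name):
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def _looks_like_zip(name, data):
    return _ext(name) == ".zip" or data[:4] == b"PK\x03\x04"


def evaluate_attachment(filename, data, layer=1):
    """Return ("allow", "") or ("quarantine", reason) for one attachment.

    `layer` is 1 for the attachment itself, 2 for a file inside a zip, and so on.
    """
    ext = _ext(filename)
    if ext in DISALLOWED_TYPES:
        return "quarantine", f"disallowed file type {ext}: {filename}"
    if ext in BLOCKED_ARCHIVES:
        return "quarantine", f"blocked archive format {ext}: {filename}"
    if not _looks_like_zip(filename, data):
        return "allow", ""
    if layer > MAX_ZIP_LAYERS:
        return "quarantine", f"high risk zip: nested more than {MAX_ZIP_LAYERS} layers deep ({filename})"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "quarantine", f"zip cannot be parsed, so it cannot be inspected ({filename})"
    with archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1:          # general-purpose flag bit 0: entry is encrypted
                return "quarantine", f"encrypted zip entry cannot be inspected: {info.filename}"
            if info.is_dir():
                continue
            verdict = evaluate_attachment(info.filename, archive.read(info), layer + 1)
            if verdict[0] == "quarantine":
                return verdict
    return "allow", ""


def make_zip(files):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encryption flag bit in every local and central header (demo only).

    Local file header flags sit at offset 6 after "PK\\x03\\x04"; central directory
    flags sit at offset 8 after "PK\\x01\\x02".
    """
    out = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_offset] |= 0x01
            pos = out.find(sig, pos + 4)
    return bytes(out)


if __name__ == "__main__":
    samples = {  # all constructed
        "report.pdf": b"%PDF-1.4 constructed",
        "invoice.pdf.exe": b"MZ constructed",
        "archive.7z": b"7z constructed",
        "two-layers.zip": make_zip({"inner.zip": make_zip({"notes.txt": b"hello"})}),
        "three-layers.zip": make_zip({"l2.zip": make_zip({"l3.zip": make_zip({"x.txt": b"x"})})}),
        "nested-script.zip": make_zip({"inner.zip": make_zip({"update.js": b"// constructed"})}),
        "locked.zip": mark_encrypted(make_zip({"invoice.doc": b"constructed"})),
    }
    for name, data in samples.items():
        verdict, reason = evaluate_attachment(name, data)
        print(f"{name:18} {verdict:10} {reason}")
```

The order of the checks matters: a plain file three layers down (notes.txt inside inner.zip inside two-layers.zip) is still inspected and allowed, while a third zip at that depth is quarantined without being opened, and the encryption flag is tested before any entry is read so that a password-protected archive is never partially extracted.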
GENERAL RECOMMENDATIONS – IT SECURITY GLOBAL BEST PRACTICES
These recommendations apply to your organization's general security practices and are not specific to the McAfee SaaS Email Protection filtering service. This is not intended to be a complete list but it should be a useful conversation starter for organizations wishing to reduce their exposure.
- Ensure endpoint AV applications are set to automatically update.
- Consider restricting use of USB devices, including disabling Windows’ Autoplay feature, which can be exploited to automatically execute malware once a new device is inserted into the PC.
- Perform regularly scheduled backups to storage media such as backup
- Maintain a clean system image for quick system recovery in the event of an infection.
- Ensure Windows environments are configured to create the appropriate restore points automatically.
- Ensure all operating systems, and applications such as web browsers, browser plug-ins, run-time environments, and document readers are configured to automatically download and install security patches and updates from the source vendor in a timely manner.
- Retain the services of reputable information security resources to help perform regular security audits.
- Enforce a secure password policy, focusing on minimum length and complexity requirements.
- Require regular password changes at least 4 times a year.
- Enforce account lockout for failed login attempts.
- Avoid exposing Microsoft Exchange Server Outlook Web Access (OWA) openly to the internet outside of a VPN.
- Do not enable Authenticated Relay on your SMTP server.
- Restrict user access to non-company secured email accounts.
- Use a strong web filtering proxy such as McAfee SaaS Web Protection to protect users from web-based threats.
IF YOU ARE INFECTED WITH CRYPTOLOCKER
In the event of a Cryptolocker infection, follow these recommendations:
- Above all, follow all of your organization’s established policies for handling a security incursion, and abide by industry standards for computer forensic investigation.
- DO NOT PAY – There is no assurance paying the requested ransom will result in the ability to retrieve your data. It will, however, fund and encourage such attacks in the future, and could potentially subject you to additional exposure, including identity theft. Furthermore, once cybercriminals see your organization as a willing payout, the odds that you will be the target of additional attacks may increase.
- Promptly remove the infected computer from the network. If the virus has spread to network stores, disable or isolate those network stores immediately.
- Begin removing the virus using reputable software, including your McAfee Anti-Virus. You may also contact the McAfee Virus Removal Service if you do not have an onsite support team.
- In some cases, a complete format-and-reimage may be needed to ensure protection.
- Do not restore backups from external drives or services until they can be scanned for malware. Keep onsite and off-site backups of all data and server configurations, including utilizing cloud backup providers if appropriate.
- Once a file is encrypted by Cryptolocker, it cannot be retrieved using methods available to the public. The virus uses strong asymmetric encryption, and the decryption key is not stored anywhere on the victim’s computer, cannot be obtained by current cryptographic methods, and likely cannot be brute-forced.