Forum Discussion
MDATP doesn't constantly detect a ransomware-type mass encryption
Hello,
As part of security testing, to see the efficacy level of MDATP, we are running a PowerShell script (encrypt_ransomware.ps1) found on GitHub (leomatias/Ransomware-Simulator) that encrypts a bulk number of files and behaves like ransomware.
The workstations used are Windows 10 Enterprise, enrolled in Intune with similar policies and settings. The user accounts used to execute the scripts are administrators, but we only run the scripts in standard PowerShell sessions (meaning not "run as administrator"). We rely on MDATP protection to detect this event, and we confirm the alert after seeing it in the security center, but the alerts/detections in the MDATP security center are not consistent. On some of the test machines it gets detected as "ransomware behaviour" by MDATP and an alert is generated. Doing the same test on another machine has a different result: no alert is raised in the MDATP console. The result is not consistent across the devices we run the script on.
There is no real difference in configuration between the machines, as all policies and settings are pushed to all devices/all users. The tests are identical: the same encryption script, the same number of files, the same total size.
I appreciate any advice or suggestions on how to troubleshoot this and find what's generating the different detection behavior. Why is the massive file change not detected consistently across machines?
I'll continue to see if it stays the same with a standard user (no admin rights by default).
- Joe Stocker (Bronze Contributor)
Based on my testing using that same ransomware simulator, we were able to get it to stop and not even launch when we enabled "Block at First Sight" and the ASR rules.
Check out my results that I posted here:
Give it a try by following some of these MDATP tips here: https://www.thecloudtechnologist.com/mdatp-best-practices/
- Sri_12 (Copper Contributor)
@Joe Stocker We have the rule enabled already, from Endpoint security > Antivirus > Cloud protection > Cloud-delivered protection level = High.
From my side, I think we found a cause. MDATP seems to detect any ransomware attack by looking at the file extension ".crypted"; if not, it doesn't raise the alert in the MDATP security center.
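To check whether the settings the replies above name (Block at First Sight, the ASR rules, cloud-delivered protection level) really are identical on every test workstation, here is an added PowerShell script that snapshots the effective Defender configuration on one machine and diffs two snapshots. It is not from this thread or from the Ransomware-Simulator project; the cmdlets and property names are the real Defender ones, and the GUID is Microsoft's documented id for the "Use advanced protection against ransomware" ASR rule.

```powershell
# Documented ASR rule id: "Use advanced protection against ransomware".
$RansomwareAsrRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
# Get-MpPreference encodes ASR actions as integers.
$AsrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-DefenderRansomwareReadiness {
    $pref   = Get-MpPreference        # effective policy, including Intune-pushed values
    $status = Get-MpComputerStatus    # runtime state and engine/signature versions

    # Map each configured ASR rule id to the name of its action.
    $asr = @{}
    $ids = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $asr[([string]$ids[$i]).ToLower()] = $AsrAction[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    }

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        BlockAtFirstSight      = -not $pref.DisableBlockAtFirstSeen
        CloudBlockLevel        = $pref.CloudBlockLevel       # 0 default, 2 high, 4 high+, 6 zero tolerance
        MapsReporting          = $pref.MAPSReporting         # Block at First Sight requires 2 (advanced)
        SampleSubmission       = $pref.SubmitSamplesConsent  # Block at First Sight requires 1 or 3
        ControlledFolderAccess = $pref.EnableControlledFolderAccess
        RansomwareAsrRule      = if ($asr.ContainsKey($RansomwareAsrRule)) { $asr[$RansomwareAsrRule] } else { 'NotConfigured' }
        AsrRulesConfigured     = $asr.Count
        EngineVersion          = $status.AMEngineVersion
        SignatureVersion       = $status.AntivirusSignatureVersion
    }
}

# Compare two saved snapshots and list only the settings that differ.
function Compare-DefenderSnapshot([string]$PathA, [string]$PathB) {
    $a = Get-Content $PathA -Raw | ConvertFrom-Json
    $b = Get-Content $PathB -Raw | ConvertFrom-Json
    foreach ($name in $a.PSObject.Properties.Name) {
        if ("$($a.$name)" -ne "$($b.$name)") {
            [pscustomobject]@{ Setting = $name; MachineA = $a.$name; MachineB = $b.$name }
        }
    }
}

# Run on each test workstation, then copy the JSON files together and diff them.
Get-DefenderRansomwareReadiness | ConvertTo-Json | Set-Content "$env:COMPUTERNAME-defender.json"
```

If the diff is empty apart from the Computer, EngineVersion and SignatureVersion rows, the inconsistent alerts are not explained by local policy, and the remaining differences to look at are engine/signature level and cloud connectivity.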