Ransomware Protection

Ransomware Protection allows detection of processes that attempt to encrypt user files using known algorithm that defines processes as a security threat. Ransomware is one of these processes. When entering a computer such malicious programs block access to user data and then demand ransom for decryption. They are considered among the most common malicious programs and cause great annual losses both to companies and ordinary users. The most common way of getting infected are bulk emails containing malicious files or a link to malware.

According to Doctor Web statistics, probability of restoring files compromised by encryption ransomware is only 10%, that is why the most efficient way of fighting it is to prevent the infection. Recently the number of users that have suffered such infection has decreased. However, the number of Dr.Web technical support requests for decryption reaches 1000 every month.

To enable or disable Ransomware Protection

1.Open Dr.Web menu Dr.Web icon, then select Security Center.

2.In the open window, click Preventive Protection tile.

3.Enable or disable Ransomware Protection by using the switcher .

Note

Depending on settings of your provider, the switcher can enable or disable all the components of Preventive Protection at the same time.

 

Figure 56. Enabling/Disabling Ransomware Protection

In this section:

Configuring reaction to application attempts to encrypt files

Scan exclusions

Dr.Web reaction to application attempts to encrypt a file

To configure Ransomware Protection parameters

1.Make sure Dr.Web operates in administrator mode (the lock at the bottom of the program window is open ). Otherwise, click the lock .

2.Click the Ransomware Protection tile. A component parameter window opens.

3.In the drop-down menu, select an action to be applied to all applications.

Note

The component parameters can be adjusted if the provider enables this option.

 

Figure 57. Selecting Dr.Web reaction

Allow—all the applications are allowed to modify user files.

Block—all the applications are not allowed to encrypt user files. This mode is enabled by default. When an application attempts to encrypt the user files following notification will be shown:

Figure 58. Notification example with a blocked application attempt to modify user files

Ask—when an application attempts to encrypt a user file, a notification appears, where you can prevent the encryption or ignore it:

Figure 59. Notification example with an application attempt to modify user's files

When clicking Fix button the process is blocked and moved to quarantine. Even if the application is restored from the quarantine it cannot be launched until the computer restart.

If you close the notification window, the application will not be neutralized.

Note

Depending on settings of your provider, the Allow mode can be also available. In such a mode, all the applications are allowed to modify user files.

Receiving notifications

If necessary, you can configure desktop and email notifications on Ransomware Protection actions.

See also:

Notifications

List of applications, excluded from the scanning

Note

Depending on settings of your provider, you may have an option to configure Ransomware Protection reaction on actions of certain applications. For this, add applications to the list and select a necessary reaction of the component.

You can create a list of applications, excluded from Ransomware Protection scanning. The following management elements are available to work with objects in the list:

The Add button—add the application to the exclusion list.

The Delete button—delete the application from the exclusion list.

Figure 60. Excluding from Ransomware protection scanning

To add an application to the list

1.Click Add and select a necessary application in the open window.

2.Click OK.

To protect your data from unauthorized changes, you can also add files to the list of protected files.