KB Article | Forcepoint Support

Problem Description

On May 12, 2017, a significantly widespread malware outbreak known as the WannaCry worm was identified.  This article will highlight the key steps to help protect this threat from your Forcepoint AP-Email, Email Security Gateway, or Cloud Email Security products.


Forcepoint AP-Email or Email Security Gateway

Forcepoint has a specific virus signature in place for the WannaCry (WCry, and WannaCrypt0r 2.0) worm that came to light starting May 12, 2017.  For your Forcepoint AP-Email on premises system to be fully protected it is critical that you have the most recent databases downloaded.

Look to see if the databases are current:
  1. Log on to TRITON Manager and click Email.
  2. On the Settings menu, click General, and then click Database Downloads.
  3. Check the Cyren or Authentium databases and ensure the databases are showing up to date under Latest Definition and Last Update Status. All of the other databases should be showing up to date, however some will have older dates.
User-added image

Note Upgrading AP-Email to version 8.2 and apply HF2 or later includes the additional protection of the "Yara" scanning engine. Details of upgrading your version of AP-Email (and ESG) can be found on the Upgrade Centers page.

Make sure the URL Analysis rule is enabled and on all policies:
  1. On the Main menu, click Policy Management, click an Inbound Policy, under the Rules menu click on URL Analysis, and then under the Action menu click the Edit button.
  2. Check that the Action taken when a message triggers a filter is set to Drop Message.
  3. You can also prevent Personal Email Message (PEM) users from releasing URL filtered emails by setting the Personal Email Manager end-user portal options to Do not display or Message log only.
URL Rules in policy
URL actions

Hide the actual URL from end-users:
  1. On the Main menu, click Policy Management, click an Inbound Policy, under the Rules menu click on URL Analysis, and then under the Filter menu click the Edit button.
  2. Under the Filter Properties menu, select the box next to Replace matching URLS with: and then enter in a URL that would re-direct to a webpage explaining why the website is at risk.
URL filter options

Cloud Email Security 
In the Cloud Email Security (CES) product, the databases are constantly updated. However, additional protection can be gained by opening each policy in your cloud email account and clicking the AntiVirus tab, then selecting Quarantine all messages containing encrypted archive files and Quarantine all encrypted messages.

If you are using the CES product and you have the URL Sandboxing add-on license, you can gain additional protection by turning on URL Sandboxing. Open each policy in your cloud account and click the URL Sandboxing tab.  Make sure Analyze suspicious URLs is selected, and for maximum protection clear the box next to Allow the recipient to follow links to unclassified URLs.

Keywords: email blocking; quarantine; cloud email issue; encryption file issue; malware detection issue

Article Feedback

Thank you for the feedback and comments.