Hermetic Wiper: ThreatLocker Recommended Policy

2 min. read | last update: 03.01.2022

A malware strain called Hermetic Wiper has been identified. This malware does not encrypt data; it is destructive malware that corrupts hard drives. ThreatLocker has identified the file hashes for this malware and made them into a Built-In application.

Devices in a secure state will automatically block this file from executing, as they would any other file, without an application and policy.

For convenience, ThreatLocker has also created a suggested policy to help protect devices that are currently not in a secured state.

Note: If managing multiple tenants, ThreatLocker suggests placing this on the highest level (Global) to protect all applicable organizations under your parent organization.

To set up this policy, navigate to the ‘Application Control’ page in the ‘Modules’ dropdown, then select the ‘Policies’ tab in the top right corner of the page. 

On the ‘Application Control Policies’ page, select the hamburger menu in the top left corner of the screen, located to the right of the ‘New Tag’ button. Selecting the button will open a menu titled ‘Policy Management’. Select the option ‘ThreatLocker Suggested Policies’ from the menu.

Selecting ‘ThreatLocker Suggested Policies’ will open a new window displaying all the recommended ThreatLocker policies. 

At the top of this window is a section labeled ‘Select target Organizations or Groups to insert selected policies’. Here, you can either use the dropdown arrows beside the organization names to find your desired group, or enter the group name in the search bar. For this example, we will be applying it to the global level.

Once your desired group is selected, navigate to the search bar to the right of the ‘Filter By’ dropdown and enter ‘hermetic’, or locate the policy named ‘Hermetic Wiper – DENY’ in the list of policies. Select the policy, then select the button labeled ‘Add 1 Suggested Policy’ to add it to the designated group.

ThreatLocker also suggests moving this policy strictly into a ‘Secured’ state, meaning that it will override any devices currently in Learning or Monitor mode. Select the dropdown menu under ‘Status’ to change this policy from its default ‘Inherit’ status to ‘Secured’. 

You will need to deploy policies for all Organizations in order for this to take effect. 

If you need help with deploying policies at a Global level, please refer to the following article: 
