Third Wall Protection

All BizCare clients include Third Wall, an additional layer of security that we primarily use for ransomware monitoring. https://www.threatlocker.com/platform/third-wall

Official Third Wall Help

The Knowledge Base for Third Wall can be found here: https://threatlocker.kb.help/

Official Operations Manual

How ransomware monitoring works

Third Wall places "bait files" on the computer in areas that are commonly targeted by ransomware attacks. There are several such files, with names such as "A-ThirdWall", in the user's Documents directory. If any of these files are modified, the device is sent into a lockdown mode in which it can only communicate with our BizCare and RemoteCare servers. Within 1-5 minutes of this happening, we should receive an automatically generated support ticket in SupportPal in the BizCare -> Ransomware department. This department is available to all BizCare technicians.
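To show how bait-file (canary) detection works in general, here is an added illustrative PowerShell monitor. It is not Third Wall's code and does not reproduce its lockdown behaviour: it plants one bait file in the current user's Documents folder, records a baseline hash, and logs a warning whenever the file is written to, renamed or deleted. The file name "A-ThirdWall.txt" and the log path under %TEMP% are assumptions chosen for this example.

```powershell
# Illustrative canary-file monitor (added example; not Third Wall's own implementation).
# Assumptions for this example: the bait file name and the log path below are placeholders.
$docs     = [Environment]::GetFolderPath('MyDocuments')
$baitName = 'A-ThirdWall.txt'
$baitPath = Join-Path $docs $baitName
$logPath  = Join-Path $env:TEMP 'canary-alerts.log'

# Plant the bait file once. Its content does not matter; only changes to it matter.
if (-not (Test-Path $baitPath)) {
    Set-Content -Path $baitPath -Value 'Do not modify this file. It is used for ransomware detection.'
}
$baseline = (Get-FileHash -Path $baitPath -Algorithm SHA256).Hash

# Watch only the bait file, for the kinds of change an encryption run produces:
# content overwritten (LastWrite/Size), file renamed to a new extension, or deleted.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path   = $docs
$watcher.Filter = $baitName
$watcher.NotifyFilter = [System.IO.NotifyFilters]'LastWrite, FileName, Size'
$watcher.EnableRaisingEvents = $true

# Event handler: append one line per event to the log and surface it on the console.
# $Event.MessageData carries the log path passed at registration time.
$action = {
    $e    = $Event.SourceEventArgs
    $line = '{0:u} canary {1}: {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
    Add-Content -Path $Event.MessageData -Value $line
    Write-Warning $line
}

$subs = foreach ($ev in 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $ev -MessageData $logPath -Action $action
}

Write-Host "Watching $baitPath (baseline SHA256 $baseline). Press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Clean up the subscriptions and the watcher when the script is stopped.
    $subs | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
    $watcher.Dispose()
}
```

Editing the bait file in Notepad, or renaming it, produces a log line such as `canary Changed: C:\Users\...\Documents\A-ThirdWall.txt`. A production product would act on that event (Third Wall isolates the device to the BizCare and RemoteCare servers and raises a ticket); this script only records it.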

Dealing with a ransomware trigger

Investigate

  1. Identify the computer that sent the alert
  2. Contact the customer and let them know that their computer triggered a ransomware alert. Have them describe what they were doing on the computer prior to the alert. Usually, the customer will remark that they were "curious what those files were" or say "I was moving some files and then I lost internet access", or something similar; if this is the case, then the alert was most likely a false alarm.
  3. Do a scan with their Antivirus agent.
  4. If the scan is clean, proceed to remove the lockdown.
  5. If the scan is not clean, or if the customer was not interacting with the computer prior to the alert, shut down the computer and instruct the customer that there is likely a ransomware infection on their device and that we would like to have it in our possession to make an image backup and remove the infection. Dispatch a technician depending on the customer's level of BizCare for this device.

Remove infection

TBD

Remove lockdown

Once the infection has been cleaned and we are sure that the customer's device is safe, or if the alert was a false alarm, proceed to remove the lockdown.

  1. Login to the BizCare Control Center
  2. Navigate to the locked-down computer in the Client's list of computers and double-click on the computer to open its Information page.
  3. On the tabs along the top of the device information page, click the "Plugins" tab
  4. Click the "Third Wall" card
  5. Scroll down on the Third Wall window and click "Restore Network"
  6. This process may take anywhere from 1-5 minutes. Do not click the button more than once.
  7. Once the network is restored, the remote session for the computer should come back online and the customer should be able to continue with network-based activities as normal.
  8. Verify that there are no lingering issues, then make a note on the ransomware support ticket indicating the steps you took to resolve, and close the ticket.

Remove lockdown manually

Occasionally it may be necessary to remove the lockdown manually, for example if the BizCare client isn't running properly or the computer can't connect to our server.

On the affected computer, first search for and remove any ransomware as outlined above, then run the following two commands in an administrative terminal:

  1. netsh ipsec static set policy name="Third Wall Isolation" assign=NO
  2. netsh ipsec static delete policy name="Third Wall Isolation"
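For technicians who prefer a single script, here is an added PowerShell wrapper around the two netsh commands above. It is not Third Wall's or BizCare's tooling: it checks that the "Third Wall Isolation" IPsec policy actually exists before touching anything, runs the unassign and delete steps from the manual, and confirms afterwards that the policy is gone. The presence check parses the text output of `netsh ipsec static show policy all`, which is an assumption about that output's format.

```powershell
#Requires -RunAsAdministrator
# Added example (not Third Wall's own tooling): remove the isolation policy only if present,
# then verify. The policy name is the one given in the manual above.
$policyName = 'Third Wall Isolation'

function Test-IsolationPolicy {
    # netsh prints every static IPsec policy as text; treat the policy as present when
    # its name appears anywhere in that output. (Assumption: no other policy shares the name.)
    $out = netsh ipsec static show policy all 2>&1 | Out-String
    return ($out -match [regex]::Escape($policyName))
}

if (-not (Test-IsolationPolicy)) {
    Write-Host "No '$policyName' IPsec policy found; nothing to remove."
    return
}

# Step 1 (from the manual): unassign the policy so its filters stop applying.
netsh ipsec static set policy name="$policyName" assign=NO
# Step 2 (from the manual): delete the policy definition.
netsh ipsec static delete policy name="$policyName"

if (Test-IsolationPolicy) {
    Write-Warning "Policy '$policyName' is still present. Re-run the two netsh commands by hand and note it on the ticket."
} else {
    Write-Host "Isolation policy removed. Confirm connectivity before closing the ticket."
}
```

After the script reports success, confirm that the BizCare client reconnects to the Control Center and that ordinary network access works, then record the manual removal on the ransomware ticket as in step 8 above.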