Ransomware Protection
Ransomware Protection is compatible with CipherTrust Manager v2.12 and subsequent versions.
Steps to create GuardPoints on individual clients and client groups are similar. GuardPoints can be created on the GuardPoints tab of individual clients and client groups.
Using Ransomware Protection GuardPoints to protect Network Shares is compatible with CipherTrust Manager v2.14 and subsequent versions.
To create an RWP GuardPoint:

1. Open the Transparent Encryption application.

2. Select the client or client group on which you want to create a GuardPoint:
   - Click an RWP-enabled client under the Client Name column (Clients > Clients). These are the clients with RWP or CTE RWP as the Protection Mode.
   - Click a client group under the Client Group Name column (Clients > Client Groups).

3. On the GuardPoints tab, click Create GuardPoint.

   When creating an RWP GuardPoint (for volumes, without encryption), you do not need to specify a CTE policy, so for clients with the RWP protection mode the Policy field is unavailable.

   On clients with the CTE RWP protection mode (for GuardPoints, with encryption), you can create RWP GuardPoints as well as other types of GuardPoints with policies, so the Policy field is available for such clients. Although the field is available, do not select any policy when creating an RWP GuardPoint.

   Refer to Protection Modes for information on CTE protection modes.

4. (For clients with the CTE RWP protection mode) Select Ransomware Protection as the Type of device to protect. This is a mandatory field.

   For clients with the RWP protection mode, Ransomware Protection is the default Type and cannot be modified.

5. Specify the Path (volume or network share) to be protected. This is a mandatory field. The options to specify the GuardPoint paths are:

   - Enter/Browse Path: Select this option, and enter the volume path (for example, C:\, D:\, or a shared volume) by either typing it or clicking the Browse button.

     Note
     - Ransomware Protection GuardPoints are applied at the volume level. Even if you specify the path of a folder or a file, the GuardPoint is applied to the whole volume.
     - If you specify a network share, all network shares mounted subsequently are also protected.
     - A CTE client administrator can configure protection of all existing volumes and mount points, and of those added to the client subsequently.

     A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.

     Browse Method

     Click Browse to select the volume by browsing the client file system. This method prevents typographical errors and verifies client availability. It is the recommended method for specifying individual paths. The file system of a client that is not registered with the CipherTrust Manager cannot be browsed.

     a. In the Enter Path field, specify the volume path. Alternatively, in the Select Path field, select the path from the on-screen file system browser, and click Select Path.
     b. Click Add.

     Manual Method

     Alternatively, if you know the volume, enter it manually in the given text box. Enter one volume per line. If a manually entered path does not yet exist, check that you entered the path correctly: the CipherTrust Manager does not parse manually entered paths for correct syntax.

   - Upload CSV: Select this option and click Browse to upload a CSV file containing the list of one or more paths. This is the recommended method for specifying a large number of paths in one step.

6. Click Create. A message appears prompting you to confirm the reuse of these GuardPoint settings on another path.

   - Click Yes to use the same settings on another path. The Use Settings on Another Path dialog box is displayed. Perform the following steps:
     a. In the Enter Path field, specify the path. Alternatively, in the Select Path field, select the path from the on-screen file system browser, and click Select Path.
     b. Click Add Path. The newly added path appears under the Paths list on the left. Add as many paths as required in the same way.
     c. Click OK.

   - Click No if you do not want to use the same settings on another path.

7. To check the GuardPoint status, type:

   secfsd -status guard
Setting Ransomware Protection Sensitivity
The sensitivity level determines how comprehensive the result list will be. The sensitivity level ranges from 1 to 10, where 1 is the least sensitive and allows more suspicious behavior to pass through undetected, and 10 is the most sensitive and allows the least suspicious behavior to pass through undetected.
There are three settings available for the sensitivity of the ransomware protection:
Monitor Mode
Monitor mode generates a list of suspicious incidents. If you set a low sensitivity level, more files will be encrypted before a given ransomware is detected. If you set a high sensitivity level, throughput may be affected and the list may contain more false positive results.

Sensitivity is set to a default of 8 at installation because that score produces relatively few false hits. False hits look just like ransomware for brief moments. Increasing the level to the maximum of 10 should not produce noticeably different results. You can increase or decrease the sensitivity; if you see many false positive results, decrease the sensitivity to eliminate them.
Block Mode
Block mode blocks the relevant suspicious behaviors. Sensitivity is also set to a default of 8 at installation for Block mode. In Block mode, you can only increase the sensitivity.
Disable Mode
Disable mode disables Ransomware Protection for all GuardPoints on the clients linked with this profile. Therefore, it has nothing to log.
See Disabling Ransomware Protection for more information.
Disable mode is only available with CipherTrust Manager v2.15 and subsequent versions.
Setting the Sensitivity Level
To adjust the sensitivity:

1. Initially, set the operation mode to Monitor when you create your Ransomware Protection profile.

2. To set the sensitivity level, type:

   voradmin rwp sensitivity [1 through 10]

3. To check the current sensitivity level, if it is not known, type:

   voradmin rwp sensitivity get

4. After the list is generated, add the false positive entries to your process set to exempt them from future monitoring.

5. When false positives are no longer reported, set the operation mode to Block to block the relevant suspicious behaviors, keeping the same sensitivity level.