Ransomware Protection
Note
- Ransomware Protection for Windows is compatible with CipherTrust Manager v2.12 and subsequent versions.
- Ransomware Protection for Linux is compatible with CipherTrust Manager v2.17 and subsequent versions.
Setting Ransomware Protection GuardPoints
Steps to create GuardPoints on individual clients and client groups are similar. GuardPoints can be created on the GuardPoints tab of individual clients and client groups.
To create a Ransomware Protection GuardPoint:
- In CipherTrust Manager, open the Transparent Encryption application.
- Select the client or client group on which you want to create a GuardPoint:
  - Click a Ransomware Protection-enabled client under the Client Name column (Clients > Clients). These are the clients whose protection mode is either Ransomware Protection or CTE Ransomware Protection.
  - Click a client group under the Client Group Name column (Clients > Client Groups).
- On the GuardPoints tab, click Create GuardPoint.
  Note
  Once Ransomware Protection is enabled during CTE registration, Ransomware Protection is applied to all GuardPoints.
  Ransomware Protection is supported in two Protection Modes:
  - RWP: In CipherTrust Manager, when creating a GuardPoint, you cannot assign a policy; the type is automatically set to Ransomware Protection Only.
  - CTE-RWP: On clients in CTE RWP mode, you can create a Ransomware Protection GuardPoint set to Ransomware Protection Only, as well as other types of GuardPoints that use policies. On Linux, Ransomware Protection is also available for those other GuardPoints if they are set on a directory.
- Specify the Path to be protected. This is a mandatory field. The options for specifying GuardPoint paths are:
  - Enter/Browse Path: Select this option, and enter the path either by typing it or by clicking the Browse button.
    Note
    - For CTE Windows, Ransomware Protection GuardPoints are applied at the volume level. Even if you specify the path of a folder or a file, the GuardPoint will be applied at the volume level.
    - For CTE Linux, Ransomware Protection is applied at the GuardPoint level.
    - If you specify a network share, all network shares mounted subsequently will also be protected.
    - A CTE client administrator can configure protection of all existing GuardPoints, and of those added to the client subsequently.
    - A maximum of 200 GuardPaths can be specified using the Enter/Browse Path option.
    - Click Browse to select the path by browsing the client file system. This method prevents typographical errors and verifies client availability, and is the recommended method for specifying individual paths. Note that the client must be registered with CipherTrust Manager in order to browse its file system.
      - In the Enter Path field, specify the path. Alternatively, in the Select Path field, select the path from the on-screen file system browser, and click Select Path.
      - Click Add.
    Alternatively, if you know the path, enter it manually in the text box, one path per line.
  - Upload CSV: Select this option and click Browse to upload a CSV file containing one or more paths. This is the recommended method for specifying a large number of paths in one step.
    Note
    If a manually entered path does not yet exist, check that you entered the path correctly. CipherTrust Manager does not parse manually entered paths for correct syntax.
- Click Create. A message appears prompting you to confirm the reuse of these GuardPoint settings on another path.
  - Click Yes to use the same settings on another path. The Use Settings on Another Path dialog box is displayed. Perform the following steps:
    - In the Enter Path field, specify the path. Alternatively, in the Select Path field, select the path from the on-screen file system browser, and click Select Path.
    - Click Add Path. The newly added path appears under the Paths list on the left. Add as many paths as required in the same way.
    - Click OK.
  - Click No if you do not want to use the same settings on another path.
- To check the GuardPoint status, type:
  secfsd -status guard
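Both the Enter/Browse Path text box and the CSV upload take one path per line, CipherTrust Manager does not check manually entered paths, and Enter/Browse Path accepts at most 200 paths. The following shell script is an added example, not part of the CipherTrust documentation or product, that pre-checks such a list on the client before it is pasted or uploaded: it flags relative paths, duplicates, paths that do not exist on the client, and lists longer than 200 entries. The MAX_PATHS constant and the status labels it prints are this example's own conventions; run it on the client whose file system the paths refer to.

```shell
#!/bin/sh
# Added example, not CipherTrust product code: pre-check a one-path-per-line
# list on the client before entering it in Enter/Browse Path or uploading it
# as a CSV. The 200 limit is the documented Enter/Browse Path maximum; the
# status labels printed here are this example's own convention.
MAX_PATHS=200

# validate_path_list FILE
# Prints "status<TAB>path" for each entry and returns 0 only when every
# entry is an absolute path that exists, with no duplicates and no more
# than MAX_PATHS entries.
validate_path_list() {
    file=$1
    count=0
    status=0
    seen="|"
    # The "|| [ -n "$p" ]" keeps a final line that lacks a trailing newline
    while IFS= read -r p || [ -n "$p" ]; do
        [ -z "$p" ] && continue            # skip blank lines
        count=$((count + 1))
        case "$p" in
            /*) ;;                         # absolute path, as expected
            *)  printf 'not-absolute\t%s\n' "$p"; status=1; continue ;;
        esac
        case "$seen" in
            *"|$p|"*) printf 'duplicate\t%s\n' "$p"; status=1; continue ;;
        esac
        seen="$seen$p|"
        if [ -d "$p" ]; then
            printf 'ok\t%s\n' "$p"
        elif [ -e "$p" ]; then
            # Exists but is not a directory: reported for review, not fatal
            printf 'not-a-directory\t%s\n' "$p"
        else
            # CipherTrust Manager will not catch a mistyped path for you
            printf 'missing\t%s\n' "$p"; status=1
        fi
    done < "$file"
    if [ "$count" -gt "$MAX_PATHS" ]; then
        printf 'too-many\t%d entries (limit %d)\n' "$count" "$MAX_PATHS"
        status=1
    fi
    return "$status"
}

# Usage: validate_paths.sh guardpaths.txt
if [ $# -gt 0 ]; then
    validate_path_list "$1"
fi
```

A non-zero exit means the list needs attention before it goes into CipherTrust Manager; the tab-separated output can be filtered with grep to see only the failing entries.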
Setting Ransomware Protection Sensitivity
The sensitivity level determines how comprehensive the result list will be. The sensitivity level range is 1-10 where 1 is the least sensitive, so it allows more suspicious behavior to pass through. Conversely, 10 is the most sensitive, so it allows less suspicious behavior to pass through undetected.
There are three settings available for the sensitivity of the ransomware protection:
Monitor Mode
Monitor mode generates a list of suspicious incidents. If you set a low sensitivity level, more files will be encrypted before a given ransomware is detected. If you set a high sensitivity level, throughput may be affected and the list may contain more false positives.
Sensitivity is set to a default of 8 at installation because that score produces relatively few false hits. False hits are processes that look just like ransomware for brief moments. Increasing the level to the maximum of 10 should not produce markedly different results. You can increase or decrease the sensitivity; if you see many false positives, decrease the sensitivity to eliminate them.
Block Mode
Block mode blocks the relevant suspicious behaviors. Sensitivity is also set to a default of 8 at the time of installation for Block mode. In Block mode, you can only increase the sensitivity.
Disable Mode
Disable mode disables Ransomware Protection for all GuardPoints on the clients linked with this profile. Therefore, it has nothing to log.
See Disabling Ransomware Protection for more information.
Note
Disable mode is only available with CipherTrust Manager v2.15 and subsequent versions (Windows only).
Setting the Sensitivity Level
To adjust the sensitivity:
- In CipherTrust Manager, set the initial operation mode to Monitor when you configure Ransomware Protection (see Setting Ransomware Protection Configuration).
- Set the sensitivity level, type:
  voradmin rwp sensitivity [1 through 10]
- If the current sensitivity level is not known, check it by typing:
  voradmin rwp sensitivity get
- After the list is generated, add the false-positive entries to your process set to exempt them from future monitoring.
- When false positives are no longer reported, set the operation mode to Block to block the relevant suspicious behaviors, and keep the sensitivity level unchanged.
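The rules stated above (levels 1 through 10, Monitor first, Block mode allowing only increases) can be enforced before the voradmin command is run. This shell script is an added example, not part of the CTE product or its documentation: it validates the requested level, applies the Block-mode rule against the level reported by "voradmin rwp sensitivity get", and only then calls "voradmin rwp sensitivity". The RWP_CMD variable is this example's own hook for substituting the binary, and the script assumes the get subcommand prints just the numeric level; if your agent prints more, adjust current_level accordingly.

```shell
#!/bin/sh
# Added example, not CTE product code: guard the documented sensitivity rules
# before touching the agent. Levels are 1-10; in Block mode the level may
# only be raised. RWP_CMD is this example's own hook so the real voradmin
# binary can be replaced for a dry run.
RWP_CMD=${RWP_CMD:-voradmin}

# valid_level N -> 0 if N is an integer from 1 to 10
valid_level() {
    case "$1" in
        [1-9]|10) return 0 ;;
        *)        return 1 ;;
    esac
}

# change_allowed MODE CURRENT NEW -> 0 if the documented rules permit it:
# Monitor mode may move in either direction, Block mode may only increase.
change_allowed() {
    mode=$1; cur=$2; new=$3
    valid_level "$new" || return 1
    valid_level "$cur" || return 1
    case "$mode" in
        [Mm]onitor) return 0 ;;
        [Bb]lock)   [ "$new" -ge "$cur" ] ;;
        *)          return 1 ;;   # Disable mode has no level to set
    esac
}

# current_level -> the level reported by the agent. Assumption: the "get"
# subcommand prints only the number; anything else is stripped just in case.
current_level() {
    "$RWP_CMD" rwp sensitivity get | tr -dc '0-9'
}

# set_level MODE NEW -> applies NEW when change_allowed permits it
set_level() {
    mode=$1; new=$2
    cur=$(current_level)
    if change_allowed "$mode" "$cur" "$new"; then
        "$RWP_CMD" rwp sensitivity "$new"
    else
        printf 'refused: mode=%s current=%s requested=%s\n' \
            "$mode" "$cur" "$new" >&2
        return 1
    fi
}

# Usage: set_sensitivity.sh <Monitor|Block> <1-10>
if [ $# -eq 2 ]; then
    set_level "$1" "$2"
fi
```

Keeping the rule check in change_allowed, separate from the command invocation, makes it easy to test without an agent installed and to extend if a later release changes the permitted transitions.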