Anti-Ransomware
Anti-Ransomware is a behavioral detection engine that attempts to detect malicious encryption of your files and documents. If ransomware is detected, the entire attack can be automatically remediated, and encrypted files restored from a secure backup.
Anti-Ransomware Files
Anti-Ransomware creates honeypot files on client computers. It stops the attack immediately after it detects that the ransomware modified the files.
The files are in these folders that Anti-Ransomware creates:
/Volumes
/Users/Shared
/Users/<User>
/Users/<User>/Documents
You can identify these folders by the lock icon that is associated with the name of the folder.
The file names include these strings, or similar:
CP
CheckPoint
Check Point
Check-Point
Harmony Endpoint
Harmony Zero-Day
Endpoint
You can open and look at the files. They are real documents, images, videos, and music.
If a file is deleted, it is automatically recreated after the next system boot.
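The honeypot approach described above can be sketched as a small integrity monitor: plant decoys, record a baseline, then flag any decoy that was modified or has gone missing. This is an added illustration, not Check Point's code; the decoy names and contents and the functions plant, check and recreate_missing are assumptions, and the product's actual detection logic is not described on this page.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed decoys (names reuse strings from the list above; contents are made up).
DECOYS = {
    "CheckPoint-budget.docx": b"constructed decoy document\n",
    "Harmony Endpoint-photo.jpg": b"constructed decoy image\n",
}

def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant(folder: Path) -> dict:
    """Write the decoys into folder and return a name -> SHA-256 baseline."""
    folder.mkdir(parents=True, exist_ok=True)
    for name, content in DECOYS.items():
        (folder / name).write_bytes(content)
    return {name: digest(folder / name) for name in DECOYS}

def check(folder: Path, baseline: dict) -> dict:
    """Classify decoys as modified or missing and list files that do not belong."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in baseline.items():
        path = folder / name
        if not path.is_file():
            report["missing"].append(name)      # deleted or renamed
        elif digest(path) != expected:
            report["modified"].append(name)     # content changed: the trigger event
    report["unexpected"] = sorted(
        p.name for p in folder.iterdir() if p.name not in baseline)
    return report

def recreate_missing(folder: Path, baseline: dict) -> list:
    """Put back deleted decoys (the page says the product does this at next boot)."""
    restored = [n for n in baseline if not (folder / n).exists()]
    for name in restored:
        (folder / name).write_bytes(DECOYS[name])
    return restored

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "decoys"
        baseline = plant(folder)
        # Simulate tampering: overwrite one decoy, rename the other.
        (folder / "CheckPoint-budget.docx").write_bytes(b"\x00\x01 scrambled")
        (folder / "Harmony Endpoint-photo.jpg").rename(
            folder / "Harmony Endpoint-photo.jpg.locked")
        print(check(folder, baseline))
        print("recreated:", recreate_missing(folder, baseline))
```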
Anti-Ransomware Restoration
In "Forensics", you can see details of which files were restored and deleted during the restoration.
- See which files were restored in the Business Impact section.
- See which files were deleted in the Remediation section.

- Right-click the Endpoint Security icon in the taskbar notification area and select Show Client.
  The Endpoint Security Home Page opens.
- Click Menu and select Overview.
- Click Anti-Ransomware, Behavioral Guard, and Forensics.
- In the Analyzed cases table, click Restore Files in the row of the relevant incident.
  The Anti-Ransomware Restoration window opens.
- Click Restore to start the restoration process.
  If you see a note that the files were already restored, click Cancel. It is not necessary to restore the files again.
- In the Restore Step 1 of 2 window:
  - Select the location to place the restored files:
    - Restore files to the original location (default)
    - Restore to selected location - If you select this, you are prompted to select the location.
  - Delete files created by the attack, including encrypted files - This is selected by default. Clear it if you do not want to delete the files.
  - Click Next.
- In the Restore Step 2 of 2 window, click Restore to start the process.
  The Endpoint Security Restoration window opens and shows the files that were restored and where they are located.
- Click Close.