Anti-Ransomware Backup Settings

When Anti-Ransomware is enabled, it constantly monitors files and processes for unusual activity. Before a Ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location.

Define settings for Anti-Ransomware backup and restoration.

General Anti-Ransomware Settings

• Enable Anti-Ransomware - This is selected by default. To disable Anti-Ransomware, clear it.
• Automatic restore and remediate - When selected, Anti-Ransomware automatically starts remediation after a Ransomware attack. It deletes files created by the attack and restores the original files.

  When this is not selected, users must start the restoration from the client computer. See Manual Anti-Ransomware Restoration.

  • Restore to selected location - By default, files are restored to their original location. To restore files to a different location, click Choose location. Each time files are automatically restored, they will be put in this configured location.

Backup Settings

Anti-Ransomware automatically backs up files before they are affected by a Ransomware attack. You can add files, processes, and certificates to the exclusion list to exclude them from backups.

• Anti-Ransomware Maximum backup size on disk - Set the maximum amount of storage for Anti-Ransomware backups. Best practice is to allow 1 GB.
• Backup Time Interval - Within this time interval, each file is only backed up one time, even if it is changed multiple times.
• Change default file types to be backed up - Click this to see a list of file types that are included in the Anti-Ransomware backup files. You can add or remove file types from the list and change the Maximum Size of files that are backed up.

To add exclusions from Anti-Ransomware backups:

1. From a SandBlast Agent Forensics and Anti-Ransomware rule in the Policy, right-click the Anti-Ransomware Backup Settings action and select Edit Shared Action.
2. Click Add exclusion.
3. In the window that opens select Folder, Process, or Certificate.
   • Folder - To exclude all files in a folder, enter the Folder Name or browse to it.
     • Optional: Select Include all sub folders to exclude all files contained in all sub folders.
   • Process - To exclude an executable. You can also include Certificate information.
     • In Process name, enter the name of the executable.
     • Optional: Enter more information in the fields shown Signer is the company that signs the certificate. The more information you enter, the more specified the exclusion will be.
   • Certificate - To exclude processes based on the company that signs the certificate, for example, Google.
     • In Certificate Data, enter a name of company that signs certificates, or browse to add a certificate file.
4. Click OK.
5. The exclusion is added to the Exclusions list.

Manual Anti-Ransomware Restoration

If you select Automatic restore and remediate in the Anti-Ransomware Backup Settings Action, Anti-Ransomware automatically starts remediation after a Ransomware attack.

If you do NOT select Automatic restore and remediate, end-users must start restoration manually on the client computer after a Ransomware attack.

Best practice is to guide users through the process and instruct them what to select when there is more than one option.

Anti-Ransomware Restoration

In the SandBlast Agent Forensics Analysis Report, you can see details of which files restored and deleted during the restoration.

• See which files were restored in the Business Impact section.
• See which files were deleted in the Remediation section.

To run Anti-Ransomware restoration from a Windows client computer:

1. Right-click the Endpoint Security icon in the taskbar notification area and select Display Overview.

   The Endpoint Security Main Page opens.

2. Click Forensics and Anti-Ransomware .
3. In the Analyzed cases table, click Restore Files in the row of the relevant incident.

   The Anti-Ransomware Restoration windows open.

4. Click Restore to start the restoration process.

   If you see a note that the files were already restored, click Cancel. It is not necessary to restore the files again.

5. In the Restore Step 1 of 2 window:
   1. Select the location to place the restored files:
      • Restore files to the original location (default)
      • Restore to selected location - If you select this, you are prompted to select the location.
   2. Delete files created by the attack, including encrypted files - This is selected by default. Clear it if you do not want to delete the files.
   3. Click Next.
6. In the Restore Step 2 of 2 window, click Restore to start the process.

   The Endpoint Security Restoration window opens and shows the files that were restored and where they are located.

7. Click Close.