When Anti-Ransomware is enabled, it constantly monitors files and processes for unusual activity. Before a Ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location.
Define settings for Anti-Ransomware backup and restoration.
General Anti-Ransomware Settings
When this is not selected, users must start the restoration from the client computer. See Manual Anti-Ransomware Restoration.
Backup Settings
Anti-Ransomware automatically backs up files before they are affected by a Ransomware attack. You can add files, processes, and certificates to the exclusion list to exclude them from backups.
To add exclusions from Anti-Ransomware backups:
If you select Automatic restore and remediate in the Anti-Ransomware Backup Settings Action, Anti-Ransomware automatically starts remediation after a Ransomware attack.
If you do NOT select Automatic restore and remediate, end-users must start restoration manually on the client computer after a Ransomware attack.
Best practice is to guide users through the process and instruct them what to select when there is more than one option.
In the SandBlast Agent Forensics Analysis Report, you can see details of which files restored and deleted during the restoration.
To run Anti-Ransomware restoration from a client computer:
The Endpoint Security Main Page opens.
The Anti-Ransomware Restoration windows open.
If you see a note that the files were already restored, click Cancel. It is not necessary to restore the files again.
The Endpoint Security Restoration window opens and shows the files that were restored and where they are located.