Anti-Ransomware Backup Settings

When Anti-Ransomware is enabled, it constantly monitors files and processes for unusual activity. Before a Ransomware attack can encrypt files, Anti-Ransomware backs up your files to a safe location. After the attack is stopped, it deletes files involved in the attack and restores the original files from the backup location.

Define settings for Anti-Ransomware backup and restoration.

General Anti-Ransomware Settings

Backup Settings

Anti-Ransomware automatically backs up files before they are affected by a Ransomware attack. You can add files, processes, and certificates to the exclusion list to exclude them from backups.

To add exclusions from Anti-Ransomware backups:

  1. From a SandBlast Agent Forensics and Anti-Ransomware rule in the Policy, right-click the Anti-Ransomware Backup Settings action and select Edit Shared Action.
  2. Click Add exclusion.
  3. In the window that opens, select Folder, Process, or Certificate.
    • Folder - To exclude all files in a folder, enter the Folder Name or browse to it.
      • Optional: Select Include all sub folders to exclude all files contained in all sub folders.
    • Process - To exclude an executable. You can also include Certificate information.
      • In Process name, enter the name of the executable.
      • Optional: Enter more information in the fields shown. Signer is the company that signs the certificate. The more information you enter, the more specific the exclusion will be.
    • Certificate - To exclude processes based on the company that signs the certificate, for example, Google.
      • In Certificate Data, enter the name of a company that signs certificates, or browse to add a certificate file.
  4. Click OK.
  5. The exclusion is added to the Exclusions list.

Manual Anti-Ransomware Restoration

If you select Automatic restore and remediate in the Anti-Ransomware Backup Settings Action, Anti-Ransomware automatically starts remediation after a Ransomware attack.

If you do NOT select Automatic restore and remediate, end-users must start restoration manually on the client computer after a Ransomware attack.

Best practice is to guide users through the process and instruct them what to select when there is more than one option.

Anti-Ransomware Restoration

In the SandBlast Agent Forensics Analysis Report, you can see details of which files were restored and deleted during the restoration.

To run Anti-Ransomware restoration from a client computer:

  1. Right-click the Endpoint Security icon in the taskbar notification area and select Display Overview.

    The Endpoint Security Main Page opens.

  2. Click the Forensics and Anti-Ransomware blade.
  3. In the Analyzed cases table, click Restore Files in the row of the relevant incident.

    The Anti-Ransomware Restoration windows open.

  4. Click Restore to start the restoration process.

    If you see a note that the files were already restored, click Cancel. It is not necessary to restore the files again.

  5. In the Restore Step 1 of 2 window:
    1. Select the location to place the restored files:
      • Restore files to the original location (default)
      • Restore to selected location - If you select this, you are prompted to select the location.
    2. Delete files created by the attack, including encrypted files - This is selected by default. Clear it if you do not want to delete the files.
    3. Click Next.
  6. In the Restore Step 2 of 2 window, click Restore to start the process.

    The Endpoint Security Restoration window opens and shows the files that were restored and where they are located.

  7. Click Close.