Set the Canary File-Based Anti-Ransomware Modes
Administrators can configure Anti-Ransomware settings in a sensor policy.
The Anti-Ransomware screen is used to configure sensors running Cybereason platform versions earlier than 22.1.7. In version 22.1.7 and later, the Predictive ransomware protection screen is available. To learn which ransomware protection type to use according to your sensor version, see Ransomware protection types per version. To configure the new Predictive ransomware protection screen, see Set the Predictive Ransomware Protection Levels.
For supported operating systems for Anti-Ransomware, see Endpoint machine prevention features.
Set the Anti-Ransomware protection mode
Anti-Ransomware can detect, suspend, and prevent ransomware on your organization’s endpoints, using behavioral techniques, depending on the mode you select.
In your sensor policy, in the Anti-Ransomware screen, select the appropriate mode:
| Mode | Description | Recommendation |
|---|---|---|
| Disabled (default) | Anti-Ransomware is disabled. Disabling Anti-Ransomware removes existing canary files from endpoints. | Not recommended. Use only where ransomware detection is not required, or where the canary files must be removed. |
| Detect | Anti-Ransomware runs in detect-only mode. When ransomware is detected, a MalOp is generated, but no further action is taken. | Not recommended. Use for testing purposes only. |
| Suspend | Anti-Ransomware runs in detect and suspend mode. When ransomware is detected, a MalOp is generated and the specific thread performing the encryption is suspended. That thread stays suspended permanently and cannot run or perform actions, while the rest of the process keeps running. | Not recommended. Use for testing purposes only. |
| Prevent | Anti-Ransomware runs in detect, suspend, and prevent mode. When ransomware is detected, a MalOp is generated, the process is suspended, and the same process is prevented from executing again on that endpoint machine. Note: Cybereason recommends enabling Application Control when using this mode. If Application Control is disabled, the Cybereason platform does not prevent the process from executing in the future on the same endpoint machine. | Recommended. |
Set canary file preferences
To help detect ransomware, the Anti-Ransomware feature uses canary files: decoy files placed on the endpoint that are designed so ransomware is likely to attack them first. Any modification of a canary file alerts the Cybereason platform to the presence of ransomware.
To configure canary file preferences, follow these steps:
In your sensor policy, navigate to the Anti-Ransomware screen, locate the Canary files section, and then select the folders where you want to place canary files from the following options:
Root drives
Users folder
Desktop
Users documents
Important
To fully benefit from the Anti-Ransomware feature, Cybereason recommends selecting the relevant folder locations rather than leaving all folder checkboxes cleared. If you do not select any folders, canary file functionality is considered disabled.
For each file location, select the visibility of the canary files:
Visible
Hidden
System hidden
Important
For full protection, select the Visible option for all selected folders.
Below the canary file location options, locate the Suffix section.
For the Folder suffix and File suffix options, add your custom suffixes. Each custom suffix must use only letters and numbers.
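The procedure above configures canary files through the policy screen without showing what the mechanism looks like underneath. The following is an added illustration of that mechanism, not Cybereason's sensor code: it validates the suffix rule, places canary files in the selected folders, maps the three visibility options to the Win32 hidden/system attribute bits (applied via `SetFileAttributesW` on Windows only), and detects tampering by comparing each file against a SHA-256 baseline. The `!canary` naming scheme, the `!canary_<suffix>` sub-folder, and the baseline approach are assumptions made for this example and are not the product's implementation.

```python
import ctypes
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Win32 file attribute bits (FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM); applied only on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# The three visibility options from the policy screen, mapped to attribute bits.
VISIBILITY_FLAGS = {
    "visible": 0,
    "hidden": FILE_ATTRIBUTE_HIDDEN,
    "system_hidden": FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM,
}

SUFFIX_RE = re.compile(r"[A-Za-z0-9]+")


def validate_suffix(suffix: str) -> str:
    """Enforce the documented rule: a custom suffix may use only letters and numbers."""
    if not SUFFIX_RE.fullmatch(suffix):
        raise ValueError(f"suffix {suffix!r} must contain only letters and numbers")
    return suffix


def canary_name(index: int, file_suffix: str) -> str:
    """Assumed naming scheme (not the product's): a leading '!' sorts before ordinary
    file names, so an encryptor walking a directory in listing order hits the canary first."""
    return f"!canary{index:02d}.{file_suffix}"


def set_visibility(path: Path, visibility: str) -> None:
    """Apply hidden / system-hidden attributes on Windows; no-op for 'visible' or off Windows."""
    flags = VISIBILITY_FLAGS[visibility]
    if flags and os.name == "nt":
        if not ctypes.windll.kernel32.SetFileAttributesW(str(path), flags):
            raise ctypes.WinError()


def place_canaries(folders, folder_suffix, file_suffix, visibility="visible", per_folder=2):
    """Create a canary sub-folder with `per_folder` files under each selected folder.
    Returns a baseline {path: sha256} used later to detect tampering."""
    validate_suffix(folder_suffix)
    validate_suffix(file_suffix)
    baseline = {}
    for folder in folders:
        canary_dir = Path(folder) / f"!canary_{folder_suffix}"  # assumed folder-suffix usage
        canary_dir.mkdir(parents=True, exist_ok=True)
        set_visibility(canary_dir, visibility)
        for i in range(per_folder):
            path = canary_dir / canary_name(i, file_suffix)
            content = os.urandom(512)  # random bytes so the file looks worth encrypting
            path.write_bytes(content)
            set_visibility(path, visibility)
            baseline[str(path)] = hashlib.sha256(content).hexdigest()
    return baseline


def check_canaries(baseline):
    """Return canary paths that were modified, renamed or deleted since the baseline."""
    tampered = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.is_file() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            tampered.append(path)
    return tampered


def demo():
    """Run the full cycle in a temporary folder standing in for a user's Desktop."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = place_canaries([tmp], "Corp", "txt", visibility="visible")
        clean = check_canaries(baseline)
        victim = next(iter(baseline))
        Path(victim).write_bytes(b"ciphertext")  # simulate an encryptor overwriting the canary
        modified = check_canaries(baseline)
        Path(victim).unlink()  # simulate the encryptor deleting or renaming the original
        deleted = check_canaries(baseline)
    return {"placed": len(baseline), "clean": clean, "modified": modified,
            "deleted": deleted, "victim": victim}


if __name__ == "__main__":
    print(demo())
```

The `visible` option carries no attribute bits, which is why the page recommends it for full protection: a hidden or system-hidden canary is skipped by any encryptor that excludes those attributes when it enumerates files, so it never trips.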
Configure behavioral Anti-Ransomware detection options
You can also instruct the Cybereason platform to detect ransomware based on the following behaviors:
The ransomware deletes shadow copies on the machine as part of its pattern.
The ransomware edits the Master Boot Record (MBR) on Windows machines.
To enable behavioral Anti-Ransomware features, follow these steps:
In the Anti-Ransomware screen, below the Canary files section, locate the Shadow copy option and set the toggle to On.
This option enables the Cybereason platform to detect ransomware that deletes shadow copies on the machine as part of its pattern.
Below the Shadow copy section, locate the MBR option and set the toggle to On.
This option enables the Cybereason platform to detect ransomware that edits the Master Boot Record (MBR) on Windows machines.
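To make the two behaviors concrete, the following is an added example of what each looks like in endpoint telemetry and how a detector honoring the two toggles might evaluate it. It is illustrative code written for this page, not the Cybereason sensor's detection logic: the event dictionary shape and the sample events are constructed, and the command-line patterns are the well-known shadow-copy deletion commands (`vssadmin delete shadows`, `wmic shadowcopy delete`, `wbadmin delete catalog`, WMI `Win32_ShadowCopy` deletion). The MBR check treats a raw write to `\\.\PhysicalDriveN` within the first 512 bytes as an MBR edit.

```python
import re

# Command lines commonly used by ransomware to destroy Volume Shadow Copies.
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\b(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I),
]

# The MBR occupies the first 512 bytes of a physical disk; a raw write that starts
# inside that range rewrites it.
PHYSICAL_DRIVE_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.I)
MBR_SIZE = 512


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when a process command line matches a known shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_COPY_PATTERNS)


def is_mbr_write(event: dict) -> bool:
    """True for a raw write to a physical drive that touches the first 512 bytes."""
    return (
        event.get("type") == "raw_write"
        and PHYSICAL_DRIVE_RE.match(event.get("target", "")) is not None
        and 0 <= event.get("offset", -1) < MBR_SIZE
    )


def evaluate(events, shadow_copy_enabled=True, mbr_enabled=True):
    """Return (pid, reason) findings, honoring the two policy toggles from the screen."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and shadow_copy_enabled and is_shadow_copy_deletion(ev["cmdline"]):
            findings.append((ev["pid"], "shadow_copy_deletion"))
        elif ev["type"] == "raw_write" and mbr_enabled and is_mbr_write(ev):
            findings.append((ev["pid"], "mbr_write"))
    return findings


# Constructed sample telemetry for this example (not real captured data).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "pid": 4130, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: listing, not deleting
    {"type": "process", "pid": 4140, "image": "powershell.exe",
     "cmdline": 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"type": "raw_write", "pid": 4150, "image": "locker.exe",
     "target": r"\\.\PhysicalDrive0", "offset": 0, "length": 512},
    {"type": "raw_write", "pid": 4160, "image": "backup.exe",
     "target": r"\\.\PhysicalDrive0", "offset": 1048576, "length": 4096},  # benign: past the MBR
    {"type": "process", "pid": 4170, "image": "wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
]


if __name__ == "__main__":
    for pid, reason in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Turning either toggle off in `evaluate` drops the corresponding findings, which is the same effect the Off position has on the policy screen; the benign listing command and the large-offset disk write are left alone in both cases.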
Configure Anti-Ransomware for individual sensors
You can configure Anti-Ransomware for individual sensors in the Sensors screen.
In the Sensors screen, select the sensors whose Anti-Ransomware modes you want to set.
Above the sensor list, click Actions and select Set Anti-Ransomware mode.
In the Set Anti-Ransomware mode dialog box, select the mode for the selected sensors:
Set by Policy
Suspend
Suspend and prevent
Detect
Disabled
Click Set mode to confirm the selection.