Set the Canary File-Based Anti-Ransomware Modes

Administrators can configure Anti-Ransomware settings in a sensor policy.

The Anti-Ransomware screen is used to configure sensors running Cybereason platform versions earlier than 22.1.7. In version 22.1.7 and later, the Predictive ransomware protection screen is available. To learn which ransomware protection type to use according to your sensor version, see Ransomware protection types per version. To configure the new Predictive ransomware protection screen, see Set the Predictive Ransomware Protection Levels.

For supported operating systems for Anti-Ransomware, see Endpoint machine prevention features.

Set the Anti-Ransomware protection mode

Depending on the mode you select, Anti-Ransomware detects, suspends, or prevents ransomware on your organization’s endpoints using behavioral techniques.

In your sensor policy, in the Anti-Ransomware screen, select the appropriate mode:

Disabled (default)
    Description: Anti-Ransomware is disabled. Disabling Anti-Ransomware cleans up existing canary files from endpoints.
    Recommendation: Not recommended. Can be used in cases where ransomware detection is not required, or if it is necessary to remove canary files.

Detect
    Description: Anti-Ransomware is enabled in detect-only mode. When ransomware is detected, a MalOp is generated, but no further action is taken.
    Recommendation: Not recommended. Use for testing purposes only.

Suspend
    Description: Anti-Ransomware is enabled in detect and suspend mode. When ransomware is detected, a MalOp is generated, and a specific thread of the process is suspended. This thread is permanently suspended and cannot run or perform actions, while the rest of the process can keep running.
    Recommendation: Not recommended. Use for testing purposes only.

Prevent
    Description: Anti-Ransomware is enabled in detect, suspend, and prevent mode. When ransomware is detected, a MalOp is generated, the process is suspended, and the same process is prevented from executing on the same endpoint machine.
    Recommendation: Recommended.

    Note

    Cybereason recommends that you enable Application Control when using the Prevent mode. If Application Control is disabled, the Cybereason platform does not prevent the process from executing in the future on the same endpoint machine.

Set canary file preferences

To help detect ransomware, the Anti-Ransomware feature uses canary files. Canary files are designed so that ransomware is likely to attack them before real data; a change to a canary file alerts the Cybereason platform to the presence of ransomware.

To configure canary file preferences, follow these steps:

  1. In your sensor policy, navigate to the Anti-Ransomware screen, locate the Canary files section, and then select the folders where you want to place canary files from the following options:

    • Root drives

    • Users folder

    • Desktop

    • Users documents

    Important

    To fully benefit from the ransomware feature, Cybereason recommends that you select the relevant folder locations and do not leave all folder checkboxes cleared. If you do not select any folders, the canary files functionality is considered disabled.

  2. For each file location, select the visibility of the canary files:

    • Visible

    • Hidden

    • System hidden

    Important

    For full protection, select the Visible option for all selected folders.

  3. Below the canary file location options, locate the Suffix section.

  4. For the Folder suffix and File suffix options, add your custom suffix. The suffix must contain only letters and numbers.
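
How canary files work as a tripwire, as an added example that is not Cybereason sensor code: the Python below plants canary files in a sandbox directory that stands in for the four folder locations above, applies the Visible, Hidden or System hidden attribute (Windows only; a no-op elsewhere), enforces the letters-and-numbers suffix rule, and then detects the rewrite, rename or deletion that a ransomware run causes. The directory layout, the "!canary" naming and the is_valid_suffix, plant, check and run_demo functions are assumptions made for this example.

```python
"""Canary files as a ransomware tripwire (added example, not Cybereason code).

Models the canary-file settings: the four folder locations, the visibility
option and the letters-and-numbers suffix rule. Canaries are planted under a
sandbox directory, their content hashes recorded, and an integrity check then
reports what a ransomware run does to them (content rewritten, file renamed
or deleted). Path layout and file naming are assumptions for illustration.
"""
import ctypes
import hashlib
import os
import re
import sys
from pathlib import Path

SUFFIX_RE = re.compile(r"[A-Za-z0-9]+")   # the Suffix rule: letters and numbers only

# Assumed layout of the four checkbox locations relative to a sandbox root
# (on a real endpoint: C:\, C:\Users, a user's Desktop and Documents).
LOCATIONS = {
    "root_drives": ".",
    "users_folder": "Users",
    "desktop": "Users/alice/Desktop",
    "users_documents": "Users/alice/Documents",
}
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4   # Win32 attribute bits


def is_valid_suffix(suffix: str) -> bool:
    """True only for what the Suffix fields accept: one or more letters/digits."""
    return SUFFIX_RE.fullmatch(suffix) is not None


def apply_visibility(path: Path, visibility: str) -> None:
    """Visible / hidden / system_hidden. File attributes exist only on Windows;
    elsewhere this is a no-op so the example still runs."""
    if visibility == "visible" or sys.platform != "win32":
        return
    attrs = FILE_ATTRIBUTE_HIDDEN
    if visibility == "system_hidden":
        attrs |= FILE_ATTRIBUTE_SYSTEM
    ctypes.windll.kernel32.SetFileAttributesW(str(path), attrs)


def canary_paths(base: Path, selected, folder_suffix: str, file_suffix: str):
    """One canary folder holding one canary file per selected location.
    The '!' prefix is an illustrative choice: it sorts before ordinary names,
    so ransomware that walks directories in order meets the canary first."""
    for suffix in (folder_suffix, file_suffix):
        if not is_valid_suffix(suffix):
            raise ValueError(f"suffix must contain only letters and numbers: {suffix!r}")
    for key in selected:
        folder = base / LOCATIONS[key] / f"!canary{folder_suffix}"
        yield folder / f"!canary{file_suffix}.docx"


def plant(base: Path, selected, visibility="visible",
          folder_suffix="cr1", file_suffix="cr1") -> dict:
    """Create the canaries and return {path: sha256} as the integrity baseline."""
    baseline = {}
    for path in canary_paths(base, selected, folder_suffix, file_suffix):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(os.urandom(256))        # content nobody legitimately edits
        apply_visibility(path.parent, visibility)
        apply_visibility(path, visibility)
        baseline[path] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def check(baseline: dict) -> list:
    """Compare every canary against the baseline; any change is a finding."""
    findings = []
    for path, digest in baseline.items():
        if not path.exists():
            findings.append(("missing", str(path)))      # deleted or renamed away
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            findings.append(("modified", str(path)))     # encrypted in place
    return findings


def simulate_ransomware(base: Path) -> None:
    """Constructed tamper: overwrite every document, then rename it."""
    for path in sorted(base.rglob("*.docx")):
        path.write_bytes(os.urandom(len(path.read_bytes())))
        path.rename(path.with_name(path.name + ".locked"))


def run_demo() -> tuple:
    """Plant canaries in a temporary sandbox, tamper, return (before, after) findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant(root, ["root_drives", "desktop", "users_documents"], "system_hidden")
        before = check(baseline)
        simulate_ransomware(root)
        return before, check(baseline)


if __name__ == "__main__":
    before, after = run_demo()
    print("before tamper:", before)   # no findings
    print("after tamper:", after)     # every canary reported missing
```

A canary only helps if it is reached before the data you care about, which is why the folder choice matters more than the visibility option; hidden and system-hidden attributes keep users from deleting the files but some ransomware skips them, which is the reason the page recommends Visible.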

Configure behavioral Anti-Ransomware detection options

You can also instruct the Cybereason platform to detect ransomware based on the following behaviors:

  • The ransomware deletes shadow copies on the machine as part of its pattern.

  • The ransomware edits the Master Boot Record (MBR) on Windows machines.

To enable behavioral Anti-Ransomware features, follow these steps:

  1. In the Anti-Ransomware screen, below the Canary files section, locate the Shadow copy option and set the toggle to On.

    This option enables the Cybereason platform to find ransomware that deletes shadow copies on the machine as part of its pattern.

  2. Below the Shadow copy section, find the MBR section and set the toggle to On.

    This option enables the Cybereason platform to find ransomware that edits the Master Boot Record (MBR) on Windows machines.
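
What the two behavioral toggles look for, as an added example that is not the Cybereason sensor's detection logic: the Python below matches shadow copy deletion on process command lines (vssadmin, wmic, WMI Win32_ShadowCopy and wbadmin, the commands ransomware commonly uses for this) and an MBR edit as a raw write into the first 512-byte sector of a physical disk, then runs both checks over a handful of constructed endpoint events. The event format, the field names and the detect function are assumptions made for this example.

```python
"""Behavioural ransomware indicators over constructed endpoint events.

Added example, not Cybereason sensor code. Shadow copy deletion is matched on
process command lines; an MBR edit is matched as a raw write to the first
sector of a physical disk. Event records and field names are constructed.
"""
import re
from typing import Iterable

# Command lines commonly used to destroy Volume Shadow Copies before encrypting.
SHADOW_DELETE_PATTERNS = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", "vssadmin delete shadows"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", "wmic shadowcopy delete"),
    (r"win32_shadowcopy\b.*\.delete\(", "WMI Win32_ShadowCopy.Delete()"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", "wbadmin delete catalog"),
]
SHADOW_DELETE_RE = [(re.compile(p, re.IGNORECASE), label) for p, label in SHADOW_DELETE_PATTERNS]

PHYSICAL_DRIVE_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)
MBR_BYTES = 512   # the MBR occupies the first sector of the disk


def shadow_copy_deletion(event: dict):
    """Return a label if a process_create event runs a shadow-copy wipe."""
    if event.get("type") != "process_create":
        return None
    cmd = event.get("command_line", "")
    for regex, label in SHADOW_DELETE_RE:
        if regex.search(cmd):
            return label
    return None


def mbr_write(event: dict):
    """Return a label if a raw_write event lands inside sector 0 of a physical disk."""
    if event.get("type") != "raw_write":
        return None
    target = event.get("target", "")
    if PHYSICAL_DRIVE_RE.match(target) and event.get("offset", MBR_BYTES) < MBR_BYTES:
        return "write to MBR sector"
    return None


def detect(events: Iterable[dict]) -> list:
    """Run both behavioural checks; each finding is (pid, image, label)."""
    findings = []
    for ev in events:
        label = shadow_copy_deletion(ev) or mbr_write(ev)
        if label:
            findings.append((ev["pid"], ev["image"], label))
    return findings


# Constructed sample events: two benign, four that the toggles would flag.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},                          # benign: listing only
    {"type": "process_create", "pid": 4133, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process_create", "pid": 4141, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": "wmic.exe shadowcopy delete /nointeractive"},
    {"type": "process_create", "pid": 4150, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"type": "raw_write", "pid": 4162, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"\\.\PhysicalDrive0", "offset": 0, "length": 512},          # overwrites the MBR
    {"type": "raw_write", "pid": 2210, "image": r"C:\Program Files\Imager\imager.exe",
     "target": r"\\.\PhysicalDrive0", "offset": 1048576, "length": 4096},   # past sector 0: not flagged here
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The listing command is left unflagged on purpose: "vssadmin list shadows" is routine administration, and alerting on the binary alone rather than on the delete verb is what makes a shadow-copy rule noisy.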

Configure Anti-Ransomware for individual sensors

You can configure Anti-Ransomware for individual sensors in the Sensors screen.

  1. In the Sensors screen, select the sensors whose Anti-Ransomware modes you want to set.

  2. Above the sensor list, click Actions and select Set Anti-Ransomware mode.

  3. In the Set Anti-Ransomware mode dialog box, select the mode for the selected sensors:

    • Set by Policy

    • Suspend

    • Suspend and prevent

    • Detect

    • Disabled

  4. Click Set mode to confirm the selection.