
detect and stop ransomware

Hi


I am testing EventSentry Light as a tool to detect and stop ransomware. I followed the procedure as described in ‘Defeating Ransomware with EventSentry & Auditing (Part 3/3)’. This seems to stop ransomware, but the number of false positives is way too high. As soon as a user copies a relatively large number of files to the server (e.g. a series of photos from a camera) this is also detected as ransomware. Am I missing something?


Best greetings,


Koen

1 Comment

Hello Koen,


This method primarily targets high volumes of file activity. However, the article already mentions that it may not be suitable for file servers:

"This doesn’t work so well on a file server, where potentially hundreds of users are constantly modifying files. It would take some time to come up with a good baseline (how many file modifications are considered ‘normal’)."


You could consider adjusting the alert threshold. For instance, if users typically copy a folder containing 50 pictures, try increasing the Threshold Interval from 30 to 55.


If copying pictures is a frequent occurrence for your users, it might be worth filtering out .jpg extensions to reduce unnecessary alerts.


Keep in mind, this is a "nuclear" approach. It monitors any file activity exceeding 30 changes within 3 minutes, and it cannot distinguish between ransomware encryption and regular file copying. Any event that meets the criteria will trigger an alert.


For a more refined solution, check out this better approach outlined in the article HERE. Additionally, the full-featured version of EventSentry is now available for free for home labs. You can request your license HERE
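The threshold rule and the extension filter discussed in the reply, as an added example written for this page (not code from the thread or from EventSentry): a per-user sliding-window counter over constructed file-audit events, applying the 30-changes-in-3-minutes rule, a raised threshold, and a .jpg exclusion, so the trade-off between the three settings can be seen on sample data.

```python
import ntpath
from collections import deque
from datetime import datetime, timedelta


def make_events(user, start, count, ext, step_seconds=2):
    """Constructed audit events (timestamp, user, path); not real EventSentry output."""
    return [(start + timedelta(seconds=i * step_seconds), user, f"\\\\srv\\share\\file{i}{ext}")
            for i in range(count)]


START = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
SAMPLE_EVENTS = sorted(
    make_events("alice", START, 50, ".jpg")  # benign photo import: 50 files in ~100 s
    + make_events("mallory", START + timedelta(minutes=10), 45, ".locked")  # constructed suspicious burst
)


def find_bursts(events, threshold=30, window=timedelta(minutes=3), excluded_exts=()):
    """Return {user: timestamp at which that user's count inside the window first reached threshold}.

    Mirrors the "30 changes within 3 minutes" rule from the reply. Excluded extensions are
    dropped before counting, so they neither alert nor contribute to the threshold; that is
    also why an exclusion reduces coverage for those file types, not just noise.
    """
    excluded = {e.lower() for e in excluded_exts}
    windows = {}  # user -> deque of timestamps still inside the current window
    alerts = {}
    for ts, user, path in sorted(events):
        if ntpath.splitext(path)[1].lower() in excluded:
            continue
        recent = windows.setdefault(user, deque())
        recent.append(ts)
        while recent and ts - recent[0] > window:  # evict events older than the window
            recent.popleft()
        if len(recent) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


if __name__ == "__main__":
    print("default rule        :", find_bursts(SAMPLE_EVENTS))            # both users alert
    print("threshold raised 55 :", find_bursts(SAMPLE_EVENTS, threshold=55))  # neither alerts
    print(".jpg excluded       :", find_bursts(SAMPLE_EVENTS, excluded_exts=(".jpg",)))  # only mallory
```

Raising the threshold removes the photo-import alert but also lets the 45-file burst through, while the extension exclusion keeps the default threshold for everything that is not a .jpg.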
