Hello Koen,
This method primarily targets high volumes of file activity. However, the article already mentions that it may not be suitable for file servers:
"This doesn’t work so well on a file server, where potentially hundreds of users are constantly modifying files. It would take some time to come up with a good baseline (how many file modifications are considered ‘normal’)."
You could consider adjusting the alert threshold. For instance, if users typically copy a folder containing 50 pictures, try increasing the Threshold Interval from 30 to 55.
If copying pictures is a frequent occurrence for your users, it might be worth filtering out .jpg extensions to reduce unnecessary alerts.
Keep in mind, this is a "nuclear" approach. It monitors any file activity exceeding 30 changes within 3 minutes, and it cannot distinguish between ransomware encryption and regular file copying. Any event that meets the criteria will trigger an alert.
For a more refined solution, check out this better approach outlined in the article HERE. Additionally, the full-featured version of EventSentry is now available for free for home labs. You can request your license HERE
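To make the trade-off in the reply above concrete, here is an added illustration (my own code, not part of the original post and not EventSentry's rule engine) of the sliding-window counting the thread describes: a user who modifies more than N files inside a 3-minute window trips an alert, and an extension filter simply stops counting those files. The audit lines, user names, paths and the `svc-ransom` "encrypt-in-place" burst are all constructed sample data, and the threshold values 30 and 55 are the ones mentioned in the reply.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical stand-in for the "N changes within 3 minutes" rule from the thread.
WINDOW = timedelta(minutes=3)


def parse_event(line):
    """Parse one constructed audit line of the form '<ISO time> <user> <path>'."""
    ts, user, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, path


def detect_bursts(lines, threshold=30, window=WINDOW, ignore_ext=()):
    """Sliding-window counter: one alert per user, raised the first time the
    number of counted file modifications inside `window` exceeds `threshold`.
    Paths whose extension is in `ignore_ext` are skipped before counting,
    which is what filtering out .jpg in the product rule amounts to."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    alerts, alerted = [], set()
    for line in lines:
        ts, user, path = parse_event(line)
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in ignore_ext:
            continue                  # filtered extensions are never counted
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:     # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold and user not in alerted:
            alerts.append((user, ts, len(q)))
            alerted.add(user)
    return alerts


T0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start time for all samples


def constructed_copy(n, gap, user="koen", prefix=r"\\fs01\photos\IMG_", ext="jpg"):
    """Constructed sample: `n` file writes by one user, spaced `gap` apart."""
    return [f"{(T0 + i * gap).isoformat()} {user} {prefix}{i:04d}.{ext}"
            for i in range(n)]


SCENARIOS = {
    # 50 camera photos copied in under a minute: the false positive from the thread
    "photo_copy": constructed_copy(50, timedelta(seconds=1)),
    # the same 50 photos trickling in every 10 seconds (over 8 minutes in total)
    "slow_copy": constructed_copy(50, timedelta(seconds=10)),
    # constructed encrypt-in-place burst: 200 documents rewritten in one minute
    "encrypt_burst": constructed_copy(200, timedelta(milliseconds=300),
                                      user="svc-ransom",
                                      prefix=r"\\fs01\finance\report_",
                                      ext="docx"),
}

CONFIGS = {
    "threshold_30": dict(threshold=30),
    "threshold_55": dict(threshold=55),
    "threshold_30_skip_jpg": dict(threshold=30, ignore_ext=("jpg",)),
}


def run_scenarios():
    """Return {config: {scenario: number of alerts}} for every combination."""
    return {c: {s: len(detect_bursts(ev, **kw)) for s, ev in SCENARIOS.items()}
            for c, kw in CONFIGS.items()}


if __name__ == "__main__":
    for cfg, results in run_scenarios().items():
        print(cfg, results)
```

Running it shows the three outcomes discussed in the reply: at threshold 30 the 50-photo copy alerts on the 31st file, raising the threshold to 55 or skipping `.jpg` silences it, and the 200-file document burst alerts under every configuration. The slow copy never alerts because the 3-minute window only ever holds 19 of its events. The counter has no way to tell the two fast scenarios apart except by count and extension, which is exactly why the reply calls the approach "nuclear"; note also that skipping `.jpg` means any modification of `.jpg` files, whatever its cause, is no longer counted at all.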
Hi,
Thank you for the informative reply. I will test this further, but I'm afraid that it will be difficult to define a 'normal' file server usage pattern. I will also take a good look at the other features of EventSentry.
Best greetings,
Koen
Koen Gryspeerdt
Hi
I am testing EventSentry Light as a tool to detect and stop ransomware. I followed the procedure as described in ‘Defeating Ransomware with EventSentry & Auditing (Part 3/3)’. This seems to stop ransomware, but the number of false positives is way too high. As soon as a user copies a relatively large number of files to the server (e.g. a series of photos from a camera) this is also detected as ransomware. Am I missing something?
Best greetings,
Koen