New/Edit Anti-Ransomware Configuration pane

Use these settings to create and configure an Anti-Ransomware Configuration, which can be used by Powertech Antivirus to protect Endpoints from the ongoing threat of ransomware.

How to Get There

In the Anti-Ransomware Configuration Properties pane, choose +Add.

Options

Name

Enter a unique name for the configuration you are defining.

Description

Enter a textual description that identifies the purpose of the configuration.

APEX Thresholds

The APEX (Access Pattern and Encryption Activity eXtended) detection method evaluates patterns in NetServer access to the Integrated File System (IFS). When APEX detects suspicious encryption activity, this suspicion level is compared to two thresholds:

  • a Message Threshold, which defines when a warning message is sent to the Powertech Antivirus message queue; and

  • a Block Threshold, which defines when the accessing user is blocked.

Default Message Threshold For Users

This section is used to set the threshold that determines when messages are sent to the Powertech Antivirus message queue to warn of a possible ransomware attack on the Endpoint to which this configuration is applied.

The default setting for new configurations is to Never Send Messages. This means that even in the event of a possible ransomware attack no messages will be sent to the Antivirus message queue.

Click the slider control to change the default setting to Send Messages. A field allowing the entry of a Threshold Value is displayed.

Enter a value between 1 and 100 to represent the level at which messages are sent to the Antivirus message queue.

IMPORTANT: The lower this value is, the more likely it is that a message may be sent in error, i.e. a false positive. The higher this value is, the less likely it is that a message may be sent in error, but the more likely it is that a ransomware attack may go unreported.

Message Threshold Overrides for Users

This option allows you to set an override value (different from the default threshold) to be applied to specific users. For example, you can set a higher threshold for a trusted user account or for that account to Never Send Messages.

Add Override

Click Add Override to open the Add Override window.

  1. Enter the User name for which this message override will be applied.

  2. Leave the slider control set to Never Send Messages so that no messages are ever sent for this user account, or click the slider control and enter a new message threshold (different from the default setting) that will apply to this user account.

  3. Click Add to create and apply the message override to the user account.

Once defined, message threshold overrides for users are listed in this section. From here they can be edited and deleted.

Default Block Threshold for Users

This section is used to set the threshold that determines when a user is blocked from the Endpoint to which this configuration is applied, in response to a possible ransomware attack.

The default setting for new configurations is to Never Block Users. This means that even in the event of a possible ransomware attack no user accounts will be blocked.

Click the slider control to change the default setting to Block Users. A field allowing the entry of a Threshold Value is displayed.

Enter a value between 1 and 100 to represent the level at which user accounts will be blocked from the Endpoint to which this configuration is applied. The value is a score derived from the number of files that Powertech Antivirus detects being encrypted. The relationship is as follows:

  • Powertech Antivirus considers file encryptions performed within the last 5 minutes.

  • Each encryption of a file adds to a score.

  • The score starts at 0 and can reach a maximum of 100.

The following table shows how the number of file encryptions maps to the score:

Number of Files Encrypted    Scoring Impact
1                            -6
2                            14
3                            32
4                            46
5                            57
6                            66
7                            73
8                            78
9                            83
10                           86
11                           89
12                           92
13                           94
14                           95
15                           96
16                           97
17                           98
18                           98
19                           99
20+                          100

IMPORTANT: The lower this value is, the more likely it is that a user may be blocked in error, i.e. a false positive. The higher this value is, the less likely it is that a user may be blocked in error, but the more likely it is that a ransomware attack may go unreported.

Block Threshold Overrides for Users

This option allows you to set an override value (different from the default threshold) to be applied to specific users. For example, you can set a higher threshold for a trusted user account or for that account to Never Be Blocked.

Add Override

Click Add Override to open the Add Override window.

  1. Enter the User name for which this block override will be applied.

  2. Leave the slider control set to Never Block Users so that this user account will never be blocked, or click the slider control and enter a new block threshold (different from the default setting) that will apply to this user account.

  3. Click Add to create and apply the block override to the user account.

Once defined, block threshold overrides for users are listed in this section. From here they can be edited and deleted.
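To make the scoring and threshold logic described above concrete, here is an added illustration (not Powertech Antivirus code, and not an implementation of its detection engine) that models a 5-minute window of file-encryption observations, maps the per-user count through the scoring table as printed on this page, and applies default message and block thresholds with per-user overrides. The user names and event timestamps are constructed for the example.

```python
from collections import Counter

# Score after N file encryptions inside the 5-minute window, copied from the
# table on this page as printed (its single-file entry reads -6).
SCORE_TABLE = {1: -6, 2: 14, 3: 32, 4: 46, 5: 57, 6: 66, 7: 73, 8: 78, 9: 83,
               10: 86, 11: 89, 12: 92, 13: 94, 14: 95, 15: 96, 16: 97,
               17: 98, 18: 98, 19: 99}
WINDOW_SECONDS = 5 * 60
NEVER = None  # stands for "Never Send Messages" / "Never Block Users"

def apex_score(files_encrypted):
    """Map a count of files encrypted within the window to the APEX score."""
    if files_encrypted <= 0:
        return 0      # the score starts at 0
    if files_encrypted >= 20:
        return 100    # 20+ files saturate the score at its maximum
    return SCORE_TABLE[files_encrypted]

def evaluate(events, now, msg_default, block_default,
             msg_overrides=None, block_overrides=None):
    """events: iterable of (timestamp_seconds, user) file-encryption observations.
    Thresholds are 1..100 or NEVER; overrides map user -> threshold or NEVER.
    Returns {user: (score, message_sent, user_blocked)} for users seen in the window."""
    msg_overrides, block_overrides = msg_overrides or {}, block_overrides or {}
    # Only encryptions performed within the last 5 minutes count towards the score.
    recent = Counter(u for ts, u in events if now - WINDOW_SECONDS < ts <= now)
    results = {}
    for user, n in recent.items():
        score = apex_score(n)
        # dict.get keeps an explicit NEVER override distinct from "no override".
        msg_thr = msg_overrides.get(user, msg_default)
        blk_thr = block_overrides.get(user, block_default)
        results[user] = (score,
                         msg_thr is not NEVER and score >= msg_thr,
                         blk_thr is not NEVER and score >= blk_thr)
    return results

# Constructed sample (hypothetical users), evaluated at now=1000 seconds.
SAMPLE_EVENTS = ([(100, "ALICE")]                                    # 15 min old: ignored
                 + [(1000 - 10 * i, "ALICE") for i in range(3)]      # 3 files -> 32
                 + [(1000 - 5 * i, "BACKUPSVC") for i in range(12)]  # 12 files -> 92
                 + [(1000 - 2 * i, "BOB") for i in range(25)])       # 25 files -> 100

def demo():
    """Defaults 30/75; BACKUPSVC has message override 90 and is never blocked."""
    return evaluate(SAMPLE_EVENTS, now=1000, msg_default=30, block_default=75,
                    msg_overrides={"BACKUPSVC": 90}, block_overrides={"BACKUPSVC": NEVER})
```

Lowering the defaults in demo() shows the trade-off the IMPORTANT notes describe: the trusted BACKUPSVC account stays unblocked because of its override, while ALICE's three files would start to trigger a block.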

APEX Exclude Paths

This section allows you to define and maintain the directories that are excluded from analysis by the APEX detection engine.

Add Exclude Path

Click Add Exclude Path to open the Add Exclude Path window into which the directory paths to be excluded can be entered.

  1. Type the directory path into the window in the following format, for example: /windows/tmp

  2. Click Add to confirm the directory exclusion.

TIP: Press Enter to add further exclude paths in the same window before clicking Add.

Once defined, APEX Exclude Paths are listed in this section. From here they can be edited and deleted.

Canary Files

A Canary File is a fake file that is placed amongst real files in order to aid in the early detection of unauthorized data access, copying or modification, which are likely scenarios associated with a ransomware attack.

A canary file can be placed by a user among real files, enabling Powertech Antivirus to detect additional signs of ransomware activity. Whenever a process writes to a canary file, it is immediately considered suspicious, since no legitimate application or user should access these files. A user will be blocked if they tamper with a canary file, for example by updating its contents or renaming or deleting it.

Canary files can be added to directories that have been excluded from APEX analysis, to provide some protection for those directories.

IMPORTANT: We recommend that you add canary files to the root directory of vulnerable shares and to critical directories.

The command:

STANDGUARD/AVCRTTEST TYPE(*CANARY) FILE(<path>)

can be used to create a canary file. Alternatively, any file that is copied to or created in the IFS can be used.

Add File Path

Click Add Canary File Path to open the Add File Path window into which the canary file paths can be entered.

  1. Type the directory path and file name into the window in the following format, for example: /windows/tmp/test.jpg

  2. Click Add to confirm the addition of the canary file.

TIP: Press Enter to add further canary file paths in the same window before clicking Add.

Once defined, Canary File Paths are listed in this section. From here they can be edited and deleted.

Blocked Users

The Blocked Users section allows you to define, as part of this configuration, which user profiles are blocked from accessing file servers, namely the IBM i NetServer TCP server and Integrated File System host server.

Add Blocked User

Click Add User to open the Add Blocked User window into which the user profiles to be blocked can be entered.

  1. Type the name of the user profile to be blocked.

  2. Click Add to confirm the addition of the user profile.

Once defined, Blocked Users are listed in this section. From here they can be edited and deleted.

Save • Cancel

Click Save to save the configuration settings. Click Cancel to dismiss the pane without making changes.