On the Cyber Resilience page, you can view the Cyber Resilience features of the Nasuni Management Console.
From the Cyber Resilience page, you can also access the following pages:
Ransomware Detection
The Ransomware Detection settings implement Nasuni Ransomware Detection. You can view or change the Ransomware Detection setting of volumes.
Nasuni provides unmatched recovery capabilities for customers impacted by ransomware attacks as part of its base platform. Nasuni Ransomware Detection extends these built-in capabilities by identifying ransomware attacks on files anywhere within your Nasuni environment and alerting administrators about ransomware attacks before they cause significant damage. This enables you to identify the impacted files and associated users, so you can recover smarter and even faster without paying the ransom.
Ransomware Detection includes the following processing:
Regularly updates known ransomware patterns used for detection.
The Nasuni list of known ransomware file extensions is at https://r3.api.nasuni.com/ext_blocklist.json.
Monitors file creation, renaming, updating, and deletion events, which can indicate ransomware activity, and analyzes their paths.
Emits a notification if an attack is underway. This notification is sent when the attack is first recorded, not for each affected file.
Tip: Avoid false positives by requesting Support to add file extensions to the safelist.
You can enable or disable Ransomware Detection at the volume level.
For more information, see Nasuni Ransomware Protection.
Note: Nasuni Ransomware Detection is a feature of the Nasuni Ransomware Protection add-on service. If you cannot enable the feature, contact your Nasuni account team to discuss how to purchase and enable the add-on.
Note: Some ransomware file extensions may be considered vulgar. Nasuni believes in giving its users the most accurate information, so it shows the full extension.
Important: To enable Ransomware Detection, you must allow outbound connections on TCP port 443 (HTTPS) to the FQDN r3.api.nasuni.com, so that the ransomware detection definition files can be downloaded.
Tip: To administer settings of Ransomware Detection, you must have the "Manage Cyber Resilience Services" permission.
Tip: To receive notifications of violations, you must have the “Manage all aspects of the Filer (super user)” or “Manage Notifications” permissions, and the appropriate “Filer Access” permissions.
To receive emails of violations, if email is enabled, you must also ensure that “Violation Alerts” is selected for the user’s group.
Note: Ransomware pattern violations are logged to a CSV file in the .nasuni/ransomware_violations/ folder of the volume.
In the log file, each violation entry includes the following: event timestamp, event type, path, client SID, and client IP.
Of the 43 defined event types, Nasuni currently reports 4 (Rename), 6 (Read), 7 (Write), 10 (New File), and 12 (Delete File).
Tip: To access the hidden .nasuni directory on an SMB share, you must be an administrative user.
Because the .nasuni directory is located in the root directory of the volume, to access the .nasuni directory, you must create a share to the root directory of the volume.
In addition, this hidden directory must be visible on the client machine. For example, in Windows, “Show Hidden Files, folders, and drives” must be enabled, and “Hide protected operating system files” must be disabled.
IMPORTANT: BEFORE PUTTING NASUNI RANSOMWARE DETECTION INTO PRODUCTION
We have spent time researching the behavior of ransomware, and compared it to metrics of how users interact with Edge Appliances in the real world. The results of that research have informed the values that we have set as the defaults for incident creation and mitigation. Our goal is to avoid overly aggressive blocking of SMB clients, which would lead to data being unavailable to legitimate users. At the same time, we must provide robust protection against actual ransomware attacks. However, we recognize that every customer environment is different, and so we offer you the ability to change these confidence levels.
Instead of immediately enabling the mitigation policy feature on a volume, we recommend running the system in a “learning mode.” During this time, enable Ransomware Detection only, without enabling Incident Mitigation. After Ransomware Detection is enabled, monitor the system for about one month and watch for any incidents. If you see any incidents, do not immediately assume that they are an actual ransomware attack. Instead, investigate the details of the incident, and look at the number and frequency of violations. If you find that this is legitimate activity, consider increasing the default values for the incident creation confidence level.
When you are confident that the detection confidence level is appropriate, enable the Incident Mitigation policy.
Keep in mind that these settings are volume-specific, so you might need to run this learning process across multiple volumes if there is a significant difference in the workflows associated with those volumes.
Important: If Ransomware Mitigation is enabled, SMB clients can be blocked automatically.
The Nasuni Ransomware Detection process includes analysis of file extensions and patterns of file creation, renaming, updating, and deletion. The following considerations are important regarding the analysis of file extensions:
When you first enable Nasuni Ransomware Detection, it is possible that, despite the default incident creation and mitigation confidence levels, you might receive notifications of possible ransomware. This does not necessarily indicate the presence of actual ransomware in your system. Instead, this might simply indicate that some of your organization’s ordinary file extensions happen to match known ransomware signatures. Recognizing this is important in establishing your system’s “normal” state.
When you do receive these first ransomware notifications, you should examine them closely. The ransomware violations are logged to a CSV file in the .nasuni/ransomware_violations/ folder of the volume. To access this CSV file:
You must be an administrative user.
Because the .nasuni directory is located in the root directory of the volume, to access the .nasuni directory, you must create a share to the root directory of the volume.
In Windows, “Show hidden files, folders, and drives” must be enabled.
In Windows, “Hide protected operating system files” must be disabled.
Find and open this CSV file. It includes a list of suspicious files. Examine the extensions of these files.
Are these typical extensions of ordinary files used in your organization? If so, this is an example of a false positive and a good indication of the type of file that you can typically ignore in future notifications. Consider increasing the default values for the confidence level.
Are these unusual extensions for your organization? If so, this can indicate the possibility of an actual ransomware attack, and further investigation is necessary. Even then, if only one or a few files have such an unusual extension, it is probably not a ransomware attack, since ransomware attacks typically affect many files on a system.
After examining ransomware notifications for a month, you should have a good idea of the types of extensions that you can safely ignore. This is enough time for processes that happen once a month (such as reporting, finance, and HR) to complete a cycle.
When you have identified ordinary file extensions that trigger ransomware notifications routinely, you can decide how best to manage these false positives.
For example, you can consider increasing the default values for the confidence level.
You can also request Nasuni Support to add these known false positive file extensions to the safelist for this volume. This ensures that you do not receive notifications for files that match these extensions.
However, if you do so, you risk the possibility of a genuine ransomware attack that happens to use those file extensions. That is a decision that must be made carefully. You might decide to continue to allow Nasuni Ransomware Detection to flag these file extensions and provide the most complete protection possible.
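The following Python script is an added example, not Nasuni's code, showing how a practitioner could triage the violations CSV described earlier on this page (event timestamp, event type, path, client SID, client IP; event type codes 4, 6, 7, 10 and 12) during the learning-mode review. It groups violations per client and applies the rule of thumb from the preceding paragraphs: many files with an extension that matches a known ransomware pattern warrant investigation, a handful warrant watching, and extensions your organization uses routinely are probable false positives. The CSV header text, the sample log lines, the ransomware extension set and the safelist are all constructed for the example; the real extension list is served from https://r3.api.nasuni.com/ext_blocklist.json and the real safelist is maintained by Nasuni Support.

```python
import csv
import io
import posixpath
from collections import Counter, defaultdict

# Event type codes the page says Nasuni currently reports (of 43 defined).
EVENT_TYPES = {4: "Rename", 6: "Read", 7: "Write", 10: "New File", 12: "Delete File"}

# Constructed stand-ins for this example. Nasuni serves its real extension
# list from https://r3.api.nasuni.com/ext_blocklist.json, and the per-volume
# safelist is maintained by Nasuni Support; neither set below is real data.
KNOWN_RANSOMWARE_EXTS = {".locked", ".crypt", ".enc"}
ORG_SAFELIST_EXTS = {".enc"}  # assumed: a legitimate in-house encrypted-export format

# Column order follows the page; the header text itself is an assumption.
FIELDS = ["timestamp", "event_type", "path", "client_sid", "client_ip"]


def parse_violations(text):
    """Parse violation-log CSV text into dicts, skipping a header row if present."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0].strip().lower() in ("timestamp", "event timestamp"):
            continue
        if len(rec) < len(FIELDS):
            continue  # malformed line; skip it rather than abort the whole triage
        row = dict(zip(FIELDS, (f.strip() for f in rec)))
        try:
            code = int(row["event_type"])
        except ValueError:
            continue
        row["event_type"] = code
        row["event_name"] = EVENT_TYPES.get(code, "Unknown(%d)" % code)
        row["ext"] = posixpath.splitext(row["path"])[1].lower()
        rows.append(row)
    return rows


def triage(rows, many_files=10):
    """Group violations by (client IP, SID) and apply the page's rule of thumb:
    many files with unusual extensions -> investigate; a few -> watch;
    only organization-typical (safelisted) extensions -> likely false positive."""
    per_client = defaultdict(list)
    for r in rows:
        per_client[(r["client_ip"], r["client_sid"])].append(r)
    verdicts = {}
    for client, evs in per_client.items():
        exts = {e["ext"] for e in evs}
        files = {e["path"] for e in evs}
        suspicious = {x for x in exts if x in KNOWN_RANSOMWARE_EXTS and x not in ORG_SAFELIST_EXTS}
        if suspicious and len(files) >= many_files:
            verdict = "investigate"
        elif suspicious:
            verdict = "watch"
        else:
            verdict = "likely-false-positive"
        verdicts[client] = {
            "verdict": verdict,
            "files": len(files),
            "events": dict(Counter(e["event_name"] for e in evs)),
            "suspicious_exts": sorted(suspicious),
            "safelisted_exts": sorted(exts & ORG_SAFELIST_EXTS),
        }
    return verdicts


# Constructed sample log: one client renaming a dozen spreadsheets to .locked,
# one writing the organization's own .enc exports, one touching two files.
SAMPLE_LOG = "\n".join(
    ["timestamp,event_type,path,client_sid,client_ip"]
    + ["2024-05-01T09:%02d:00Z,4,/finance/q1/report%02d.xlsx.locked,S-1-5-21-1000-2000-3000-1104,10.0.0.5" % (i, i)
       for i in range(12)]
    + [
        "2024-05-01T09:30:00Z,10,/hr/payroll.enc,S-1-5-21-1000-2000-3000-1180,10.0.0.9",
        "2024-05-01T09:31:00Z,7,/hr/payroll.enc,S-1-5-21-1000-2000-3000-1180,10.0.0.9",
        "2024-05-01T09:40:00Z,10,/eng/notes.txt.crypt,S-1-5-21-1000-2000-3000-1201,10.0.0.12",
        "2024-05-01T09:41:00Z,12,/eng/notes.txt,S-1-5-21-1000-2000-3000-1201,10.0.0.12",
    ]
)

if __name__ == "__main__":
    for client, v in triage(parse_violations(SAMPLE_LOG)).items():
        print(client, v)
```

Run it against a copy of the CSV read from the share (pass the file contents to parse_violations). It goes one step beyond the page's extension-only guidance by counting distinct files per client, which is the signal that separates a user who saved one oddly named file from a process renaming everything it can reach.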
Licensing
Ransomware Detection, Mitigation, and Reporting require a license to use. For more information on implementation, contact your Nasuni account team.
Important: Ransomware Detection must be enabled before “Ransomware Mitigation and Reporting” can be enabled.
Ransomware: Detection & Mitigation Page
Click Cyber Resilience, then click Detection & Mitigation. The Detection & Mitigation page appears.

Figure 11-1: Detection & Mitigation page.
For each volume, the following information appears:
Name: The name of the volume.
Protocols: The protocols of the volume: CIFS, NFS, or FTP.
Filer: The Edge Appliance that is the owner of the volume.
Version: The software version that the Edge Appliance is running.
Important: Incident Creation and Incident Mitigation are only available on Edge Appliances running version 9.9 or later and an NMC running version 22.3 or later.
Ransomware Detection: Whether Ransomware Detection is Enabled or Disabled for the volume.
Confidence Level: The selected Confidence Level for ransomware detection. The confidence level of the suspected ransomware must meet or exceed the selected Confidence Level in order to be classified as actual ransomware.
Incident Mitigation: Whether Incident Mitigation is Enabled or Disabled for the volume.
Confidence Level: The selected Confidence Level for incident mitigation. The confidence level of the suspected ransomware must meet or exceed the selected Confidence Level in order for incident mitigation to be triggered.
Important: If you utilize technologies that allow clients to use multiple Edge Appliances (such as DFS or NetScaler) to access a share for geolocation or redundancy purposes, the client might be blocked by the mitigation policy on one Edge Appliance, and then connect to another Edge Appliance hosting the share. Note that ransomware activity on the new Edge Appliance might cause the client to be blocked there also.
Ransomware Detection Policy
The Ransomware Detection Policy includes Ransomware Detection and Incident Mitigation.
If Ransomware Detection is enabled, Nasuni detects and reports new ransomware attacks whose detected confidence meets or exceeds the Ransomware Detection Confidence Level.
If Incident Mitigation is enabled, Nasuni blocks the attacking SMB client's IP address on the associated Edge Appliance when the detected confidence meets or exceeds the Incident Mitigation Confidence Level.
Note: Incident Mitigation and Ransomware Detection Confidence Level are available only for Edge Appliances running version 9.14 or later and an NMC running version 23.3 or later.
Disabling the service removes associated incidents, but already-issued notifications and violation logs are preserved.
To specify the Ransomware Detection Policy, follow this procedure:
Click Cyber Resilience, then click “Detection & Mitigation”. The “Detection & Mitigation” page appears.
Figure 11-2: Detection & Mitigation page.
Select volumes from the list to specify the Ransomware Detection Policy.
Important: Incident Mitigation and Ransomware Detection Confidence Level are available only for Edge Appliances running version 9.14 or later and an NMC running version 23.3 or later.
Click “Edit Volumes”. The “Edit Detection and Mitigation Settings” dialog box appears.
Figure 11-3: Edit Detection and Mitigation Settings dialog box.
To enable Ransomware Detection, set “Detection” to On.
When enabled, it detects and reports potential ransomware attacks. Only attacks that occur after the service is enabled are detected. Attacks that occur before enabling the service are not detected.
Disabling the service does not clear previously issued notifications or remove violation logs.
If Detection is enabled, you can also optionally enable Mitigation. To enable Mitigation, set “Mitigation” to On.
When enabled, it blocks the attacking SMB client's IP address on the associated Edge Appliance if the Mitigation Confidence Level is met or exceeded.
Important: If Mitigation is enabled, SMB clients can be blocked automatically.
Note: Only SMB clients can be blocked. NFS clients cannot be blocked because auditing does not log the NFS client's IP address.
Tip: Incident Mitigation and Ransomware Detection Confidence Level are available only for Edge Appliances running version 9.14 or later and an NMC running version 23.3 or later.
To specify the Confidence Levels for Detection and Mitigation, click Advanced Settings. The Advanced Settings pane appears.
Figure 11-4: Advanced Settings pane.
To specify the Confidence Level for Detection, select a Confidence Level from the “Detection - Incident Creation” drop-down list.
Detection confidence is calculated for each ransomware attack, based on the severity of the attack. If the calculated detection confidence (say, High) equals or exceeds the selected Confidence Level (say, Medium), then an incident is created. Low Confidence Levels mean more false alarms, but are more likely to recognize actual ransomware attacks. High Confidence Levels mean fewer false alarms, but might miss actual ransomware attacks.
To specify the Confidence Level for Mitigation, select a Confidence Level from the “Mitigation - Block Clients” drop-down list.
The Confidence Level for Mitigation helps avoid incorrectly blocking SMB clients for harmless activity. Mitigation confidence is calculated for each ransomware incident. If the calculated mitigation confidence (say, High) equals or exceeds the selected Confidence Level (say, Medium), then the SMB client is blocked. Low Confidence Levels mean more clients blocked for harmless activity, but are more likely to stop actual ransomware attacks. High Confidence Levels mean fewer incorrect blocks, but might leave an actual attack unblocked.
Click Save.
The specified Ransomware Detection Policy is configured.
Figure 11-5: Detection & Mitigation page, with features enabled.
To enable Notifications, see “Notifications” on page 564.
To enable email alerts, enable “Violation Alerts”. See “Adding Permission Groups” on page 513.
Tip: To receive notifications of violations, you must have the “Manage all aspects of the Filer (super user)” or “Manage Notifications” permissions, and the appropriate “Filer Access” permissions.
Ransomware: Incident Management Page
An incident is created when the Ransomware Detection Confidence Level is met. Incidents are tabulated per volume, per user, and per Edge Appliance, and are displayed on the Incident Management page. Use the Incident Management page to view incidents, generate reports, perform a targeted ransomware restore, and delete an incident after it has been resolved.
To view the Incident Management page, click Cyber Resilience, then click Incident Management. The Incident Management page appears.

Figure 11-6: Incident Management page.
For each incident, the following information appears:
Date: The date and time (UTC) of the incident.
Volume: The name of the affected volume.
Filer: The Edge Appliance that the incident was detected on.
Important: Incident Mitigation and Ransomware Detection Confidence Level are available only for Edge Appliances running version 9.14 or later and an NMC running version 23.3 or later.
Detected Confidence Level: The current confidence level of the detected incident.
Signature: The specific file extension used in the ransomware attack. If the incident does not include a known signature, this field is empty.
Generate Report (Action): To generate an incident report, click Generate Report. For more detail, see “Generating Incident Reports” on page 543.
Tip: The “Generate Report” button is only available if both the “Ransomware Detection” and “Ransomware Mitigation and Reporting” license settings are enabled. Also, incidents originally generated on Edge Appliances running versions before 9.9, but later updated to run version 9.9 or later, are listed, but the “Generate Report” button is not available.
Targeted Restore (Action): To perform a targeted restore of affected files, click Targeted Restore. For more details, see “Ransomware: Targeted Restore” on page 550.
Mitigated: If this incident is being mitigated, the Mitigated icon appears. To view the number of blocked SMB clients, hover over the Mitigated icon.
Filtering the Display
Using the Filter text box, you can limit the display to items that match the criteria that you enter. See “Filtering Displays” on page 596 for details.
On this screen, the following field names are available:
date: Matches values in the Date field (UTC).
volume: Matches values in the Volume field.
filer: Matches values in the Filer field.
signature: Matches values in the Signature field.
Generating Incident Reports
You can generate Incident Reports for each incident in the Incident Management list. The report is generated when the “Generate Report” button is pressed, and includes events up until that time. Pressing the “Generate Report” button again causes the report to be regenerated, including all events up until the new time. Thus, you can see changes in the incident report if ransomware is still active in your environment.
Tip: The “Generate Report” button is only available if both the “Ransomware Detection” and “Ransomware Mitigation and Reporting” license settings are enabled.
To generate an Incident Report for a ransomware incident, follow these steps:
On the Incident Management list, click the Generate Report button in the same row as the incident.
The Ransomware Incident Report appears on a new browser tab.
Figure 11-7: Ransomware Incident Report.
To print or download the Ransomware Incident Report, click Print.
To return to the Incident Management page, exit the Ransomware Incident Report.
Contents of Incident Reports
The Incident Report includes details of affected volumes, Edge Appliances, files, and SMB clients.
Tip: A complete list of affected files along with additional details can be found in the ransomware violations log file located in the .nasuni/ransomware_violations directory at the root of the volume.
Tip: To access the hidden .nasuni directory on an SMB share, you must be an administrative user.
Because the .nasuni directory is located in the root directory of the volume, in order to access the .nasuni directory, you must create a share to the root directory of the volume. In addition, this hidden directory must be visible on the client machine. For example, in Windows, “Show hidden files, folders, and drives” must be enabled, and “Hide protected operating system files” must be disabled.
Each Ransomware Incident Report includes the following sections:
Attack Summary paragraph:
Figure 11-8: Attack Summary paragraph.
The Attack Summary paragraph includes the following information:
Date and time (UTC) of attack.
Type of attack.
Affected volume.
The Edge Appliance that the incident was detected on.
Number of clients affected.
Number of files affected.
Number of SMB clients blocked from accessing the Edge Appliance.
Attack Summary table:
Figure 11-9: Attack Summary table.
The Attack Summary table includes the following information:
Name of the impacted volume.
Name of the Edge Appliance that the incident was detected on.
Username of the account carrying out the attack.
Detected confidence level for the incident.
Indication of clients blocked.
Number of files affected.
Signature of attack.
Event Timeline:
Figure 11-10: Event Timeline.
The Event Timeline is a graphical representation of pertinent events in the attack. The graphical representation of the timeline might be limited for special reasons, but the Timeline Details table includes every event. The following information can be included, depending on the specific conditions:
Date and time (UTC) of the last snapshot before the start of the ransomware attack.
Date and time (UTC) of the first ransomware activity detected. An attack is possible, but has not been confirmed yet at that time.
Date and time (UTC) of an attack detected from an attacking client. It has been confirmed that the first ransomware activity detected is actually part of an attack.
Date and time (UTC) when SMB client blocked.
Date and time (UTC) when Targeted Restore completed. See “Ransomware: Targeted Restore” on page 550.
In addition, a table of details of the Event Timeline is included.
Timeline Details table:
Figure 11-11: Timeline Details table.
The Timeline Details table is a complete listing of all events that occurred in the ransomware attack in chronological order. While the Event Timeline might not show every event (if there is not enough space), the Timeline Details section of the report shows every event that was part of the incident.
The following information can be included, depending on the specific conditions:
Date and time (UTC) of the last snapshot before the start of the ransomware attack.
Date and time (UTC) of the first ransomware activity detected. An attack is possible, but has not been confirmed yet at that time.
Date and time (UTC) of an attack detected from an attacking client. It has been confirmed that the first ransomware activity detected is actually part of an attack.
Date and time (UTC) when SMB client blocked.
Date and time (UTC) when Targeted Restore initiated. See “Ransomware: Targeted Restore” on page 550. This is not displayed in the Event Timeline.
Date and time (UTC) when Targeted Restore completed. See “Ransomware: Targeted Restore” on page 550.
Date and time (UTC) when Targeted Restore canceled. See “Ransomware: Targeted Restore” on page 550. This is not displayed in the Event Timeline.
Date and time (UTC) of unsuccessful Targeted Restore, along with possible reasons. See “Ransomware: Targeted Restore” on page 550. This is not displayed in the Event Timeline.
Ransomware Detection Confidence Level table:
Figure 11-12: Ransomware Detection Confidence Level table.
The Ransomware Detection Confidence Level table includes the following information:
The Detected Confidence Level of the incident.
The configured confidence level for incident creation.
The configured confidence level for mitigation (blocked clients).
Tip: Comparing the detected confidence level with the configured confidence levels can be useful in adjusting the configured confidence levels.
Detected Clients Status table:
Figure 11-13: Detected Clients Status table.
The Detected Clients Status table includes the following information:
IP address of each detected SMB client.
Status of the detected SMB client: Blocked or Not Blocked.
If blocked, an indication of whether blocked by Incident Mitigation or by the administrator using the NMC API.
If blocked, date and time (UTC) the SMB client was blocked.
Affected Files table:
Figure 11-14: Affected Files table.
The Affected Files table includes the following information about the first 100 impacted files since incident creation:
Timestamp: Date and time (UTC) of the timestamp of the file.
Event Type: Type of the event recorded for the file: Rename, Read, Write, New File, or Delete File.
Path: Path to the affected file.
Deleting Ransomware Incidents
After obtaining all the information about the ransomware incident, you can delete the incident. To delete a ransomware incident, follow these steps:
Select the ransomware incident that you want to delete from the list.
Figure 11-15: List of ransomware incidents.
Click Delete. The Delete Ransomware Incidents dialog box appears.
Figure 11-16: Delete Ransomware Incidents dialog box.
In the Confirmation Phrase text box, type Delete Incidents.
Click Delete Ransomware Incidents. The selected ransomware incidents are deleted.
Ransomware: Targeted Restore
You can initiate a Targeted Restore for a ransomware attack incident on the Incident Management page. Rather than unnecessarily restoring the entire volume, Targeted Restore only restores the files that a ransomware incident has affected. This can save significant time in recovery, and get back the files that users need much more quickly.
Ransomware generally follows one of two practices when encrypting files:
Encrypts the file in place and renames the file after the encryption is complete.
In this case, Targeted Restore knows the original file name, because it is tracked as part of the rename operation, so performing the restore is straightforward.
Alternatively, creates a new file with the encrypted contents of the original file and deletes the original file.
In this case, Targeted Restore must reconstruct the file name based on the file events.
You can specify additional processing as part of the Targeted Restore:
Restore the affected file either to the original directory (default), or to a directory that you specify.
If a file being restored would have the same name as a file already in the volume, the file already in the volume can be backed up first. The name of the backup file would start with the word "backup" and a number, such as "backup0004”. This is the default behavior. To overwrite the existing file instead, you can disable this feature.
After restoring the original files, the affected files can be deleted. Files are not deleted by default.
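As an added illustration of the two encryption patterns described above (this is not Nasuni's Targeted Restore code), the Python below reconstructs an encrypted-file to original-name mapping from a stream of file events. A rename carries its original name; a new-file/delete-file pair is matched by directory, name prefix and time proximity, and anything that cannot be paired is reported for manual restore. It also computes where each original lands when a different destination directory is chosen. The event tuples, the previous-path field on rename events, the sample paths and the five-minute window are assumptions of the example, since the page does not document how the violation log encodes a rename's previous name.

```python
import posixpath
from datetime import datetime, timedelta

# Constructed event records: (timestamp, event name, path, previous path).
# The page's violation log carries a single path column and does not say how
# a rename's previous name is recorded, so the fourth field is an assumption
# of this example, not Nasuni's format.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "Rename", "/finance/q1/report01.xlsx.locked", "/finance/q1/report01.xlsx"),
    (T0 + timedelta(minutes=1), "New File", "/eng/notes.txt.crypt", None),
    (T0 + timedelta(minutes=2), "Delete File", "/eng/notes.txt", None),
    (T0 + timedelta(minutes=3), "New File", "/eng/design.docx.crypt", None),
    (T0 + timedelta(minutes=4), "Delete File", "/eng/design.docx", None),
    (T0 + timedelta(minutes=5), "New File", "/eng/readme.crypt", None),   # no matching delete
    (T0 + timedelta(minutes=30), "Delete File", "/eng/old.log", None),    # unrelated deletion
]


def plan_restore(events, window=timedelta(minutes=5)):
    """Map each encrypted file to the original name that should be restored.

    Pattern 1 (encrypt in place, then rename): the original name is on the
    rename event itself.
    Pattern 2 (write a new encrypted file, delete the original): pair a
    New File with a Delete File in the same directory whose name is a proper
    prefix of the new name (ransomware typically appends an extension) and
    which happened within `window`; the closest such deletion wins.
    Returns (plan, unresolved): encrypted -> original, plus encrypted files
    for which no original could be inferred (restore those manually).
    """
    plan, unresolved, created, deleted = {}, [], [], []
    for ts, ev, path, old in sorted(events, key=lambda e: e[0]):
        if ev == "Rename" and old:
            plan[path] = old
        elif ev == "New File":
            created.append((ts, path))
        elif ev == "Delete File":
            deleted.append((ts, path))
    for cts, cpath in created:
        cdir, cname = posixpath.split(cpath)
        best = None
        for dts, dpath in deleted:
            ddir, dname = posixpath.split(dpath)
            if ddir != cdir or dname == cname or not cname.startswith(dname):
                continue
            gap = abs(cts - dts)
            if gap <= window and (best is None or gap < best[0]):
                best = (gap, dts, dpath)
        if best is None:
            unresolved.append(cpath)
        else:
            plan[cpath] = best[2]
            deleted.remove((best[1], best[2]))  # one deletion explains one file
    return plan, unresolved


def restore_targets(plan, destination=None):
    """Where each original lands: its own directory by default, or a chosen
    directory (as with the dialog's Destination box), keeping the base name."""
    if destination is None:
        return {orig: orig for orig in plan.values()}
    return {orig: posixpath.join(destination, posixpath.basename(orig)) for orig in plan.values()}


if __name__ == "__main__":
    plan, unresolved = plan_restore(SAMPLE_EVENTS)
    for enc, orig in plan.items():
        print(f"restore {orig} (encrypted copy: {enc})")
    print("needs manual restore:", unresolved)
```

The prefix-and-window heuristic is deliberately conservative: it would rather leave a file unresolved than restore the wrong original, which mirrors the page's note that not every file can be restored automatically.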
Tip: Targeted Restore requires the “Nasuni Ransomware Protection Add-on”.
Tip: You can perform a Targeted Restore more than once on the same volume and incident, such as to address different files at different times.
A notification is recorded when a targeted recovery is initiated. Another notification is recorded when a targeted recovery completes, fails, or is canceled. These notifications are visible in NMC notifications, and are sent via email, syslog, and SNMP traps. The notifications include who initiated the recovery, the volume involved, and the Edge Appliance for the recovery.
Tip: It is not always possible to restore all files automatically. If this happens, you can use manual methods to restore the remaining files.
Tip: Only initiate one Targeted Restore at a time for each Edge Appliance. When a Targeted Restore completes for an Edge Appliance, you can initiate another Targeted Restore for that Edge Appliance.
To perform a targeted restore after a ransomware attack, follow these steps:
Click Cyber Resilience, then click Incident Management. The Incident Management page appears.
Figure 11-17: Incident Management page.
For the incident that you want to perform a Targeted Restore on, click Targeted Restore. The Targeted Ransomware Restore dialog box appears.
Figure 11-18: Targeted Ransomware Restore dialog box: Ransomware Attack Details.
The Ransomware Attack Details include the following information:
Filer Description: The name (or Description) of the Edge Appliance involved in the ransomware attack.
Volume Name: Name of the volume involved in the ransomware attack.
# of Files Encrypted: The number of files encrypted during the ransomware attack.
Restore Point: Date and time of the most recent snapshot before the ransomware attack.
Start of Attack: Date and time of the ransomware attack.
Review the Ransomware Attack Details to ensure that they are correct for this Targeted Restore session. For example, if these are not the correct volume and Edge Appliance, click Close and select the correct volume and Edge Appliance.
After restoring the original files, the encrypted versions of the files can be deleted. Select Delete Ransomware Files. Files are not deleted by default.
If a file being restored would have the same name as a file already in the volume, the file already in the volume can be backed up first. Select Backup Existing. This is the default.
The name of the backup file would start with the word "backup" and a number, such as "backup0004”.
To change the destination directory of the restored file, click the Destination box, and navigate to the desired destination directory.
To proceed with the Targeted Restore, click Restore Files. Alternatively, click Close.
If you clicked Restore Files, the Confirm Targeted Ransomware Restore dialog box appears.
Figure 11-19: Confirm Targeted Ransomware Restore dialog box.
To proceed with the Targeted Restore, type Perform Restore in the Confirmation Phrase text box, then click Restore Files. Alternatively, click Close.
The Targeted Restore proceeds. The Incident Management page displays the percentage of the process complete.

Figure 11-20: Incident Management page: percent complete.
Tip: To cancel the Targeted Restore, click the Cancel Restore button. A prompt appears for you to confirm canceling the Targeted Restore.
Note: If there are any issues with the Targeted Restore, messages appear in Notifications.
The affected files are restored from cloud object storage. The Incident Management page indicates when the process is complete.

Figure 11-21: Incident Management page: complete.
Tip: It is not always possible to restore all files automatically. If this happens, you can use manual methods to restore the remaining files.
Tip: A log of the restore operation is available in the restore_results directory located in the .nasuni directory at the root of the volume. Log file names are of the form targeted_restore_results-YYYY-MM-DD-HH-MM-SS.csv. There is one entry per file detected.
Each entry includes the file path, the status of the restoration, whether the encrypted file was deleted, and details about any errors encountered during the restore operation.
Tip: To access the hidden .nasuni directory on an SMB share, you must be an administrative user.
Because the .nasuni directory is located in the root directory of the volume, in order to access the .nasuni directory, you must create a share to the root directory of the volume. In addition, this hidden directory must be visible on the client machine. For example, in Windows, “Show hidden files, folders, and drives” must be enabled, and “Hide protected operating system files” must be disabled.
Ransomware: Blocked Clients Page
When Incident Mitigation is enabled (see step 5 on page 539), and a ransomware incident occurs (see “Ransomware: Incident Management Page” on page 541), Nasuni configures a DENY firewall rule to block the attacking SMB client IP address from connecting with the Edge Appliance. SMB clients that have been blocked in this way are listed on the Blocked Clients page.
Note: Only SMB clients can be blocked. NFS clients cannot be blocked because auditing does not log the NFS client's IP address.
When SMB clients are blocked, an alert is generated.

Figure 11-22: Alert when SMB client blocked.
You can manage blocked SMB clients using the Blocked Clients page. For example, you can unblock selected SMB clients after resolving a ransomware incident.
Tip: The NMC API can also be used to manage blocked SMB clients, including these capabilities:
Block SMB clients:
POST /filers/:filer_serial/blocked-clients/
List blocked SMB clients for an Edge Appliance:
GET /filers/:filer_serial/blocked-clients/
Get details of a specific blocked SMB client:
GET /filers/:filer_serial/blocked-clients/:blocked_ip/
Delete a blocked SMB client:
DELETE /filers/:filer_serial/blocked-clients/:blocked_ip/
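An added Python example (not part of the Nasuni documentation or of the NMC) that wraps the four endpoints above using only the standard library. It assumes the NMC REST root (for example https://nmc.example.com/api/v1.1), a token carried in an "Authorization: Token" header, and a POST body field named client_ip; check each of these against the Nasuni API Documentation before use. It also adds block_on_all_filers for the DFS/NetScaler situation noted earlier on this page, where a client blocked on one Edge Appliance can reconnect through another, and a dry-run opener so the functions can be exercised without an NMC.

```python
import json
import urllib.request
from urllib.error import HTTPError

# Assumptions of this example (verify against the Nasuni API Documentation):
# - `base` is the NMC REST root, e.g. https://nmc.example.com/api/v1.1
# - the API accepts "Authorization: Token <token>"
# - the POST body names the address as "client_ip" and responses are JSON
# The endpoint paths are the ones listed on the page.


def build_request(base, token, method, path, body=None):
    """Build a urllib Request for an NMC API call without sending it."""
    url = base.rstrip("/") + "/" + path.lstrip("/")
    headers = {"Authorization": "Token " + token, "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def call(req, opener=urllib.request.urlopen):
    """Send the request and decode a JSON body; an empty body becomes None."""
    with opener(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def list_blocked_clients(base, token, serial, opener=urllib.request.urlopen):
    return call(build_request(base, token, "GET", f"filers/{serial}/blocked-clients/"), opener)


def get_blocked_client(base, token, serial, ip, opener=urllib.request.urlopen):
    return call(build_request(base, token, "GET", f"filers/{serial}/blocked-clients/{ip}/"), opener)


def block_client(base, token, serial, ip, opener=urllib.request.urlopen):
    body = {"client_ip": ip}  # assumed field name
    return call(build_request(base, token, "POST", f"filers/{serial}/blocked-clients/", body), opener)


def unblock_client(base, token, serial, ip, opener=urllib.request.urlopen):
    return call(build_request(base, token, "DELETE", f"filers/{serial}/blocked-clients/{ip}/"), opener)


def block_on_all_filers(base, token, serials, ip, opener=urllib.request.urlopen):
    """Block one client on every Edge Appliance that hosts the share.

    Incident Mitigation only blocks on the appliance that saw the attack, so a
    DFS or load-balanced client can reconnect through another one; this closes
    that gap from the NMC API. Returns a per-serial outcome so a failure on one
    appliance does not hide success on the others."""
    outcome = {}
    for serial in serials:
        try:
            block_client(base, token, serial, ip, opener)
            outcome[serial] = "blocked"
        except HTTPError as err:
            outcome[serial] = f"HTTP {err.code}"
    return outcome


class DryRunOpener:
    """Stand-in for urllib.request.urlopen: records requests instead of sending
    them and answers with a canned body, so the example runs without an NMC."""

    class _Resp:
        def __init__(self, body): self._body = body
        def read(self): return self._body
        def __enter__(self): return self
        def __exit__(self, *exc): return False

    def __init__(self, canned=b""):
        self.sent, self.canned = [], canned

    def __call__(self, req):
        self.sent.append(req)
        return self._Resp(self.canned)


if __name__ == "__main__":
    dry = DryRunOpener(b'[{"ip_address": "10.0.0.5", "blocked_by": "Mitigation Policy"}]')
    base, token = "https://nmc.example.com/api/v1.1", "REPLACE-ME"
    print(list_blocked_clients(base, token, "SERIAL-A", opener=dry))
    print(block_on_all_filers(base, token, ["SERIAL-A", "SERIAL-B"], "10.0.0.5", opener=dry))
    for req in dry.sent:
        print(req.get_method(), req.full_url, req.data)
```

Drop the opener argument to talk to a real NMC. Blocking and unblocking this way requires the “Manage Network Settings” permission, and a block issued through the API shows the API user's name in the Blocked By column rather than “Mitigation Policy”.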
To view the list of Blocked Clients, click Cyber Resilience, then click Blocked Clients. The Blocked Clients page appears.

Figure 11-23: Blocked Clients page.
For each blocked SMB client, the following information appears:
IP Address: The IP address of the SMB client that is the source of the ransomware attack.
Filer: The Edge Appliance that the attack was detected on and that the client is blocked from accessing.
Blocked By: What blocked the SMB client, from the following:
Mitigation Policy: The SMB client was blocked because of Incident Mitigation being enabled and a ransomware incident occurring.
<NMC API user name>: The SMB client was blocked by using the NMC API. Includes the user name of the administrator making the API request.
Blocked Date: The date and time (UTC) that the SMB client was blocked.
Unblocking Blocked Clients
Blocked SMB clients can be unblocked.
Tip: To block SMB clients (using the NMC API) or to unblock blocked SMB clients, you must have the “Manage Network Settings” permission.
To unblock blocked SMB clients, follow these steps:
Select the blocked SMB clients that you want to unblock from the list.
Click Unblock. The Unblock Client dialog box appears.
Figure 11-24: Unblock Client dialog box.
To unblock the selected blocked SMB clients, click Unblock Clients. Alternatively, click Close.
The selected blocked SMB clients are unblocked.
Antivirus Service
You can view or change the Antivirus Protection setting of volumes.
Antivirus Protection protects against viruses and other malware by scanning every new or modified file. The entire file is scanned, not just the changed part of the file. Files are scanned when included in a snapshot, but not during Global File Lock processing.
If a file has no antivirus violations, that file is allowed to be part of a snapshot and to be protected in cloud object storage.
If a scanned file is found to be infected, the authorized administrator can ignore the infection or delete the file.
For example, if an administrator deliberately ignores an infected file, that file is allowed to be part of the snapshot and included in cloud object storage.
Alternatively, if a file is infected, the administrator can delete that file, so that file is not part of the snapshot and is not protected in cloud object storage.
Tip: You can also delete infected files or ignore antivirus violations using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.
You can enable or disable Antivirus Protection at the volume level.
The Antivirus Protection setting is inherited by connecting Nasuni Edge Appliances. For example, if the Boston Nasuni Edge Appliance enables Antivirus Protection for a volume, and the London Nasuni Edge Appliance connects to that volume, then Antivirus Protection is also enabled for that volume on the London Nasuni Edge Appliance. In such a case, there might be a brief time lag before the London Nasuni Edge Appliance inherits that setting.
However, the actual schedule of Antivirus Protection is NOT inherited by connecting Nasuni Edge Appliances. If you change the schedule of Antivirus scans on the volume on the owning NEA, a remote NEA connected to this same volume does not inherit those changes. The remote NEA continues to use the previous schedule.
Nasuni Edge Appliance Antivirus Protection uses the Clam AntiVirus (ClamAV®) open-source antivirus engine and updates the antivirus definition files multiple times daily. Synchronization with the ClamAV virus database occurs within four hours of an update to that database. If you encounter a false positive, you can report the false positive on Clam AntiVirus’s Report False Positive page.
Nasuni Antivirus Protection scans files and container files (such as .zip files). However, it does not detect malware in the following circumstances:
Encrypted or password-protected files or container files.
Files or container files larger than 25 MB.
Container files that contain any file larger than 25 MB.
Container files where the combined size of the container file itself, plus the size of all contained files, is larger than 100 MB.
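These limits mean that some content passes through a snapshot without ever being inspected, and a defender should know which. The following added example (not Nasuni's code) applies the four rules above to a file or a .zip container and reports whether Nasuni Antivirus Protection would have been able to inspect it. The 25 MB and 100 MB limits are the documented ones; treating MB as 1024 × 1024 bytes, using bit 0 of the zip general-purpose flags to detect encrypted members, and covering only .zip containers are this example's assumptions, and the fixtures are constructed.

```python
"""Pre-check whether an object falls inside the Antivirus Protection scan limits.

Added example, not Nasuni code. The 25 MB per-file and 100 MB combined-container
limits are the documented ones. Assumptions: MB means 1024*1024 bytes, only .zip
containers are examined, and an encrypted member is recognised by bit 0 of the
zip general-purpose flags.
"""
import io
import zipfile

MB = 1024 * 1024
MAX_FILE_BYTES = 25 * MB
MAX_CONTAINER_TOTAL_BYTES = 100 * MB


def scan_coverage(data):
    """Return (covered, reason). covered=False means the documented limits put
    this object outside what Antivirus Protection can inspect, so another
    control (endpoint AV, a detonation sandbox) has to cover it."""
    size = len(data)
    if size > MAX_FILE_BYTES:
        return False, "file larger than 25 MB"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return True, "plain file within limits"
    total = size  # the container itself counts toward the combined limit
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted member: cannot be scanned
                return False, f"encrypted member {info.filename}"
            if info.file_size > MAX_FILE_BYTES:  # uncompressed size is what matters
                return False, f"member {info.filename} larger than 25 MB"
            total += info.file_size
    if total > MAX_CONTAINER_TOTAL_BYTES:
        return False, "container plus contents larger than 100 MB"
    return True, "container within limits"


def make_zip(members):
    """Constructed fixture: a deflated zip whose members are runs of zero bytes
    of the given sizes. Such members compress to almost nothing, which is the
    case where the limits on unpacked contents, not the archive size, decide."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, size in members.items():
            zf.writestr(name, bytes(size))
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Constructed fixture: set the encryption flag (bit 0 of the general-purpose
    flags, at offset 8 of the first central directory header) because zipfile
    cannot write encrypted archives itself. Only the headers are read later."""
    idx = zip_bytes.find(b"PK\x01\x02")
    flag = zip_bytes[idx + 8] | 0x1
    return zip_bytes[:idx + 8] + bytes([flag]) + zip_bytes[idx + 9:]


if __name__ == "__main__":
    print(scan_coverage(make_zip({"report.bin": 26 * MB})))
    print(scan_coverage(mark_encrypted(make_zip({"secret.txt": 10}))))
```

Running it over a sample of a share's largest and most common archive types tells you how much of that share is actually inside the AV safety net.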
For more information, see Antivirus Service.
Note: Antivirus Protection is enabled in your license by default. To disable this feature, contact Nasuni Support.
Tip: To administer the settings of Antivirus Protection, you must have the "Manage Cyber Resilience Services" permission.
Important: Using Antivirus Protection has the following effects on performance and data propagation:
Because files must be scanned before they are moved to cloud object storage, this can slightly delay data propagation and file synchronization.
Using Antivirus Protection generally has a low impact on performance, because files are scanned in batches. However, since files do not proceed to cloud object storage until they are scanned, this can delay data propagation and file synchronization until after the scheduled scan occurs.
Performance might be impacted while using the “Check files immediately” option, because these files are scanned upon closing rather than as part of a batch of files.
Tip: To receive email notifications of violations, enable “Violation Alerts” for the user's group.
Note: Antivirus violations are displayed in the Nasuni Edge Appliance or Nasuni Management Console, and are also logged to the .nasuni/av_violations/ folder of the volume. In the Antivirus log file, each violation entry is of the form:
<DATE> <TIME> <TIMEZONE> New AV violation: <SIGNATURE> found: <PATH>
Example:
2023-09-08 14:32:33 GMT New AV violation: EicarSignature found: /ei.txt
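Since the violation log lives on the volume itself, it is the natural feed for a SIEM or a periodic review. The following added example (not Nasuni's code) parses the record format given above and groups hits by signature. The first sample line is the page's own example; the remaining lines are constructed, and treating the GMT timezone label as UTC is an assumption.

```python
"""Parser and per-signature summary for the .nasuni/av_violations/ log format.

Added example, not Nasuni code. The first SAMPLE_LOG line is the documented
example; the rest are constructed. Mapping the "GMT" label to UTC is an
assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# <DATE> <TIME> <TIMEZONE> New AV violation: <SIGNATURE> found: <PATH>
VIOLATION_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"New AV violation: (?P<signature>.+?) found: (?P<path>.+)$"
)

SAMPLE_LOG = """\
2023-09-08 14:32:33 GMT New AV violation: EicarSignature found: /ei.txt
2023-09-08 14:35:10 GMT New AV violation: EicarSignature found: /shared/inbox/test2.txt
2023-09-08 15:02:41 GMT New AV violation: Win.Test.EICAR_HDB-1 found: /shared/build/eicar.com
this line is not a violation record
"""


def parse_violation(line):
    """Return a dict for one violation record, or None for a line of another form."""
    m = VIOLATION_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["tz"] == "GMT":  # assumption: GMT label means UTC
        naive = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["when"] = naive.replace(tzinfo=timezone.utc)
    else:
        rec["when"] = None  # unknown label: keep the raw fields, do not guess an offset
    return rec


def summarize(log_text):
    """Group violation paths by signature and count lines that did not parse.
    A signature that keeps reappearing under different paths is the one to
    investigate first, since every hit is a file held back from the snapshot."""
    by_sig = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_violation(line)
        if rec is None:
            skipped += 1
            continue
        by_sig[rec["signature"]].append(rec["path"])
    return {"by_signature": dict(by_sig), "skipped_lines": skipped}


if __name__ == "__main__":
    for sig, paths in summarize(SAMPLE_LOG)["by_signature"].items():
        print(f"{sig}: {len(paths)} file(s)")
```

Lines that do not match the documented format are counted rather than dropped silently, so a change in the log layout shows up as a rising skipped count instead of an empty report.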
Tip: To access the hidden .nasuni directory on an SMB share, you must be an administrative user.
Because the .nasuni directory is located in the root directory of the volume, in order to access the .nasuni directory, you must create a share to the root directory of the volume. In addition, this hidden directory must be visible on the client machine. For example, in Windows, “Show Hidden Files, folders, and drives” must be enabled, and “Hide protected operating system files” must be disabled.
Important: If an open file has Global File Lock enabled and is saved, that file is protected in the cloud outside of the regular snapshot, even if that file is still open. However, if Antivirus Protection is enabled, the open file is not immediately protected in the cloud, because Antivirus Protection must check that the file has no infections before moving the file to cloud object storage. In this case, after Antivirus Protection ascertains that the file has no infections, then that file is protected in the cloud.
If a file does have antivirus infections, and those infections are marked “Ignore”, then the file experiences the usual Global File Lock processing.
For details of Global File Lock processing, see Global File Lock.
For details of Antivirus Protection processing, see Antivirus Service.
Antivirus Services Page
You can enable and configure Antivirus Services for volumes.
Click Cyber Resilience, then click Antivirus Services. The Volume Antivirus Services page appears.

Figure 11-25: Volume Antivirus Service page.
For each volume, the following information appears:
Filer: The Nasuni Edge Appliance that contains the volume.
Antivirus Protection: Indicates if the Antivirus Service is enabled for the volume: Enabled (Antivirus Service is operational) or Disabled (Antivirus Service is not operational).
Check Immediately (only for volumes on which the SMB (CIFS) protocol has been enabled): Indicates whether the Antivirus Service also checks files as they are written to the Nasuni Edge Appliance, in addition to the specified Antivirus Service schedule. If so, displays “Check immediately”.
Antivirus Schedule: If Antivirus Service is enabled, the days of the week and the time during which to perform Antivirus Service. If Antivirus Service is disabled, displays “--”.
Antivirus Frequency: If Antivirus Service is enabled, the frequency of performing Antivirus Service during the Antivirus Schedule. If Antivirus Service is disabled, displays “--”.
Editing Antivirus Service settings
To edit Antivirus Service settings, follow these steps:
On the Volume Antivirus Service page, select the volumes in the list whose Antivirus Service settings you want to edit.
Click Edit Volumes. The Edit Antivirus Service dialog box appears.
Figure 11-26: Edit Antivirus Service dialog box.
To copy settings from another volume, select the volume from the Copy Settings drop-down list. The settings from that volume appear in the dialog box.
To enable the Antivirus Service, set the Antivirus Protection setting to On. To disable the Antivirus Service, set the Antivirus Protection setting to Off.
If you select On, then configure the Antivirus Scanning Schedule by performing these steps:
To select or deselect all days for Antivirus Service scanning, click Select/Deselect All.
Select the days for Antivirus Service scanning to occur (for example, Sunday to Saturday).
Only for volumes on which the SMB (CIFS) protocol has been enabled: to also check files as they are written to the Nasuni Edge Appliance, in addition to the specified Antivirus Service schedule, select the Check Files Immediately check box. Otherwise, clear the Check Files Immediately check box.
Note: Enabling “Check Files Immediately” can have a small effect on performance.
To specify scanning 24 hours a day, select the 24 Hours/Day check box.
Alternatively, select the hour for scanning to start from the Start drop-down list. Select the hour for scanning to stop from the Stop drop-down list.
Select the frequency for Antivirus Service scanning to occur from the Frequency drop-down list. If the volume does not have Remote Access enabled, your choices are 1, 2, 4, 8, 12, or 24 hours. If Remote Access is enabled, your choices are 1, 5, 10, 15, 25, or 30 minutes, or 1, 2, 4, 8, 12, or 24 hours.
Note: Volumes that do not have Remote Access enabled only have Frequency options of hours, not minutes. For Antivirus Service scanning more frequently than every 1 hour, enable Remote Access for the volume.
Note: In addition to the specified scanning schedule, a scan is performed automatically with every snapshot.
Changed files must be scanned for antivirus before being written to the cloud. That can occur either by a scheduled Antivirus Service scan or during the Antivirus Service scan that runs as part of a snapshot or Global File Lock processing. Files that are scanned during a scheduled scan, and that have not changed before a snapshot, do not need to be rescanned as part of the snapshot process.
To change the Antivirus Service settings, click Save. The volume appears in the list on the Volume Antivirus Services page.
Alternatively, to exit the dialog box without changing the Antivirus Service settings, click Close.
Antivirus Violations Page
The Antivirus Violations page provides virus infection information on the volume level.
If a file has no antivirus violations, that file is allowed to be part of a snapshot and to be protected in cloud object storage.
Infected files are flagged; however, you can choose to ignore a violation. Files with ignored violations are included in the snapshot and become protected in cloud object storage, similar to non-infected files.
If a file possesses an antivirus violation, and the administrator does not ignore the violation, that file is excluded from the snapshot and the cloud object storage protection.
Nasuni Edge Appliance Antivirus Protection uses the Clam AntiVirus (ClamAV®) open-source antivirus engine and updates the antivirus definition files multiple times daily. Synchronization with the ClamAV virus database occurs within four hours of an update to that database. If you encounter a false positive, you can report the false positive on Clam AntiVirus’s Report False Positive page.
Click Cyber Resilience, then click Antivirus Violations. The Antivirus Violations page appears.

Figure 11-27: Antivirus Violations page.
Tip: This function can also be performed using the NMC API. For details, see NMC API.
The Antivirus Violations page displays a list of SMB (CIFS) and NFS volumes and FTP/SFTP directories on managed Nasuni Edge Appliances that have antivirus violations.
The following information appears for each volume in the list:
Volume: The name of the volume.
Filer: The Nasuni Edge Appliance that owns the volume.
Filepath: The path to the file with the antivirus violation.
Virus Name: The virus that was detected.
Filtering the Display
Using the Filter text box, you can limit the display to items that match the criteria that you enter. See “Filtering Displays” on page 596 for details.
On this screen, the following field names are available:
volume: Matches values in the Volume field.
filer: Matches values in the Filer field.
filepath: Matches values in the Filepath field.
virus: Matches values in the Virus Name field.
Reviewing antivirus violations
Tip: You can also delete infected files or ignore antivirus violations using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.
To review antivirus violations, follow these steps:
On the Antivirus Violations page, select the volumes in the list whose antivirus violations you want to edit.
Figure 11-28: Antivirus Violations page.
For each selected file, click either Ignore or Delete.
To ignore a detected infection and permit the infected file to enter cloud object storage, click Ignore. The Ignore Infected Files dialog box appears. Click Ignore Infected Files. The infected file is permitted to enter cloud object storage.
Figure 11-29: Ignore Infected File dialog box.
Note: The Nasuni Management Console records the name of the authorized administrator who authorizes ignoring the infected file in the .nasuni/av_violations/ folder of the volume.
Alternatively, to delete the infected file and prevent it from entering cloud object storage, click Delete. The Delete Infected Files dialog box appears. To delete the infected files, click Delete Infected Files.
Figure 11-30: Delete Infected Files dialog box.