Ransomware Incident detail
NOTE File Protection Ransomware Detection & Management is supported on File Protection Server and File Protection Desktop for Windows and Mac 7.4 or later, but we recommend that you use the most recent versions to enjoy the best possible user experience.
The Incident Detail provides all the information and management tools you need to handle team ransomware incidents detected by File Protection.
IMPORTANT This feature is designed to prevent ransomware-encrypted files from being backed up and to minimize the time it takes to revert to your last known-good backup set. If you have a confirmed ransomware incident, we recommend that you revert the affected files, recycle the device via File Protection, completely uninstall File Protection from the device (refer to Install or uninstall File Protection Desktop), scrub the device of all malware, reinstall File Protection, and restore the files from the service.
On this page, you can review incident details, confirm or ignore the incident, generate a report, track the incident through its lifecycle, revert affected files and export relevant information about them, review the status of affected devices, and drill to the Device Detail page for each device.
This page is comprised of four sections: Incident summary, Incident details, (Revert) Affected Files, and How to...
NOTE Some sections will be expanded or collapsed by default, depending on the current status of the incident.
Incident summary
This section, located at the top of the page, displays the following general information about the incident:
| Area | Definition |
|---|---|
| Name and Status | Displays the name of the incident, which is comprised of the incident type and a unique system-generated alphanumeric code. Also displays the current status of the incident. Possible statuses are: New, Open, Ignored, and Completed. |
| Source | Displays the name of the device on which suspicious activity was detected, as well as the current device status. It also displays the name and email address of the device owner. Click anywhere in this area to open the Device Detail. |
| Resources Affected | Displays the number of files affected by the incident. |
Incident details
This section displays information about the reasons the incident was triggered, our confidence score on the validity of the incident, and a timeline summarizing incident handling. The areas that display depend on the current status of the incident. All areas that can possibly be displayed are defined below:
| Heading | Definition |
|---|---|
| Incident Event Timeline | |
| Incident Started | The number of files affected and a description of the changes. |
| Source device quarantined | The name and owner of the device that has been quarantined due to a suspected ransomware attack. |
| Incident ignored | The name of the user who marked the incident Ignored, and the name of the device added to the Security Excluded Devices list. |
| Device released from Quarantine | The name of the device released from quarantine and the name of the user who released it. |
| Ransomware attack confirmed | The name of the user who confirmed the ransomware attack. |
| Affected files reverted | The number of files reverted, the name of the user who reverted them, and the version dates they were reverted to. |
| Incident marked complete | The name of the user who marked the incident complete. |
| Device recycled | The name of the recycled device and the user who recycled it. |
| Confidence Score | |
| Confidence Score | This rating, calculated by the system, indicates the level of confidence we have that this incident is an actual security incident. |
(Revert) Affected Files
This section lists all the files affected by the ransomware incident and offers the opportunity to export the information or, when applicable, to revert the files to their state prior to the incident. The columns that display depend on the current status of the incident. All columns that can possibly be displayed are defined below:
| Column | Definition |
|---|---|
| Before Revert | Describes the current state of the file. |
| After Revert | Describes the result of reverting the file to its state before the ransomware attack. |
| Revert Action | Describes the action executed by reverting the file. |
| File Name & Path | The name and path of the affected file. |
| Owner | The owner of the affected file. |
| Event Date | The date and time the change to the file was detected. |
| Reverted | The date and time the file was reverted. |
| Reverted By | The name of the user who executed the revert function. |
| Status | The reversion status of the file. The available statuses are Reverting and Reverted. If you are unsure of the status meaning, hover over the question mark icon to display a tooltip. |
How to...

Open the Incident Detail page
- If you are a designated security incident notification recipient, you will receive an email alert when a suspected ransomware attack has occurred. The email will look like this:
- In the email, click Manage Security Incident.
- Log in to File Protection.
- The Incident Detail page will open.

Confirm an incident
NOTE You can only confirm incidents with a status of New.
- Click Confirm.
- The incident status will change from New to Open, and different options will become available on the Ransomware Incident Detail page.

Ignore an incident
NOTE You can only ignore incidents with a status of New.
- Click Ignore. The popup below will open:
- Optionally, select the Disable ransomware detection for the device check box to add the device to the Excluded from Security list.
- Click Ignore.

Export information about affected files
- Click the Export button in the (Revert) Affected Files area.

Revert affected files
NOTE You can only revert files for incidents with a status of Open.
- Go to the Revert Affected Files area.
NOTE The Before Revert and After Revert columns indicate what the revert function will do.
- Click the Revert button. This will open the following confirmation popup:
- Click Revert.
- Monitor the reversion process in the Revert Affected Files header line.

Complete an incident
NOTE You can only complete incidents with a status of Open.
- Click the Mark Incident Complete button.
NOTE If you complete an incident without first reverting files, the following popup will display. If you select Revert Files, you may monitor the revert process, then click the Mark Incident Complete button again.
- If you have already reverted the affected files, the following popup will display:
- Note the security guidance provided on the popup, then click Complete (Recycle Source Device).

Generate a report
- Click Report.
- Proceed as you normally would from the resulting print dialog.