Setting Up CTERA Ransom Protect

You can enable the behavioral engine and the honeypot engine independently of each other.

To enable the Ransom Protect behavioral and honeypot engines:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click Settings.
    The Ransom Protect Settings window is displayed.
  3. To enable the behavioral engine, check Behavioral Detection.
  4. CTERA recommends leaving the Detection Threshold and the Advanced Detection Interval settings with the default values.
    The Detection Threshold is the number of suspicious events that must occur before ransomware protection is triggered. If the threshold is set too high, an attack could cause more damage than necessary or may go undetected. On the other hand, if it's set too low, the number of false positive detections may increase.
    The Detection Interval is the number of seconds between checks on user behavior records for potential attacks. Choosing a lower value leads to quicker ransomware detection, but it may also increase CPU load.
    Note

    The Detection Threshold and the Advanced Detection Interval settings default values are based on extensive testing but can be tuned if needed.

  5. To enable the honeypot engine, check Honeypot Detection.
    Note

    You can check both Behavioral Detection and Honeypot Detection to enable both engines.

    If you change the Directory Name value, the name must be at least 16 characters long and cannot be more than 20 characters.
  6. Click Save.

Whether to enable one engine or both depends on factors such as the type of data.

CTERA Ransom Protect is active.

Note

To disable CTERA Ransom Protect, click Settings in the Ransom Protect page and uncheck Behavioral Detection and Honeypot Detection and then click Save. After disabling Honeypot Detection, all honeypot directories immediately disappear.

Coping with False Positive Detections

If you find that you are getting too many false positive results, you can exclude specific users from detection.

Excluding Specific Users From Detection

If you get false positive results for specific users, it may be because those users perform actions that are acceptable within the organization but still trigger a detection. You can exclude these users from having their actions checked by CTERA Ransom Protect; excluded users do not see the honeypot directory, or see it as empty.
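As an added illustration, not code from this page or from CTERA, the following Python models the two engines over a constructed event timeline to show how the Detection Threshold and Detection Interval trade off against each other, and how excluded users fall outside both the behavioral and the honeypot checks. The honeypot directory name, users, paths and the "suspicious" classification are assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed names/timeline; this is an illustrative model, not CTERA's engine code.
HONEYPOT_DIR = "/share/hp-constructed-0123"  # Directory Name must be 16-20 characters
Event = namedtuple("Event", "ts user path suspicious")  # ts in seconds

# Constructed sample: alice encrypts files, bob runs an approved build job (excluded),
# carol does one odd rename, dave writes into the honeypot directory.
EVENTS = [
    Event(0.0, "alice", "/share/docs/q1.xlsx.locked", True),
    Event(1.0, "alice", "/share/docs/q2.xlsx.locked", True),
    Event(1.0, "bob", "/share/build/out.bin.tmp", True),
    Event(2.0, "alice", "/share/docs/q3.xlsx.locked", True),
    Event(3.0, "alice", "/share/docs/q4.xlsx.locked", True),
    Event(3.0, "bob", HONEYPOT_DIR + "/x", True),
    Event(4.0, "alice", "/share/docs/q5.xlsx.locked", True),
    Event(5.0, "carol", "/share/notes/old.txt.bak", True),
    Event(6.0, "dave", HONEYPOT_DIR + "/y", False),
]


def detect(events, threshold, interval, excluded=frozenset(), honeypot_dir=HONEYPOT_DIR):
    """Behavioral: every `interval` seconds, flag users whose cumulative suspicious-event
    count has reached `threshold`. Honeypot: a write inside the honeypot directory flags
    the user at once. Excluded users are skipped. Returns (time, user, engine) tuples."""
    counts, flagged, alerts = defaultdict(int), set(), []
    events = sorted(events, key=lambda e: e.ts)
    next_check = events[0].ts + interval if events else 0.0

    def alert(now, user, engine):
        if (user, engine) not in flagged:  # one alert per user and engine
            flagged.add((user, engine))
            alerts.append((now, user, engine))

    def run_check(now):
        for user, n in counts.items():
            if n >= threshold:
                alert(now, user, "behavioral")

    for ev in events:
        while ev.ts >= next_check:  # run every scheduled check that is now due
            run_check(next_check)
            next_check += interval
        if ev.user in excluded:
            continue  # excluded users are never inspected and never see the honeypot
        if ev.path.startswith(honeypot_dir + "/"):
            alert(ev.ts, ev.user, "honeypot")
        elif ev.suspicious:
            counts[ev.user] += 1
    run_check(next_check)  # the final scheduled check
    return alerts
```

With the defaults in this model, shortening the interval from 5 s to 1 s moves alice's detection from t=5 to t=3, while lowering the threshold to 1 also flags carol's single odd rename, the false-positive case the page warns about.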

To exclude users from ransomware detection:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click the number below Exclude Users.
    The Specify Group Name window is displayed.
  3. Click Next.
    The Select Group Members window is displayed.
  4. Select the user to exclude from ransomware detection.
    1. Select Local Users, Domain domainName Users, or Domain domainName Groups.
    2. In the Quick Search box start entering the name of the user or group to exclude or click ... and select the user from the list.
  5. Click Next.
    The Wizard Completed window is displayed.
  6. Click Finish.

The user is excluded from ransomware detection.

A user that has been excluded from being detected can be removed from the excluded group (for example, if the user leaves the organization).

To remove a user from the Excluded Users group:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click the number below Exclude Users.
    The Specify Group Name window is displayed.
  3. Click Next.
    The Select Group Members window is displayed.
  4. Select Local Users, Domain domainName Users, or Domain domainName Groups to display the excluded users from that group, and click the icon next to the user you want to remove from the list.
    The user is removed from the exclude list.
