Setting Up CTERA Ransom Protect

Note

To prevent false positive events, CTERA recommends initially enabling CTERA Ransom Protect in Ransomware Detection mode. In this mode, CTERA Ransom Protect only monitors the traffic without blocking malicious users. After the system has proven to work well for a while, you can then enable Ransomware mitigation. If you encounter false positives, refer to Coping with False Positive Detections for guidance.

To enable Ransom Protect:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click Settings.
    The Ransom Protect Settings window is displayed.
  3. Check Ransomware Detection.
  4. Leave the Advanced settings with the default values unless you encounter too many false positives. If this happens, see Coping with False Positive Detections to resolve the issue.
    Note

    The advanced settings default values are based on extensive testing but can be tuned if needed.

    • Detection Threshold is the number of suspicious events that must occur before ransomware protection is triggered. If the threshold is set too high, an attack could cause more damage than necessary or may go undetected. On the other hand, if it's set too low, the number of false positive detections may increase.
    • Detection Interval is the number of seconds between checks on user behavior records for potential attacks. Choosing a lower value leads to quicker ransomware detection, but it may also increase CPU load.
  5. Click Save.

CTERA Ransom Protect is active.

Note

To disable CTERA Ransom Protect, click Settings on the Ransom Protect page, uncheck Ransomware Detection, and then click Save.

Coping with False Positive Detections

If you find that you are getting too many false positive results, you can reduce this number by Tuning the Detection Threshold or Excluding Specific Users From Detection.

Tuning the Detection Threshold

The Detection Threshold is the number of suspicious events that must occur before ransomware protection is triggered. To reduce the detection sensitivity, and as a consequence, the number of false positive results, you can increase the value of Detection Threshold.

Excluding Specific Users From Detection

If the false positive results come from specific users, these users may be performing actions that are acceptable within the organization but still trigger a detection. You can exclude these users from having their actions checked by CTERA Ransom Protect.
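The trade-offs behind Tuning the Detection Threshold and Excluding Specific Users From Detection can be seen in a small simulation. This is an added example, not CTERA code: the checking model (a running total of suspicious events per user, compared against the threshold at every interval), the event data and the user names are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events: (seconds since start, user, is_suspicious).
# Not CTERA log data; user names are hypothetical.
EVENTS = (
    [(t, "backup-svc", True) for t in range(0, 120, 10)]  # benign bulk renames, 12 events
    + [(t, "mallory", True) for t in range(60, 160)]      # attack, 1 event per second
    + [(t, "alice", False) for t in range(0, 200, 7)]     # ordinary file activity
)


def simulate(events, threshold, interval, excluded=()):
    """Return {user: (detection_time_s, suspicious_events_by_then)}.

    Assumed model, not CTERA's algorithm: every `interval` seconds the checker
    totals each user's suspicious events so far and flags any user whose
    total has reached `threshold`. Users in `excluded` are never counted.
    """
    events = sorted(events)
    end = events[-1][0]
    counts, flagged = Counter(), {}
    i, tick = 0, interval
    while tick <= end + interval:
        # Consume every event recorded before this check runs.
        while i < len(events) and events[i][0] < tick:
            _, user, suspicious = events[i]
            if suspicious and user not in excluded:
                counts[user] += 1
            i += 1
        for user, total in counts.items():
            if total >= threshold and user not in flagged:
                flagged[user] = (tick, total)
        tick += interval
    return flagged


if __name__ == "__main__":
    for label, kwargs in [
        ("low threshold", dict(threshold=10, interval=30)),
        ("high threshold", dict(threshold=50, interval=30)),
        ("short interval", dict(threshold=10, interval=5)),
        ("service account excluded", dict(threshold=10, interval=30, excluded={"backup-svc"})),
    ]:
        print(f"{label:26} {simulate(EVENTS, **kwargs)}")
```

In this model an excluded account is never flagged, whatever it does, so an exclusion removes the false positive at the cost of not checking that account at all.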

To exclude users from ransomware detection:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click the number below Exclude Users.
    The Specify Group Name window is displayed.
  3. Click Next.
    The Select Group Members window is displayed.
  4. Select the user to exclude from ransomware detection.
    1. Select Local Users, Domain domainName Users, or Domain domainName Groups.
    2. In the Quick Search box, start entering the name of the user or group to exclude, or click ... and select the user from the list.
  5. Click Next.
    The Wizard Completed window is displayed.
  6. Click Finish.

The user is excluded from ransomware detection.
A user that has been excluded from being detected can be removed from the excluded group (for example, if the user leaves the organization).

To remove a user from the Excluded Users group:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click the number below Exclude Users.
    The Specify Group Name window is displayed.
  3. Click Next.
    The Select Group Members window is displayed.
  4. Select Local Users, Domain domainName Users, or Domain domainName Groups and click the icon next to the user to remove from the list.
    The user is removed from the exclude list.
