Superna Eyeglass® Ransomware Defender Feature list

Release 2.5.8 (2.5.7.2 update 2 will be delivered in 2.5.8)

  1. New Ransomware Behavior Detectors

    1. Two new behavior detectors in this release add additional protection against file-based attacks.

    2. The new detectors support learning mode and flag as false positive.

    3. On upgrade it is possible that new detections will occur. Switching to learning mode after the upgrade is recommended. NOTE: Learning mode offers full file system protection.

  2. Granularity of protective snapshots

    1. Snapshot quota - a limit on the number of snapshots that Ransomware Defender can have in existence at any one time. The limit is applied after expired Ransomware Defender snapshots are removed, so additional snapshots can be created up to the configurable limit. Default snapshot expiry is 48 hours.

    2. Critical Paths - allows listing paths that receive snapshots whenever a detection occurs anywhere in the file system. This addresses environments that use ACL security rather than share-level security, and protects critical application data if ransomware is detected in other parts of the file system.

      1. Modes

        1. snapshot only critical paths from a detection

        2. snapshot critical paths and user SMB share paths per user

        3. snapshot only SMB share paths per user
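The snapshot quota, the 48 hour expiry and the three critical-path modes listed above, modelled together as an added example. This is illustrative code, not Superna's, and the class and mode names, the quota value and the sample paths and timestamps are assumptions; it shows how expiry is applied before the quota is checked, how each mode chooses the target paths, and what happens when the targets exceed the remaining quota.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Default expiry stated in the feature list; the quota counts only live snapshots.
SNAPSHOT_EXPIRY = timedelta(hours=48)

# Hypothetical names for the three modes described on the page.
MODE_CRITICAL_ONLY = "critical_only"
MODE_CRITICAL_AND_USER_SHARES = "critical_and_user_shares"
MODE_USER_SHARES_ONLY = "user_shares_only"


@dataclass
class Snapshot:
    path: str
    created: datetime


@dataclass
class SnapshotPlanner:
    """Decides which paths get a protective snapshot after a detection."""
    quota: int
    critical_paths: List[str]
    mode: str
    existing: List[Snapshot] = field(default_factory=list)

    def expire(self, now: datetime) -> int:
        """Drop snapshots older than the expiry; return the number still live."""
        self.existing = [s for s in self.existing if now - s.created < SNAPSHOT_EXPIRY]
        return len(self.existing)

    def target_paths(self, user_share_paths: List[str]) -> List[str]:
        """Select paths according to the configured critical-path mode."""
        if self.mode == MODE_CRITICAL_ONLY:
            targets = list(self.critical_paths)
        elif self.mode == MODE_CRITICAL_AND_USER_SHARES:
            targets = list(self.critical_paths) + list(user_share_paths)
        elif self.mode == MODE_USER_SHARES_ONLY:
            targets = list(user_share_paths)
        else:
            raise ValueError("unknown mode: %s" % self.mode)
        # A path that is both critical and a user share is snapshotted once.
        return list(dict.fromkeys(targets))

    def plan(self, user_share_paths: List[str], now: datetime) -> Tuple[List[str], List[str]]:
        """Return (paths snapshotted now, paths skipped because the quota is full)."""
        live = self.expire(now)
        targets = self.target_paths(user_share_paths)
        free = max(self.quota - live, 0)
        taken, skipped = targets[:free], targets[free:]
        for path in taken:
            self.existing.append(Snapshot(path, now))
        return taken, skipped


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: quota of 3, one expired and one live snapshot already present."""
    now = datetime(2021, 6, 1, 12, 0, 0)
    planner = SnapshotPlanner(
        quota=3,
        critical_paths=["/ifs/data/erp", "/ifs/data/finance"],
        mode=MODE_CRITICAL_AND_USER_SHARES,
        existing=[
            Snapshot("/ifs/home/bob", now - timedelta(hours=50)),  # expired, freed first
            Snapshot("/ifs/home/carol", now - timedelta(hours=1)),  # still live
        ],
    )
    # A detection against user alice, whose SMB shares map to these paths.
    return planner.plan(["/ifs/home/alice", "/ifs/data/finance"], now)


if __name__ == "__main__":
    taken, skipped = demo()
    print("snapshotted:", taken)
    print("skipped (quota full):", skipped)
```

In the constructed scenario the expired snapshot is removed first, leaving one live snapshot and two free slots, so the two critical paths are snapshotted and the user's home share is skipped until a slot frees up; the mode and quota are the two settings an operator would tune after reviewing such a result.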

  3. Airgap Enhancements

    1. Auto detection of the Airgap nodes for in-band vault alarm management

    2. Enterprise vault OVF with automated log push during airgap syncs

    3. Airgap basic automation API for external on demand airgap job execution

    4. Smart Airgap API available for 3rd party integration or monitoring the threat level from SIEM tools.

    5. Airgap maintenance request CLI command (disabled by default) to allow a request to open the vault for x minutes for maintenance activity on the vault. 

Release 2.5.7.1 Update 1 GA

  1. Robustness

    1. Automatic stale mount detection on ECA nodes will reconnect the mount if network issues cause NFS mount issues

    2. Turbo Audit disk quota for audit data rollover processing to ensure the disk will not fill due to many rollover files being processed.  Automatic rate limiting of rollover file processing.

    3. New threat detectors around file renames that cover more potential scenarios

Release 2.5.7 Ransomware Defender

  1. AirGap 2.0 - A complete solution to protect your data with proactive behavior monitoring of source data access, combined with Smart AirGap technology to manage SyncIQ policy replication to a 3rd AirGap Isilon.

  2. Smart AirGap is a solution unique to Ransomware Defender that suspends copy operations when an active threat to your data is detected, unlike other solutions, which will copy encrypted data to the offline copy.

  3. Ransomware Defender manages the AirGapped Isilon in-band over the replication network, ensuring your isolated Isilon is never exposed on your network.

  4. Automated AirGap Management ensures the AirGap is opened and closed automatically before and after SyncIQ block level incremental copies complete. The fastest AirGap solution: your 3rd copy can be an hour behind production, not days as with other solutions.

  5. Virtual AirGap manages the network to ensure your data is offline and not accessible over the network when no data syncs are in progress.

  6. New behavior detections expand behavior analysis; combined with the honeypot and a managed banned list of 2500+ extensions, this provides the highest level of data protection.

  7. Support for Authenticated Users SMB share permissions: lockout will now apply to shares that grant access to users through this well-known AD group.

  8. Major Feature Updates

    1. Learning Mode.  Automates the monitoring of user behavior and applies the settings needed to adjust detection. This covers both user behavior detections and extension-based detections from the banned file list.

    2. Monitor mode by user, path or IP address.  Removes the need to whitelist and allows monitor mode to be applied to a path, an IP address or an AD user name. Detection and snapshots are retained without any lockout. This provides a new method that will replace whitelisting in most cases.

    3. Updated threat detector settings for user behavior detection - new detection vector

    4. Banned file list versioning 

      1. Multiple file versions allow transitioning to a new file version with the latest extensions, or rolling back to a previous version

    5. Banned file list hosted in a new location compatible with phone home URLs

      1. Eyeglass deployments that use phone home will now be able to use the phone home URL to retrieve the banned list, simplifying firewall and URL whitelisting.

    6. Allowed File Extension List Redesigned to File Filter Feature

      1. The banned file list is now retrieved and managed by Eyeglass, not the ECA.  This means proxy and phone home settings can be used to retrieve the updated file list from the Internet.

      2. All banned files are now displayed in a searchable interface.  Each file can be enabled, disabled or set to monitor mode.

      3. Ability to add custom file extensions is supported.

      4. CLI command to convert whitelist entries to new monitor mode settings.

    7. Dual Vector Warning detection - A new behavioral detection option that looks for different behaviors within the Warning severity.  It adds one additional pattern of suspicious user activity, designed to ignore spikes in user detection signals, and provides a new analysis vector on user IO behavior to generate warnings.

Key Features previous releases:

  1. No HDFS needed! Ransomware Defender has been redesigned to no longer require HDFS. Easier to install with fewer dependencies.

  2. New GUI for flag as false positive: view users that have been flagged and reset a user to factory default detection settings.

  3. Allowed file list add UI for whitelisting files on the dynamic extension list.

  4. SIEM Integration - audit data real-time syslog forwarding