
AR restoring files deleted properly - what to exclude?

Hi,

we have an issue with Anti-Ransomware / Remediation.

The Windows admin was cleaning up some unnecessary user profiles from clients with standard Windows processes.

A bit later, users reported that they got a popup from Anti Ransomware and that dozens of files were restored.

Has anyone else experienced this behavior?

Is there any way to exclude this properly, without making the system vulnerable by excluding system processes?

Thanks & BR

0 Kudos
5 Replies
Employee++

Re: AR restoring files deleted properly - what to exclude?

Hi Amir,

We did several fine-tunings on the "mass-file modification" behavioral detection mechanism during the latest releases.

Are you running the latest version 80.81?

Endpoint Security Homepage 

Regards Thomas 

0 Kudos

Re: AR restoring files deleted properly - what to exclude?

Unfortunately not yet - I've seen today that it should be released, but the download link is dead.

BR,

Amir

0 Kudos
Employee++

Re: AR restoring files deleted properly - what to exclude?

Hi Amir,

I notified the SK owner that the download links are broken.


Regards Thomas

0 Kudos
Olga_Kuts
Silver

Re: AR restoring files deleted properly - what to exclude?

Hello!

I have a similar problem.

Are there recommendations for Anti-Ransomware exceptions? There are legitimate programs that change a lot of user files; it's logical to add them to exceptions. But the customer wants to get recommendations from the documentation.

0 Kudos
Employee++

Re: AR restoring files deleted properly - what to exclude?

Hi Olga,

We have already embedded exclusions for processes, so best practice up to this point is already included.

For other software this is, as you wrote, specific to the software behavior itself, like a massive amount of file changes etc. ...

So the best approach is testing SBA on a test client with all the software you need, to find out if you must include additional exclusions ...

Regards Thomas