Cyber Recovery Manager

Overview

This recovery solution extends Ransomware Defender to fully automate data recovery after a cyber attack.  It is integrated into the Events and Event History tabs of the Ransomware Defender icon.  Ransomware Defender caches a history of audit events, which allows reaching back in time to before an attack was detected, so that data changed before the detection can be reviewed and recovered.  This data is presented in the Recovery Manager, and single-file or path-based filters allow targeted recovery.

Customers now have an end-to-end solution covering detection, response and recovery, with automation at every step of the attack life cycle.  This version also distinguishes recoverable data (a valid usable snapshot exists AND the file is present in that snapshot), unrecoverable data (no valid usable snapshot exists from which to recover the file), and recovered data (already recovered by the Recovery Manager).

A key requirement in any cyber incident is post-mortem analysis and forensics.  Cyber Recovery Manager includes an automated quarantine feature that moves affected files into a hidden location so they can be reviewed later.  This also removes potentially harmful files from the production file system so they are not visible to end users.

Requirements

  1. Release 2.5.9 or later
  2. An Eyeglass DR license, required for inventory and snapshot management

How to Use Cyber Recovery Manager


  1. Cyber Recovery Manager is accessed through the Actions menu of an active event (Events tab) or of a past event (Event History tab).
  2. Open the Actions menu of the event.  The Recovery Manager provides the following:
    1. Tree View - folders shown in red contain at least one affected file.  Use this view to browse the file system and see where the data has been impacted.
    2. Filters (optional) - select a cluster, enter a path such as /ifs/data/home, and click Search on Path to restrict the affected-files list of this event to files at that path and below.
    3. Recovery Status - RECOVERABLE (default) shows all files that have a valid snapshot, taken BEFORE the attack began, in which the file is present.  Change the filter to UNRECOVERABLE to show files with no snapshot and therefore no way to recover the data, or to RECOVERED to show files that have already been recovered.
  3. The Recovery Manager tracks the status of the recovery and displays statistics: total files in the incident, recoverable files (based on snapshot analysis), unrecoverable files (cannot be recovered), and recovered files (already recovered).
  4. How to recover files
    1. The columns of the files section show the path to the file, the cluster name, the audit event action associated with the file, the name of the snapshot that will be used for recovery, the date and time that snapshot was taken, and the recovery status (a check mark indicates the file was recovered successfully).
    2. Select individual files, click Select Page to select the files currently displayed, or click All to select every file on all pages.  Use the page navigation buttons to review all the files first.
    3. Once files are selected, click the Recover button.  A warning is shown asking you to confirm; click Yes to proceed.
    4. Show Running Jobs displays the status of the recovery job.
  5. Recovery job details
    1. For each file in the recovery job, the job shows the status of moving the affected file to quarantine and of restoring the original file from the snapshot to its production file system path.
  6. The cyber recovery life cycle
    1. The tool can be used over several days to work through a recovery.  Add RECOVERED to the status filter to see the check marks and follow the progress of the recovery.
  7. NOTE:  The data in the audit history cache is not permanent; it is rolled off and deleted after several days.  Recovery efforts should be completed before the files for the event age out of the history cache.



How to Complete Forensics of Quarantine Data

  1. During recovery, every compromised file is moved to the quarantine location /ifs/.ransomwaredefender/corrupted/
  2. Under this location a sub folder is created for the SID of each user involved, and the full relative path of each file is recreated beneath it.  This allows additional scanning with security tools, or possible decryption tools, to operate only on the affected files.
  3. The quarantine tree also acts as a map of the data that was attacked, allowing a cyber recovery team to see the attacker's pattern of activity across the file system.
  4. The quarantine location is outside any SMB share or NFS export, which keeps the data hidden from clients.
  5. A read-only SMB share can be created on the quarantine location so that cyber recovery teams can analyze the data.
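To give a recovery team a starting point before they touch the quarantined data, the following added script (example code, not Superna's own tooling) walks a quarantine tree with the layout described above, counts quarantined files per user SID, lists the directories each SID touched, and writes a SHA-256 manifest of every quarantined file keyed by its original production path.  It assumes the path under each SID folder mirrors the file's original path relative to /ifs, which the page does not state explicitly; the sample tree it builds is constructed for the demo and QUARANTINE_ROOT is the only value that needs to change on a real cluster.

```shell
#!/bin/sh
# Added example, not Superna code.  Inventories a quarantine tree laid out as
# <root>/<SID>/<path of the file relative to /ifs> and produces a per-SID
# count, a list of directories touched, and a SHA-256 evidence manifest.
# Assumption (not stated on the page): the path under each SID folder is the
# file's original path relative to /ifs.

QUARANTINE_ROOT="${QUARANTINE_ROOT:-/ifs/.ransomwaredefender/corrupted}"

# sha256 helper: GNU coreutils sha256sum, falling back to shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed sample tree (two user SIDs, four files) so the script runs offline.
make_sample_tree() {
    root="$1"
    a="$root/S-1-5-21-1111-2222-3333-1001"
    b="$root/S-1-5-21-1111-2222-3333-1002"
    mkdir -p "$a/data/home/alice/docs" "$a/data/home/alice/pics" "$b/data/finance"
    printf 'encrypted-blob-1' > "$a/data/home/alice/docs/report.docx.locked"
    printf 'encrypted-blob-2' > "$a/data/home/alice/pics/cat.jpg.locked"
    printf 'ransom note'      > "$a/data/home/alice/README_TO_DECRYPT.txt"
    printf 'encrypted-blob-3' > "$b/data/finance/q3.xlsx.locked"
}

# One line per SID: "<SID><TAB><number of quarantined files>".
count_by_sid() {
    root="$1"
    for sid_dir in "$root"/S-*; do
        [ -d "$sid_dir" ] || continue
        n=$(find "$sid_dir" -type f | wc -l | tr -d ' ')
        printf '%s\t%s\n' "$(basename "$sid_dir")" "$n"
    done
}

# Directories touched per SID, two levels below /ifs: a quick view of the attack pattern.
dirs_touched() {
    root="$1"
    find "$root" -type f | sed "s|^$root/||" \
        | awk -F/ '{ print $1 "\t/ifs/" $2 "/" $3 }' | sort -u
}

# Evidence manifest: "<sha256><TAB><SID><TAB><original /ifs path>" for every file.
# Hashing before the share is handed out fixes a record of what was quarantined.
manifest() {
    root="$1"
    find "$root" -type f | sort | while read -r f; do
        rel="${f#"$root"/}"      # S-.../data/home/alice/docs/report.docx.locked
        sid="${rel%%/*}"         # leading component is the user SID
        orig="/ifs/${rel#*/}"    # path the file had in production (assumed layout)
        printf '%s\t%s\t%s\n' "$(sha256_of "$f")" "$sid" "$orig"
    done
}

# Stand-alone demo against the constructed tree.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "== files per SID ==";        count_by_sid "$tmp"
    echo "== directories touched ==";  dirs_touched "$tmp"
    echo "== evidence manifest ==";    manifest "$tmp"
    rm -rf "$tmp"
}

# "sh quarantine_report.sh demo" runs the demo; on a cluster, call the functions
# with "$QUARANTINE_ROOT" instead.
case "${1:-}" in demo) demo ;; esac
```

Run the manifest once, from a host that already has read access to the quarantine path, and store it with the incident record before the read-only share is handed to the recovery team; any later difference between a file's hash and the manifest shows that the quarantined evidence was modified.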


© Superna Inc