How to Configure Snapshot Modes (Critical Path and SMB share snapshots) and Snapshot Quotas

• Overview
• Requirements
• Considerations
• Configuration Snapshot Modes and Snapshot QuotaOpen the Ransomware Defender View from the Eyeglass desktop.
• Notes:
• Known Limitations:

Overview

This feature allows SMB user share snapshots to be disabled. This would be used when ACL security is used, and most shares use everyone's full control permissions, allowing all users access to all shares. In this configuration, many snapshots can be created for single-user detection. The other use case allows for targeting snapshots on specific critical paths in the file system when any user detection occurs and the disabling of SMB share-level snapshots. In addition, the snapshot quota specifies a limit on the number of snapshots Ransomware Defender can create.  

Requirements

1. Release 2.5.8 or later

Considerations

1. If the user share snapshot mode is disabled, the event action menu will also be disabled to create snapshot manual action on events.

Configuration Snapshot Modes and Snapshot QuotaOpen the Ransomware Defender View from the Eyeglass desktop.

1. Open the Ransomware Defender View from the Eyeglass UI.
   
   1. 
2. Click the tab Snapshots
   1. unClick Enable Share Snapshots to disable snapshots applied to user SMB shares detected by AD group permissions.
   2. Click Enable Critical Path Snapshots and then the + sign to add the path to the list of paths that will have a snapshot applied on each detection event. The snapshot will be created even if the user cannot access this path. Use this option to protect the application or any critical cluster data. Add paths as needed.
   3. Change the snapshot quota value to a higher or lower number to set the limit. Once the snapshot limit is reached, no more snapshots will be created until the snapshots expire, which allows snapshots to be taken again up to the limit. The default snapshot expiry is 48 hours.
   4. NOTE: both share snapshot and critical path can be enabled independently.
   5. NOTE: Always click submit after making changes.

Notes:

• If there are multiple clusters/platforms, the snapshot quota set in the settings is the same for each one (e.g., 500 for Isilon and 500 for Qumulo).

• The settings are global for all the platforms.

Known Limitations:

• Critical path snapshots will be taken on the default tenant unless the path is added in the following format: tenantName:/path/to/file.