Administration Guides
What's New

What's New

  1. See full feature list here.

Ransomware Defender for ECS

  1. This will require additional license keys and will allow event data from ECS to be processed by the ECA cluster to offer real time object data protection with alerting and lockout.


  1. Major Release
    1. AirGap 2.0 - A complete solution to protect your data with protractive behavior monitoring of the source data access combined with Smart AirGap technology to manage SyncIQ policy replication to a 3rd AirGap Isilon.
    2. Smart AirGap is unique solution to Ransomware Defender that suspends copy operations when an active threat to your data is detected.  Unlike other solutions that will copy encrypted data to the offline copy.
    3. Ransomeware Defender manages the AirGapped Isilon in-band  over the replication network ensuring your isolated Isilon is never exposed on your network.
  2. Supported Protocols

    1. SMB

    2. NFS

    3. S3 (The AD user mapped to the S3 keys will be locked out and the S3 IO is not blocked and no snapshot is created on the S3 path where the detection) 

  3. Automated AirGap Management ensures the AirGap is open and closed automatically before and after SyncIQ block level incremental copies complete.  Fastest AirGap solution allows your 3rd copy to be an hour behind production.  Not days like other solutions.  

  4. Virtual AirGap manages the network to ensure your data is offline and not accessible over the network when no data sync's are in progress.

  5. New Behavior detections expands behavior analysis combined with honeypot and managed banned list of 2500+ extensions provides the highest level of data protection.

  6. Support for Authenticated User SMB Share permissions will now lock on shares that grant access to users using this well known AD group.

  7. Major Feature Updates

    1. Learning Mode.  Automates the process of monitoring user behavior and apply settings needed to adjust settings needed.  This will manage user behaviors and extension based detections from the banned list of files.​

    2. Monitor mode by user, path or IP address.  Removes the need to whitelist and allows monitor mode applied to a path, IP address or an AD user name.  This retains detection, and snapshots without any lockout.   This provides new method that will replace whitelisting in most cases.

    3. Updated threat detector settings for user behavior detection - new detection vector

    4. Banned file list versioning 

      1. Multiple file versions allows transitioning to a new file version with latest extensions or roll back to a previous version​

    5. Banned file hosted in a new location compatible with phone home URL's​

      1. Eyeglass deployments that use phone home will now be able to leverage phone home url to retrieve the banned list to simplify firewall and url white listing.​

    6. Allowed File Extension List Redesigned to File Filter Feature

      1. The Banned file list is now managed get by Eyeglass and not the ECA.  This means proxy and phone home will allow retrieving the updated dated file list from the Internet.​

      2. Now all banned files are displayed with a searchable interface.  Each file can be enabled, disabled or monitor mode status.

      3. Ability to add custom file extensions is supported.

      4. CLI command to convert whitelist entries to new monitor mode settings.

    7. Dual Vector Warning detection - A new behavioral detection option looks for different behaviors within the Warning severity.  This new option will add one additional pattern of suspicious user activity that is designed to ignore spikes in user detection signals and provides a new analysis vector on user IO behavior to generate warnings.


  1. New architecture  - allows deployments without HDFS Access Zone requirement for standalone deployments.
  2. UI updates allows viewing of:
    1. Flag as false positive user settings.
    2. White listed file extensions from the master known extension list.
  3. Archived Events allow action menu to flag as false positive after an event has been archived.
  4. Security Guard feature now cleans up files on the igls-honeypot SMB share created during the simulated attack.  This clean runs on each scheduled, or on demand execution of the Security Guard feature. 


  1. Honey pot File traps
    • Detection at the folder level, allows files to be placed in specific folder locations, as detection of any type of Ransomware behavior attack that combines file access to Honeypot trap files that Defender uses to track Ransomware at the folder level, and does not depend on a specific file IO pattern for detection.
    • Uses immediate lock out logic when this detection trap is tripped.
    • Administrators can create this trap on any folder in the file system as needed.
  2. Roaming Profile Support 
    1. Roaming profiles on PowerScale shares writes files using a common Ransomware IO pattern trigger a lockout.
    2. New Relative path whitelist support allows only the directories of the profile to be added to the whitelist, and still protect data in the users profile.  Example: whitelist /ifs/data/roamingprofilessharepath/*/Appdata   This will ignore all user Appdata (the profile path) in each users home directory on a share that stores all users home directories.  

1.9.2 Has new supportability enhancements, a feature to disable real-time critical lockout action, and use only time delayed response for security events.  Full feature description in this release is available here.

1.9.3 Offers auto snapshot feature to protect paths and shares when any Ransomware has affected a user workstation.  All shares the user has access to have a snapshot applied with a 48 hour expiry.  This is enabled or disabled, with default enabled for all detection severities.  Requires SnapshotIQ license on the cluster. Full feature description in this release is available here.


  • ECA cluster now uses fluentd to collect logs and send to Eyeglass over syslog on port 5514 udp,   cluster startup enhanced to debug HDFS configuration and provide validation errors.  
  • IGLS commands expanded for settings.
  • Ability to set snapshot expiry default from 48 hours to another value with IGLS command.
  • Ability to set security guard event timer to wait for events that are delayed by PowerScale forwarding rates. IGLS command.
  • Ability to set security guard restore permissions timer to ensure restore permissions action has time to complete. IGLS command.
  • NFS host lockout supported (enabled with IGLS command, disabled by default).  This feature will remove the IP address from the client list(s) and re-save the export definition.

NOTE: DNS to IP resolution to will not be done for client lists that use FQDN.  The feature requires client list to use ip address to successfully lockout.  

  • Default disabled since this can lead to stale mounts for NFS hosts.

NOTE: Admin guide has all IGLS commands for all products.


  • Security guard delay IGLS command to delay how long Security guard waits for events to appear from the simulated attack.  This solution accommodates variation in CEE forwarding rates from the cluster to the ECA cluster.


  • Mark as false positive on security events allows AI teaching feature of user behaviors with per user behavior learning.
  • File extension whitelist feature to allow well known bad file extension to be ignored if used in your organization (IGLS commands).
  • Built in role and user for managing Ransomware Defender.

© Superna Inc