Software Releases

Current Release - Release Notes Ransomware Defender



What’s New in Superna Eyeglass Ransomware Defender Edition Release 2.5.7


What’s New in Superna Eyeglass Ransomware Defender Edition Release 2.5.7 can be found here.





Supported OneFS releases

8.0.0.x

8.0.1.x

8.1.x.x

8.1.2.x

8.1.3.x

8.2.0.x

8.2.1.x

8.2.2.x

9.0

9.1

9.2 (requires modification by support for Eyeglass VM before 2.5.7.1)


Supported Eyeglass releases

Superna Eyeglass Ransomware Defender Version | Superna Eyeglass Version
2.5.7.1-21161                                | 2.5.7.1-21161
2.5.7.1-21140                                | 2.5.7.1-21140
2.5.7-21096                                  | 2.5.7-21096
2.5.7-21081                                  | 2.5.7-21081
2.5.7-21068                                  | 2.5.7-21068
2.5.6-20263                                  | 2.5.6-20263

Active Directory Compatibility

Ransomware Defender Versions          | Supported Active Directory Versions
2.5.7, 2.5.6 and 2.5.5 (all versions) | Microsoft Active Directory 2012, 2016


Inter Release Functional Compatibility


Feature          | OneFS 8.0 | OneFS 8.1 | OneFS 8.2 | OneFS 8.0 - OneFS 8.1 | OneFS 8.0 or 8.1 - OneFS 8.2
Threat Detection | Yes       | Yes       | Yes       | Untested              | Untested
Security Guard   | Yes       | Yes       | Yes       | Untested              | Untested




End of Life Notifications

End of Life Notifications for all products are available here.

Support Removed in Eyeglass Release 2.5.7

1. Operating System OpenSUSE 42.3: Upgrading on OpenSUSE 42.3 is no longer supported.  Use Backup & Restore to a new OVF, or an in-place OS upgrade, to get onto a supported release.


New / Enhanced / Fixed in 2.5.7

New in 2.5.7.1-21161

NEW - ECA OVF released with configuration files for 1, 3 and 6 node deployments on the OpenSUSE 15.3 operating system. All other features and functionality are equivalent to 2.5.7.1-21140.

New in 2.5.7.1-21140

NEW - T14329 Security Guard now supports SMB3

Security Guard can now successfully authenticate with either SMB2 or SMB3.

—————————————————–

NEW - T16838 Well Known Ransomware File Extension List Versioning

The version of the banned file list can now be selected, auto-selected and diffed from the Eyeglass command line. Details are available in the documentation here.

—————————————————–

NEW - T17804 Learned Thresholds Management Enhancements

The following enhancements have been made to the Ransomware Defender -> Learned Thresholds window:

- a search bar has been added to search for a User

- multiple entries on the Learned Threshold list can now be selected and deleted at once

Note: Known Issue T20194 Deleted items stay in the delete window

—————————————————–

Fixed in 2.5.7.1-21140

T15234 igls rsw restoreaccess leaves share without permission where user permission configured

If share permission has been assigned directly to an AD user (no AD group permission), that user is locked out, and access cannot be restored from the GUI, the igls rsw restoreaccess command that would normally be used to restore access removes the deny permission but does not put back the original user permission.

Resolution: The permission is now restored where the share permission uses an AD user directly. When using the igls rsw restoreaccess command the user must be specified in the format '<DOMAIN>\<user>'.

—————————————————–

T17747 Honeypot detections incorrectly able to be added with Learned Thresholds

Either in automated Learning Mode or through a manual Archive as False Positive, a honeypot detection could be added to the Learned Thresholds list.  This is not desired behaviour, as any activity against a honeypot file is considered suspicious.


Resolution: Honeypot detections are no longer added to the Learned Threshold list in automatic learning mode or when a manual Archive as False Positive is applied to the active event.

—————————————————–

T17900 Clients column for Ransomware events may not display all IP addresses

For a security event where there are signals for the same User (account) from different IP addresses, the Clients column may not list all IP addresses.

Resolution: the Clients column now shows all IP addresses.

—————————————————–

T18170 Adding custom File Filter requires 2 Save operations

When adding a custom File Filter, the initial save shows “File filter added successfully” but at this point the custom filter is not yet saved.  The Save button on the File Filters main window must also be selected to commit the change.


Resolution: The initial save now permanently saves the custom filter. Additionally:

- the File Filter list now includes a "Type" column to identify whether an entry on the list is a default or custom entry

- custom entries on the File Filter list can be deleted (default entries cannot)

—————————————————–

T18913 Ransomware Defender Thresholds Advanced Mode cannot disable all detectors

In the Ransomware Defender Thresholds window you cannot disable all detectors. The GUI incorrectly changes to Enforcement mode and does not allow switching back to Advanced Mode.

Resolution: It is not possible to disable all detectors in Advanced Mode.

IMPORTANT: Advanced Mode should never be changed unless support advises when to use this option. Changing these settings can disable detection if the impact of the changes is not understood.
—————————————————–

Fixed in 2.5.7-21096

T19467 ECA logs missing from backup on new OVA deployment

ECA OVA missing symbolic link resulted in logs not being included in a backup.

Resolution: OVA symbolic link is now present.

New/Fixed in 2.5.7-21081

Refer to Enhancements/Fixes in previous 2.5.7 versions.

New / Enhanced / Fixed in 2.5.7-21068

New in 2.5.7-21068

NEW - Learning Mode

Automates the process of monitoring user behaviour and applying the settings needed to tune Ransomware Defender and reduce false positive detections.  Learning Mode manages both user behaviour detections and extension-based detections from the banned file list.
  • On the Ransomware Defender Threshold window there is a new checkbox “Automatically learn from events in monitor state”.  When this is checked, once an active MONITOR event in Warning expires the following two updates are made automatically:

    • Automatically “Archive as False Positive” to add the event to the Learned Thresholds list (renamed from False Positive) for a user behaviour detection.  This is the same as manually selecting Archive as False Positive from the GUI Action menu in previous releases.

    • Automatically add well known extensions to the File Filters list (renamed from Allowed Extensions) if the event was related to the detection of an extension from the banned file list.

It is the customer's responsibility to review the changes made by Learning Mode and either accept them or remove them to back them out.

Detailed documentation on Learning Mode is available here:
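As an added illustration (not Superna's code and not taken from the Eyeglass product), the Learning Mode rules above, together with the honeypot exception fixed under T17747 and the Security Guard exception noted under T18887 in the Known Issues, can be written as one small policy function that also records what the customer still has to review. The event fields, the detector labels other than TD7, and the list structures are assumptions made for the example:

```python
"""
Model of the Learning Mode rules in these release notes: expired MONITOR
events are archived as false positive, TD7 extension events disable the
matched File Filter entry instead, and honeypot detections and the
Security Guard user are never learned. Added illustration, not Eyeglass
code; event fields and list shapes are assumptions.
"""
from dataclasses import dataclass, field

# Detector identifiers used in this model. "TD7" is the banned-extension
# detector named on this page; the other two labels are assumptions.
TD_EXTENSION = "TD7"
TD_HONEYPOT = "HONEYPOT"
TD_BEHAVIOUR = "BEHAVIOUR"


@dataclass
class Event:
    user: str            # DOMAIN\user that triggered the detection
    detector: str        # one of the TD_* labels above
    state: str           # e.g. "MONITOR", "WARNING", "MAJOR"
    expired: bool        # True once the Warning timer has run out
    extension: str = ""  # matched banned extension for TD7 events


@dataclass
class Lists:
    learned_thresholds: set = field(default_factory=set)  # users archived as false positive
    file_filters: dict = field(default_factory=dict)      # extension -> "enabled"/"disabled"/"monitor"
    security_guard_user: str = ""                          # never learned (T18887)
    pending_review: list = field(default_factory=list)     # changes the customer must accept or back out


def learn_from_event(ev: Event, lists: Lists) -> str:
    """Apply the automatic learning rules to one event and return an action label."""
    if not (ev.state == "MONITOR" and ev.expired):
        return "skip:not-expired-monitor"
    if ev.detector == TD_HONEYPOT:
        # Any activity against a honeypot file is suspicious: never learn it.
        return "skip:honeypot"
    if ev.detector == TD_EXTENSION:
        # Archive as False Positive for TD7 disables the matched extension in
        # File Filters instead of adding the account to Learned Thresholds.
        lists.file_filters[ev.extension] = "disabled"
        lists.pending_review.append(("file_filter_disabled", ev.extension))
        return "file-filter-disabled"
    if ev.user.lower() == lists.security_guard_user.lower():
        # The Security Guard user cannot be added to Learned Thresholds in 2.5.7.
        return "skip:security-guard"
    lists.learned_thresholds.add(ev.user)
    lists.pending_review.append(("learned_threshold_added", ev.user))
    return "learned-threshold-added"


def run_learning_cycle(events, lists: Lists) -> dict:
    """Process a batch of events; returns (user, extension) -> action taken."""
    return {(ev.user, ev.extension): learn_from_event(ev, lists) for ev in events}


# Constructed sample events (not real detections).
SAMPLE_EVENTS = [
    Event(user="CORP\\alice", detector=TD_BEHAVIOUR, state="MONITOR", expired=True),
    Event(user="CORP\\bob", detector=TD_EXTENSION, state="MONITOR", expired=True, extension=".bak"),
    Event(user="CORP\\carol", detector=TD_HONEYPOT, state="MONITOR", expired=True),
    Event(user="CORP\\sg-user", detector=TD_BEHAVIOUR, state="MONITOR", expired=True),
    Event(user="CORP\\dave", detector=TD_BEHAVIOUR, state="WARNING", expired=False),
]


if __name__ == "__main__":
    lists = Lists(security_guard_user="CORP\\sg-user", file_filters={".bak": "enabled"})
    for key, action in run_learning_cycle(SAMPLE_EVENTS, lists).items():
        print(key, action)
    print("to review:", lists.pending_review)
```

The `pending_review` list is the point of the example: Learning Mode changes detection coverage silently, so every automatic change should land in a queue that someone accepts or backs out, which is what the notes ask customers to do.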

NEW - Monitor Mode by User, Path or IP Address

This new feature removes the need to whitelist and allows monitor mode to be applied to a Path, AD User account or IP Address while Enforcement mode is enabled.   This retains detection and snapshots for items on the Monitor Only Settings list without any lockout.  This will replace whitelisting in most cases.

Detailed documentation on Monitor Mode by User, Path or IP Address is available here:
Monitor Mode List Overview
How to Configure Monitor Mode List
Planning new workloads best practice

We recommend that all customers convert their existing Ignored List settings to Monitor Only Settings to take advantage of the detection and snapshot protection without lockout.  

Note:  This is likely to result in new detections that will have to be assessed.  Help on assessing an active event is available here.  You may choose to enable Learning Mode to automatically apply flag as false positive settings or the entry can be moved back to the Ignored List. 


Detailed documentation to convert your existing Ignore List entries to Monitor Only entries is available here:
How to convert whitelists to monitor mode lists



NEW - Dual Vector Warning Detection

A new behavioral detection option looks for different behaviors within the Warning severity.  This new option will add one additional pattern of suspicious user activity that is designed to ignore spikes in user detection signals and provides a new analysis vector on user IO behavior to generate warnings.

We recommend that all customers configure the 2nd Warning vector as per documentation.

Note: Adding this second vector may result in new detections that will need to be assessed and if false positive managed by flagging the event as false positive or updating the File Filters list. Help on assessing an active event is available here.


Detailed documentation available here:
Dual Vector Warning Detection in 2.5.7 or later



NEW - File Filters List

The Allowed File List from earlier releases has been redesigned and is now called File Filters.  Changes from previous releases:
  • All items on the banned file list are now visible and searchable from the File Filters GUI

  • Entries on the banned file list can be enabled/disabled or put into monitor state from the GUI

  • Custom entries can be added to the banned file list

  • Archive as False Positive action against an Active Event that was related to a banned file list entry now updates the list to disable analysis for that extension

  • Banned file list is now managed from the Eyeglass appliance and new versions can be retrieved over the internet leveraging existing phone home firewall and URL whitelisting


Detailed documentation is available here:


NEW - Ransomware Events "Actions" Copy to Clipboard

The Ransomware Defender Active Events and Events History Actions window now have a Copy to Clipboard option to easily and quickly make a copy of all actions related to an event and paste into external document for easy review.

NEW - Archive as False Positive for TD7

Manually applying the Archive as False Positive action against a Ransomware event associated with an entry in the File Filters list will now disable that entry in the File Filters list instead of adding the account to the Learned Threshold list.


Fixed in 2.5.7-21068

T14798 Well Known user Authenticated Users not handled

When the well known user "Authenticated Users" is used for share permissions, Ransomware Defender does not translate this permission into users and therefore does not apply a deny for any user against that share.

Resolution: Ransomware Defender now translates "Authenticated Users" into users and can apply a lockout against a user where the share permission is configured with "Authenticated Users".

—————————————————–

T16830 TD 7 extension flagged as false positive is added to the UI but does not take effect

Flagging a TD 7 detection as a false positive added it to the UI but did not take effect.  This is not a user behaviour detection and previously required a CLI command to whitelist the extension.  This was by design, with the GUI block and automatic whitelisting planned for a later release; until then the CLI was required to add an extension to the whitelist.

Resolution: Now when a TD 7 extension event is archived with Flag as False Positive, either in Learning Mode or manually, the associated extensions are automatically disabled in the banned file list so that they are no longer considered during Ransomware analysis. More information on managing the banned file list can be found here: How to Manage Banned File Extensions with Enforcement Modes (2.5.7 >)

—————————————————–


Technical Advisories

Technical Advisories for all products are available here.


Known Issues

Threat Detection


T4151 Action Window Event Action History does not show Unreachable Cluster

In the event that a cluster is unreachable during a Lockout operation, the Active Event state correctly shows ERROR and the Event Action History shows “Partially Locked out”, but it does not display the cluster that was unreachable or the shares that could not be locked out.

Workaround: Manually inspect the clusters that were locked out.  For any managed cluster that is missing from the list, review its shares, determine which ones the affected user has access to, and block access manually.

—————————————————–

T3732 Restored permission may be incorrect for consecutive lockouts

In the event that user share access has been locked and subsequently restored and another lockout occurs before Eyeglass inventory has run, the “restore” permissions associated with shares may be the lockout settings from the previous lockout.

Workaround: Permissions should be restored manually by removing the deny permission for the affected user.  Use the Event Action History to determine the affected shares.

—————————————————–

T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates

The Ransomware Defender Job History “Run Date” is based on the Eyeglass appliance time zone whereas the Event History “Detected” date is translated to the client browser locale.

Workaround: Translate date for 1 of the dates to the time zone of the other date to correlate Security Guard Jobs to events in the Event History.
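An added example (not part of the original notes or the Eyeglass product) of the correlation the workaround describes: both timestamps are converted to UTC before comparing, which also shows why a naive comparison of the two displayed strings gives a false match. The timestamp format, the UTC offsets assumed for the appliance and for the browser, and the five minute matching window are assumptions:

```python
"""
Correlate Security Guard Job History "Run Date" (shown in the appliance
time zone) with Event History "Detected" (shown in the browser time zone)
by normalising both to UTC. Added example, not Eyeglass code; format,
offsets and window are assumptions.
"""
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"  # assumed display format for both screens

# Fixed offsets keep the example offline and deterministic. A real
# deployment should use the zoneinfo names for both zones so that
# daylight-saving changes are handled correctly.
APPLIANCE_TZ = timezone(timedelta(hours=-4), "appliance UTC-4")  # assumption
BROWSER_TZ = timezone(timedelta(hours=+1), "browser UTC+1")      # assumption


def to_utc(text: str, tz: timezone) -> datetime:
    """Parse a naive timestamp displayed in zone `tz` and return it in UTC."""
    return datetime.strptime(text, FMT).replace(tzinfo=tz).astimezone(timezone.utc)


def correlate(job_runs, events, window=timedelta(minutes=5)):
    """Return (run_date, detected) pairs whose UTC times are within `window`,
    requiring run <= detected because the Security Guard job causes the event."""
    matches = []
    for run in job_runs:
        run_utc = to_utc(run, APPLIANCE_TZ)
        for det in events:
            det_utc = to_utc(det, BROWSER_TZ)
            if timedelta(0) <= det_utc - run_utc <= window:
                matches.append((run, det))
    return matches


# Constructed sample data: one job run at 14:05 appliance time (18:05 UTC)
# and two events as a browser in UTC+1 would display them.
SAMPLE_JOB_RUNS = ["2021-11-03 14:05:00"]
SAMPLE_EVENTS = [
    "2021-11-03 19:06:12",  # 18:06:12 UTC: the real match
    "2021-11-03 14:06:12",  # 13:06:12 UTC: a naive string comparison would wrongly match this
]

if __name__ == "__main__":
    for run, det in correlate(SAMPLE_JOB_RUNS, SAMPLE_EVENTS):
        print(f"Security Guard run {run} -> event detected {det}")
```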

—————————————————–

T4337 Modifying Ransomware Defender Settings or Running the lock root command removes lock root settings

Lock root settings applied using the command

igls admin lockroot --lock_root

are lost each time a change is made to Ransomware Settings or the igls admin lockroot command is run.  If lock root was enabled it becomes disabled.

Workaround: Each time a Ransomware Settings change is made, the lock root setting must be reapplied manually.  Please contact support.superna.net for assistance.

—————————————————–

T4777 Snapshots not created for any Events that are Active when the Snapshot feature is enabled

If there are any Active Events when the Create Snapshot option is enabled, no Snapshots will be created for these already Active Events.

Workaround: Enable the Create Snapshot option when there are no Active Events.  Events raised after the Create Snapshot option was enabled will have associated Snapshots created for affected shares.

—————————————————–

T4819 Empty Event History List

There may be conditions where having other windows open such as the Event Action History may result in the Event History list being displayed with no entries.

Workaround: Close all Ransomware Defender related windows and then re-open the Ransomware Defender -> Event History tab.

—————————————————–

T4950 Alarm text for failed Snapshot delete references Snapshot create

The alarm that is raised when a Snapshot delete fails contains the text “Failed to create snapshots” instead of “Failed to delete snapshots”.

Workaround: Check the Action Log for the event to determine whether a snapshot create or delete has failed.

—————————————————–

T4955 Subsequent Create Snapshot action will delete reference to previously created snapshots if an error occurs during the create

The Create Snapshot action can be executed multiple times for a given event.  If it has been run previously and then run again and the subsequent run has an error on creating any snapshot, the Snapshots list only contains the snapshots from the last run. Previously created snapshots are no longer displayed.

Workaround: Check the Event Action History log for complete list of created snapshots.

—————————————————–

T5024 Major Events may reappear in the Active Events list after being recovered

An event which crosses the Major threshold and is recovered to Historical Events without being locked out (Stop lockout timer) may appear in the Active Events list again immediately after being recovered (Mark as recovered).

Workaround: Stop the lockout timer and Mark the event as recovered again.  This may have to be repeated several times. Locking the affected user out followed by Restore User Access and then archiving the event as recovered may also resolve this issue.

—————————————————–

T5756  Error on restoring permissions does not raise an alarm

If permissions restore action encounters an error there is no associated alarm notification.

Workaround: Review the Action History for the Event to confirm that all restores were successful.

—————————————————–

T5954  Events that are promoted to Major due to multiple event “Upgrade to Major” are locked out immediately

For the case where there are multiple Warning events that cross the “Upgrade to Major” limit, when they are promoted to Major they are locked out right away instead of waiting for the configured Grace Period before locking out.

Workaround: The occurrence of this behaviour can be reduced by setting the “Upgrade to Major” threshold to a high number of users.

—————————————————–

T6728  Extensions with special characters cannot be removed from the ignore list

Extensions that were added to the extension ignore list using the igls rsw allowedfiles add --extensions command cannot be removed from the ignore list using the igls rsw allowedfiles remove --extensions command.

Workaround: Contact Superna Support at support.superna.net to assist with removing these extensions.

—————————————————–

T7062  User may not be locked out in a multi-user security event

A user may be only partially locked out during a multi-user lockout because of an error response from the PowerScale cluster during user resolution in Active Directory.  In this case the error is not displayed in the Eyeglass event history.

Workaround: The Event History contains the shares that were successfully locked out.  Should events continue to be generated against the user for the unlocked share, it may be locked out as a result of a subsequent event.  The user may also be locked out manually by adding the deny permission to the share that was not locked out.

—————————————————–

T7190  Active Events may show State of Warning instead of Monitor when Monitor Mode is enabled

Instead of the event state being Monitor in Active Events when Monitor Mode is enabled, the event state may incorrectly display as Warning instead.

Workaround: None Required.  This is a display issue only.  Verify that Monitor Mode is enabled on the Ransomware Defender / Settings tab.

—————————————————–

T7525  Affected Files also shows Active Auditor Affected Files

When viewing the Affected Files for a Ransomware Defender security event, any files associated with an Active Auditor event that occurred at the same time are also displayed.

Workaround: Download the csv file and use the path associated with the Ransomware Defender event from the GUI to filter the results.

—————————————————–

T11586 NFS Lockout Event Information does not include NFS Export path

The Ransomware Defender event GUI for an NFS client displays the NFS Export ID in the Locked out shares view in the "Share" column but does not display the corresponding path in the Path column.

Workaround: Verify the NFS Export path on PowerScale directly, referencing the NFS Export ID from the Locked out shares window.

—————————————————–

T11590 NFS Lockout Event does not generate a PowerScale snapshot

When a Ransomware Security Event is detected for an NFS client, the PowerScale snapshot against related paths is not created.

Workaround: None available. PowerScale scheduled snapshots may be available for recovery.

—————————————————–

T11832 Ransomware Security Event which is promoted from Warning to Major does not respect Major Grace Period

If a Ransomware Security Event is promoted from Warning to Major threshold, the associated user is locked out right away instead of starting Grace Period timer and only locking out if Grace Period has expired and no manual action has been taken.  Note that a Ransomware Defender Security event which is raised at the Major level will respect the configured Grace Period.

Workaround: None available. 

—————————————————–


T15198, T15650 Ransomware Events may have inaccurate Signal Strength or may be reprocessed

Ransomware Event processing may receive duplicate events and as a result may show a higher Signal Strength than is actually the case.  The associated CSV also shows duplicate entries for the same file.  Ransomware processing may also intermittently skip a signal and as a result show a lower Signal Strength.

In some cases this may also result in a Ransomware Event being reprocessed at a later time.

Workaround: None required.  The duplicate events result in earlier detection of Ransomware events.  Skipping of signals is intermittent and subsequent signals cross the threshold for detection.
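When triaging an event whose Signal Strength looks inflated by duplicate delivery, the exported CSV can be de-duplicated on the fields that identify one audit record before the count is compared with the threshold. The following is an added illustration, not the product's detection code; the record fields, the duplicate key and the threshold value are assumptions, and the audit records are constructed:

```python
"""
Show how duplicate signal delivery inflates a per-user Signal Strength
(T15198 / T15650) and how de-duplicating on a stable record key removes
the inflation before a threshold comparison. Added illustration, not
Eyeglass detection code; fields, key and threshold are assumptions.
"""
from collections import Counter

# Constructed audit signals (not a real capture). The two records for
# finance/q3.xlsx are an exact duplicate delivery of the same operation.
SAMPLE_SIGNALS = [
    {"user": "CORP\\alice", "client": "10.1.2.3", "op": "rename", "path": "/ifs/data/finance/q3.xlsx", "ts": "2021-11-03T18:05:01Z"},
    {"user": "CORP\\alice", "client": "10.1.2.3", "op": "rename", "path": "/ifs/data/finance/q3.xlsx", "ts": "2021-11-03T18:05:01Z"},
    {"user": "CORP\\alice", "client": "10.1.2.3", "op": "rename", "path": "/ifs/data/finance/q2.xlsx", "ts": "2021-11-03T18:05:02Z"},
    {"user": "CORP\\alice", "client": "10.1.2.3", "op": "write",  "path": "/ifs/data/finance/q2.xlsx", "ts": "2021-11-03T18:05:03Z"},
    {"user": "CORP\\bob",   "client": "10.1.2.9", "op": "write",  "path": "/ifs/data/hr/notes.txt",    "ts": "2021-11-03T18:05:04Z"},
]

# Fields that together identify one audit record (assumption).
KEY_FIELDS = ("user", "client", "op", "path", "ts")


def signal_strength(signals, dedupe=True):
    """Count signals per user. With dedupe=True, records that are identical
    on KEY_FIELDS are counted once."""
    if dedupe:
        seen = {tuple(s[k] for k in KEY_FIELDS) for s in signals}
        return Counter(key[0] for key in seen)
    return Counter(s["user"] for s in signals)


def duplicate_paths(signals):
    """Paths reported more than once for the same user and timestamp, i.e.
    the rows that would appear duplicated in the event's CSV."""
    c = Counter((s["user"], s["path"], s["ts"]) for s in signals)
    return sorted({p for (u, p, t), n in c.items() if n > 1})


def users_over_threshold(signals, threshold, dedupe=True):
    """Users whose (optionally de-duplicated) signal count reaches the threshold."""
    return sorted(u for u, n in signal_strength(signals, dedupe).items() if n >= threshold)


if __name__ == "__main__":
    THRESHOLD = 4  # assumed Warning threshold for the illustration
    print("raw:    ", signal_strength(SAMPLE_SIGNALS, dedupe=False))
    print("deduped:", signal_strength(SAMPLE_SIGNALS))
    print("over threshold raw:    ", users_over_threshold(SAMPLE_SIGNALS, THRESHOLD, dedupe=False))
    print("over threshold deduped:", users_over_threshold(SAMPLE_SIGNALS, THRESHOLD))
    print("duplicated rows:", duplicate_paths(SAMPLE_SIGNALS))
```

With the assumed threshold of 4, the raw count puts CORP\alice over the line while the de-duplicated count does not; that is the difference an analyst should understand before deciding whether an event is a genuine behaviour change or an artefact of duplicate delivery.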

—————————————————–

T15639 T18812 Error replicating AD Group or Local User Run as Root SMB permissions affects Lockout and Restore

In some cases an SMB share permission configured with an AD group or Local User that has Run as Root privileges produces an error on the share updates made by Ransomware Defender. This blocks Lockout so that it does not take effect, or on Restore the Run as Root SMB share permission is not restored.

Important: If you use Run as Root on shares you are exposing data to very high security risk, since no lockout is possible. This is because the user SID sent when an AD user accesses data with Run as Root enabled is the root user SID, not the actual AD user SID.

We recommend that you do NOT use Run as Root on shares for the reason above; it fails security audits of PowerScale against all common industry standards (PCI, HIPAA, FedRAMP, ITSG, etc.). Remove the Run as Root option on all shares.

Please review our documentation for more information: Securing root user on PowerScale.

Workaround: Manually restore or lock out the user.

—————————————————–

T16229 GUI incorrectly reports error when manually creating a snapshot

If you use the Action menu to manually create a snapshot, the GUI shows an error but the snapshot is actually created. Automatic snapshot creation as part of active event detection is not affected by this issue.

Workaround: None required as snapshot is created. Verify snapshot creation using Powerscale OneFS interface.

—————————————————–

T16462 NFS lockout may fail

Under some conditions Ransomware Defender successfully detects security event and notifies regarding the event but the associated NFS lockout action fails.

Workaround: Manual steps to block access to the Powerscale cluster are required in this case.

—————————————————–

T18271 Ransomware Event State incorrectly shows success when PowerScale is unreachable during restore operation

If a Restore operation is initiated on an Active Event while the PowerScale cluster is unreachable, the restore steps fail but the state of the Event on the Active Events GUI is ACCESS_RESTORED.


Workaround: None required.  The Event Action History shows that the restore step failed.  Once connectivity to the Powerscale cluster is restored the Restore operation can be retried.


—————————————————–

T18643, T19217 State of Active Event shows WARNING when it should be MONITOR for File Filter in Monitor

When Ransomware Defender is configured for Enforcement Mode and Critical on Mode, an Active Event related to a File Filters extension in Monitor will be displayed in Active Events with State of WARNING instead of MONITOR.

No impact on behaviour, no lockout applied.

Impact to Automatic learning - the File Filter extension is not set to disabled.


Workaround: Review events and put File Filter extension into Disabled as required.

—————————————————–

T18718 igls rsw allowedfiles remove option not working

The igls rsw allowedfiles remove CLI command executes and reports success but does not actually re-enable the extension or file entered in the command.


Workaround: Use the Eyeglass GUI to enable items on the File Filters list that had previously been disabled.  For more information refer to the documentation here.

—————————————————–

T18852 Ransomware Defender does not detect where path has square brackets [ ]

If a path or file name on the PowerScale cluster includes square brackets, Ransomware Defender encounters an error during processing and does not detect the security event.

Workaround: None available. Ransomware manipulation of other paths/files continues to be monitored and acted upon.

—————————————————–

T18887 Security Guard in Learned Thresholds prevents Security Guard job from detecting

If the Security Guard user is deleted from the Learned Threshold list it continues to be enforced and Security Guard events are not detected by Ransomware Defender.  This will occur if Security Guard was in the Flag as False Positive list prior to upgrade to 2.5.7.  In 2.5.7 Security Guard user cannot be added to the Learned Threshold list.


Workaround:  Contact support.superna.net for assistance if after upgrade to 2.5.7 the Security Guard user needs to be removed from the Learned Threshold list.

—————————————————–

T18895 Ransomware Learned Threshold list doesn't open first time

Under some conditions where name resolution proceeds slowly and/or the Learned Threshold list contains many entries, the list is not displayed before the 45 s timeout occurs.

Workaround: Selecting the list a second time displays the list.

—————————————————–

T18985  igls rsw restoreaccess cannot restore access for unresolvable user

If the user specified in the igls rsw restoreaccess command cannot be resolved by the Access Zone AD provider, the command cannot restore access.  For example, a lockout might occur on shares provisioned with the Everyone permission even when the Access Zone AD provider cannot resolve the AD user.


Workaround:  The Ransomware Defender GUI can restore access in this case while the event is in the Active Events list.  If the event has already been archived to the Event History contact support.superna.net for assistance.

—————————————————–

T19040 After upgrade to 2.5.7, Ransomware Events in Event History do not display the Signal Strength correctly

Signal strength not displayed correctly for Ransomware Events in the Event History after upgrade to 2.5.7 for events that were added to Event History in previous release.


Workaround: None required.  These events had already been managed and archived on previous release.

—————————————————–

T19106 Acknowledge/Archive options not blocked while lockout in progress

The Acknowledge / Archive options are incorrectly available during the window of time between when the lockout action starts and when the active event enters the Locked Out state. Impact: if selected during that window, the event never enters the Locked Out state even though the account is locked out, and therefore the Restore option is not available to restore permissions.

Workaround: The Event Action History correctly documents the shares that were locked out and the account and time of lockout. The account can be restored from the command line following the instructions here for igls rsw restoreaccess command.

—————————————————–

T19198 Multiple concurrent Major Events not upgraded to Critical based on "Upgrade to Critical (events)" setting

The setting to promote Active Events from Major to Critical without having to reach the Critical Threshold, "Upgrade to Critical (events) " is not respected. Events are not promoted until their Signal Strength Threshold crosses the Critical setting.

Workaround: None required.  Events are promoted if their Signal Strength crosses the Critical threshold, and Lockout is then applied. For events that remain at Major severity, if no manual steps are taken, Lockout is applied once the grace period expires.

—————————————————–

T19236 Honeypot file detector incorrectly crosses Major threshold in Monitor Mode

When Ransomware Defender has Monitor Mode active the Honeypot file detector incorrectly promotes a Honeypot event to Major instead of staying in Monitor state. Once promoted to Major the Grace Period timer begins and if no manual steps taken a lockout of the account will occur once the grace period expires.

Workaround: Upon notification of the Major event, manual steps can be taken from the Active Event Action menu to stop the Lockout timer and resolve the event from the GUI if appropriate. If a lockout occurs access can be restored through the GUI from the Active Event Action menu as well if appropriate.

—————————————————–

T19356 Files/Folders with language characters not displayed properly in CSV and email

If the files/folders associated with a detected Ransomware security event contain language specific characters, the path/file names are not displayed correctly in the email sent as well as the CSV.

Workaround: Use the GUI to see the files and folders.

—————————————————–

T19409 Well known extension detection not working under some circumstances

Under some circumstances when there have been no customization to the File Filters for well known extension detection, the well known vector for detection of Ransomware security event is skipped.

This does not affect the user behaviour or honeypot detection vectors.

Workaround: User behaviour and honeypot detection vectors still available for monitoring.

—————————————————–

T20094 CLI command to restore access does not work when user name contains special characters

The igls rsw restoreaccess command does not execute if the user name contains special characters. Impact: No impact on lockout. Impact on ability to restore access.

Workaround: Use the Ransomware Defender Action Event history to identify all shares that were locked out and manually remove the deny permission using Powerscale native tools.
 

Security Guard

T4197 Security Guard Error for Unlicensed Cluster

Security Guard fails when PowerScale Cluster selected to run is not licensed.

Because Ransomware Defender dynamically selects which PowerScale clusters receive a license (refer to the Eyeglass Ransomware Defender Admin Guide for details on selection of licensed clusters), when Eyeglass manages more clusters than there are Ransomware Defender Agent Licenses it cannot be guaranteed that the cluster selected in Security Guard is actually licensed at run time.

Workaround: Deploy same number of Ransomware Defender Agent Licenses as the number of PowerScale Clusters being managed by Eyeglass.

—————————————————–


T8889 Cannot enable Security Guard with default schedule on a newly deployed 2.5.3 ovf

The drop down list to schedule Security Guard has an invalid default.

Workaround: Click the drop down and set a valid schedule.

—————————————————–

T4228  Security Guard Temporary Errors

Security Guard may occasionally error with 0 files written.

Workaround: This condition typically clears itself on the next Security Guard run. It does not affect the workflow for a real security event.

If it does not clear, follow these steps to recover:

  1. Archive as Unresolved

  2. Run Security Guard manually to ensure that it is operational again.

—————————————————–

T4965  Security Guard User Authentication Fails

When provisioning the Security Guard Active Directory user and password, Eyeglass checks that the username and password entered can be successfully authenticated.  On initial configuration you may see the message “user could not be authenticated” even though the username and password are correct.

Workaround: After confirming that the username and password are correct, subsequent provisioning is successful.

—————————————————–

T7574  Flag as False Positive Option should not be available for Security Guard Events

Security Guard provides automated end to end validation of Ransomware detection, lockout and restore and therefore should not be flagged as false positive. The Flag as False positive option is currently available to be selected for Security Guard events and should not be.

Workaround: Manual process required to prevent applying Flag as False positive to Security Guard events.

—————————————————–

T15175 Existing Security Guard Logs lost formatting after upgrade to 2.5.6

Any existing Security Guard logs viewed from the Eyeglass GUI will have lost the formatting.

Workaround: None required. New logs will have correct formatting.

—————————————————–

Manage Services

T4192 Manage Services status not accurate after ECA Node Down

After an ECA node has been powered off / gone down and subsequently powered back on and rejoined to the ECA cluster it continues to display the Inactive state in the Eyeglass Manage Services window even when it is active again and healthy.

Workaround:  Once the node is back up, remove it from the Manage Services window by selecting the X in the node’s row.  Wait 1 to 2 minutes and the service should be rediscovered with the correct state.

—————————————————–




General

T4230 Blank Ransomware Defender Window

After archiving an Event the Ransomware Defender window tabs may appear empty.   

Workaround: Close and reopen the Ransomware Defender window.

—————————————————–

T4183  Refresh does not work for Ransomware Defender multi-page lists

Ransomware Defender window with multiple pages is not updated by Refresh except for the first page.   

Workaround: To update the list go back to the first page of the list.

—————————————————–

T15457 HTML5 VMware vCenter bug on OVA deployment

Some versions of the VMware vCenter HTML5 user interface have a known issue with OVA properties not being read correctly post power on, leading to first boot issues.

Workaround: Use the Flash client instead.


—————————————————–


T4336  Eyeglass Restore does not restore Security Guard Job History

Security Guard historical log files are not restored when you restore configuration from backup.   

Workaround: None available.

—————————————————–

T4549  Ransomware Defender Settings Submit button enabled when no changes made

When the Ransomware Defender Settings window is opened the Submit button is enabled even though no changes have been made to any settings. If you navigate to another view and come back to Settings, the Submit button is then correctly disabled until a change is made on the page.  

Workaround: None required.

—————————————————–

T6617  PowerScale Directory Selector does not display hidden directories

Directories that start with a dot (.) are not displayed in the PowerScale Directory Selector.   

Workaround: Use the PowerScale Directory Selector to enter \ifs\ and then enter the remainder of the path manually.

—————————————————–

T8807  Deleting cluster from Eyeglass does not clear associated Ignore List and Wiretap settings

When a PowerScale cluster is deleted from management in Eyeglass, any associated Ransomware Defender Ignore List or Wiretap settings are not cleared.

Workaround: Manually delete Ignore List and Wiretap settings for deleted clusters.

—————————————————–

T18810 GUI not updated after canceling an operation to switch modes

In the Ransomware Defender Thresholds window if you are switching between Advanced and Monitor or Advanced and Enforcement mode and upon being prompted you select No to cancel the operation, the GUI does not refresh and return to the original Advanced mode. Impact: Display issue only, the mode change is cancelled.

Workaround: Switch between tabs in the Ransomware Defender window or use the Eyeglass desktop Refresh Now button.

—————————————————

T21207 Custom Snapshot Expiry not preserved after modifying Settings on Threshold menu

A custom snapshot expiry set using the igls rsw generalsettings set --snapshot_expiry_hours command is reverted to the default value of 48 hours if there are any changes made and saved in the Ransomware Defender Threshold menu. No impact to snapshot creation, only the schedule is reverted to default.

Workaround: After making a change in the Threshold window, re-run the igls command to set the custom snapshot expiry.


Known Limitations

Threat Detection

T6914  Some extensions still result in lockout when added to the ignore list

For the following well-known extensions, a lockout will still occur even if these extensions have been added to the extension ignore list using the igls rsw allowedfiles add --extensions command:

*.[teroda@bigmir.net].masterteroda@bigmir.net

*.[mich78@usa.com]

*.symbiom_ransomware_locked

*.[resque@plague.desi].scarab

Workaround: The alternate Ignore capabilities for User, Path or IP address documented here may be used to work around this issue.

—————————————————–

T7191 SMB service not enabled when access restored when lockroot is true

If you have Ransomware Defender configured to disable the SMB service when a root user event is detected (see the Ransomware Admin guide here, section Securing Root User on PowerScale), the SMB service is not automatically re-enabled when you restore user access.

Workaround: Manually enable SMB service on PowerScale once access is restored and you are ready to resume file access for SMB users.

—————————————————–

T7670 Restoring user access via CLI does not update status of Security Event in the GUI

If you have restored user access after a lockout using the CLI command "igls rsw restoreaccess set --user=DOMAIN\\user", the associated Security Event in the GUI is not updated and remains in the active state.

Workaround: Open the Actions window for the active event, enter a comment that access has been manually restored and then archive the event.

—————————————————–

T8744 No event processing once Signal Strength passes 2 times Critical Threshold

Once a Security Event or Active Audit event has passed 2 times the Critical threshold configured in Ransomware Defender Settings, there is no further processing of Signals for the associated user. In all cases, actions based on the Critical threshold settings will already have been taken before the 2x level is reached.

Where both Ransomware Defender and Easy Auditor are licensed, the limit of 2 times the Ransomware Critical threshold on the count of Signals processed for a particular user is applied independently for Ransomware Defender and Easy Auditor.

Workaround: None Available.

—————————————————–

T8986 NFS export lockout cannot be restored

An NFS export that has been locked out due to Ransomware Defender detecting a security event cannot be restored using Superna Eyeglass. You are able to select the Restore option and the Event History indicates that the permissions are restored but in fact the NFS export will still be in read-only state.

Workaround: On lockout, NFS clients are moved to "Always Read-Only Clients". They will need to be manually moved back to the correct access type using the Isilon GUI or CLI to modify the export.

—————————————————–

T15705 After upgrade to 2.5.6 cannot download CSV for Ransomware Event Files from events detected in prior releases

After upgrading to Release 2.5.6, CSV download of files related to Ransomware events generated on a previous release is not available.

Workaround: The GUI can still be used to view the files, or the files may be found on the Eyeglass appliance in the /srv/www/htdocs/rsw_event_all_files directory.

—————————————————–

T16723 Error on Lockout of Shares on DR cluster

Under some conditions where a Ransomware Defender Lockout job overlaps with a Configuration Replication job you may see an error locking out some shares on the DR cluster with error message code 409 AEC_CONFLICT. No impact to protection from Ransomware, as the shares on the DR cluster only provide access to read-only data.

Workaround: You can re-attempt the Lockout from the Ransomware Defender window Action menu for the Active Event. Deny permissions can also be applied manually from the PowerScale interface as required.

—————————————————–

T17287 Many Access Zones slows down creation of snapshots and lockout

In the case where there are many Access Zones configured, analysis of user accessible shares must be done for all Access Zones before snapshot processing or lockout is started.

Workaround: None available

—————————————————–

T7574  Option to set learned threshold for Security Guard in RESTORED_USER_ACCESS state

The menu to add Security Guard to the Learned Threshold is incorrectly provided when the event is in the RESTORED_USER_ACCESS state.  The option can be selected and indicates that the flag as false positive was applied, but it is not actually applied and it does not appear in the Learned Threshold list.


Workaround: None required

—————————————————–

T18733 Ransomware Defender Affected Files Download Menu Naming 

The Ransomware Defender Affected Files Download Menu is incorrectly named Affected Files - All.  As described in the Ransomware Defender documentation here it is possible to have more files associated with the event than displayed in the file.

—————————————————–


General

T16137 Anyrelease restore does not restore all Ransomware Defender and Easy Auditor settings

There is no restore of settings from release 2.5.4 and earlier. For release 2.5.4 and earlier, continue to capture all Ransomware settings (False Positive, Ignore List, Allowed Extensions, Security Guard) and Easy Auditor settings (Active Auditor Trigger settings, RoboAudit). Post restore, verify the settings and update where required before running cluster up on the ECA.

In all cases, restoring an Eyeglass backup using the --anyrelease option will not restore following Ransomware Defender and Easy Auditor settings:

Ransomware Defender: Event History, Threats Detected

Easy Auditor: Finished Reports, Scheduled Reports, Saved Queries

—————————————————–

T16821 anyrelease restore restrictions for restore to 2.5.7

Ransomware Defender, Easy Auditor and Performance Auditor deployments cannot use the anyrelease restore option to upgrade to a new appliance running 2.5.7.  For the case where a backup & restore is required due to the 42.3 OS on the original deployment, a backup & restore to 2.5.6 must be done first, followed by an upgrade to 2.5.7; alternatively, an in-place OS upgrade must be done prior to the 2.5.7 upgrade.

—————————————————–

T20370 Monitor Only Settings Client IP applies to all PowerScale clusters

If multiple PowerScale clusters are licensed for Ransomware Defender, a setting in the Client IP list for Monitor Only Settings is applied to all clusters. There is no option to associate the setting with a specific cluster. Also, if you convert the Ignore List to the Monitor list, any Client IP setting from the Ignore list will also be applied to all clusters.



© Superna LLC