Release 2.5.6 - Release Notes Ransomware Defender
- What’s New in Superna Eyeglass Ransomware Defender Edition Release 2.5.6
- Supported OneFS releases
- Supported Eyeglass releases
- Active Directory Compatibility
- Inter Release Functional Compatibility
- End of Life Notifications
- Support Removed in Eyeglass Release 2.5.6
- Enhancements / Fixes in 2.5.6-20258
- New: T16769 New behaviour detections enabled by default
- T16510 Flag as False Positive settings may not take effect
- T15926 Invalid user format in ignore list stops threat detection analysis
- T16148 Paths or Files that contain the string **analytics** are ignored for user behaviour Ransomware detection algorithms
- T16149 New behaviour detections enabled by default
- T15359 Backup & Restore does not restore Ransomware Defender or Easy Auditor settings
- T15230 Configuration of Ransomware Defender Thresholds requires temporary exit from Monitor Mode
- T15040 New Behaviour detections available
- T15427 Security Guard Restore Access updates GUI for other Active Events as restored
- Technical Advisories
- T4151 Action Window Event Action History does not show Unreachable Cluster
- T3732 Restored permission may be incorrect for consecutive lockouts
- T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates
- T4337 Modifying Ransomware Defender Settings or Running the lock root command removes lock root settings
- T4777 Snapshots not created for any Events that are Active when the Snapshot feature is enabled
- T4819 Empty Event History List
- T4950 Alarm text for failed Snapshot delete references Snapshot create
- T4955 Subsequent Create Snapshot action will delete reference to previously created snapshots if an error occurs during the create
- T5024 Major Events may reappear in the Active Events list after being recovered
- T5756 Error on restoring permissions does not raise an alarm
- T5954 Events that are promoted to Major due to multiple event “Upgrade to Major” are locked out immediately
- T6728 Extensions with special characters cannot be removed from the ignore list
- T7062 User may not be locked out in a multi-user security event
- T7190 Active Events may show State of Warning instead of Monitor when Monitor Mode is enabled
- T11586 NFS Lockout Event Information does not include NFS Export path
- T11590 NFS Lockout Event does not generate a PowerScale snapshot
- T11832 Ransomware Security Event which is promoted from Warning to Major does not respect Major Grace Period
- T14798 Well Known user Authenticated Users not handled
- T15198, T15650 Ransomware Events may have inaccurate Signal Strength
- T15234 igls rsw restore leaves share without permission where user permission configured
- T15639 T18812 Error replicating AD Group or Local User Run as Root SMB permissions affects Lockout and Restore
- T16229 GUI incorrectly reports error when manually creating a snapshot
- T16462 NFS lockout may fail
- T16830 TD 7 Extension flag as false positive will add to the UI but will not take effect
- T17900 Clients column for Ransomware events may not display all IP addresses
- T18985 igls rsw restoreaccess cannot restore access for unresolvable user
- Security Guard
- T4197 Security Guard Error for Unlicensed Cluster
- T4228 Security Guard Temporary Errors
- T4965 Security Guard User Authentication Fails
- T15175 Existing Security Guard Logs lost formatting after upgrade to 2.5.6
- Manage Services
- T4192 Manage Services status not accurate after ECA Node Down
- General
- T4230 Blank Ransomware Defender Window
- T4183 Refresh does not work for Ransomware Defender multi-page lists
- T15457 HTML 5 VMware vCenter bug on OVA deployment
- T4336 Eyeglass Restore does not restore Security Guard Job History
- T4549 Ransomware Defender Settings Submit button enabled when no changes made
- T6617 PowerScale Directory Selector does not display hidden directories
- Known Limitations
- T6914 Some extensions still result in lockout when added to the ignore list
- T15705 After upgrade to 2.5.6 cannot download CSV for Ransomware Event Files from events detected in prior releases
- T16723 Error on Lockout of Shares on DR cluster
- T17287 Many Access Zones slows down creation of snapshots and lockout
- General
- T16137 Anyrelease restore does not restore all Ransomware Defender and Easy Auditor settings
What’s New in Superna Eyeglass Ransomware Defender Edition Release 2.5.6
What’s New in Superna Eyeglass Ransomware Defender Edition Release 2.5.6 can be found here.
Supported OneFS releases
8.0.0.x
8.0.1.x
8.1.x.x
8.1.2.x
8.1.3.x
8.2.0.x
8.2.1.x
8.2.2.x
9.0
9.1
Supported Eyeglass releases
Superna Eyeglass Ransomware Defender Version | Superna Eyeglass Version |
2.5.6-20263 | 2.5.6-20263 |
2.5.6-20258 | 2.5.6-20258 |
2.5.6-20158 | 2.5.6-20158 |
2.5.6-20084 | 2.5.6-20084 |
2.5.6-20069 | 2.5.6-20069 |
2.5.6-20063 | 2.5.6-20063 |
2.5.6-20056 | 2.5.6-20056 |
2.5.5-20019 | 2.5.5-20019 |
2.5.5-19234 | 2.5.5-19234 |
2.5.5-19226 | 2.5.5-19226 |
2.5.5-19219 | 2.5.5-19219 |
2.5.5-19188 | 2.5.5-19188 |
2.5.5-19184 | 2.5.5-19184 |
2.5.4-19106 | 2.5.4-19106 |
2.5.4-18266 | 2.5.4-19106, 2.5.4-18275, 2.5.4-18266 |
2.5.3-18257 | 2.5.4-18275, 2.5.4-18266, 2.5.3-18251 |
2.5.2-18080 | 2.5.2-18080 |
2.5.1-18013 | 2.5.1-18012 |
Active Directory Compatibility
Ransomware Defender Versions | Supported Active Directory Versions |
2.5.6 and 2.5.5 all versions | Microsoft Active Directory 2008, 2012, 2016 |
Inter Release Functional Compatibility
Function | OneFS 8.0 | OneFS 8.1 | OneFS 8.2 | OneFS 8.0 - OneFS 8.1 | OneFS 8.0 or 8.1 - OneFS 8.2 |
Threat Detection | Yes | Yes | Yes | Untested | Untested |
Security Guard | Yes | Yes | Yes | Untested | Untested |
End of Life Notifications
End of Life Notifications for all products are available here.
Support Removed in Eyeglass Release 2.5.6
7.1.1.x
7.2.x.x
7.2.1.x
2. The Internet version of the well-known ransomware extension list is deprecated, and a cached version built into the code is used instead. In the next release, 2.5.7, the file will be managed from Eyeglass and will have access to versioned files reachable via the same URL required for Phone Home, for simplicity. More details on the 2.5.7 release can be found here, and on the new management of the extension list from the Eyeglass Ransomware Defender window here.
Enhancements / Fixes in 2.5.6-20258
Refer to Enhancements/Fixes in previous 2.5.6 versions.
Enhancements in 2.5.6-20258
Threat Detection
New: T16769 New behaviour detections enabled by default
The new Ransomware behaviour detections available in 2.5.6-20158 are now enabled by default.
Fixed in 2.5.6-20158
Threat Detection
T16510 Flag as False Positive settings may not take effect
Under some conditions initiating Archive as False Positive from the Ransomware Defender Active Events GUI does not take effect. There is no visible error related to this issue.
Resolution: Issue was related to one threat detection area and has been resolved. Archive as False Positive from the Ransomware Defender Active Events GUI now takes effect.
—————————————————–
Enhancements/Fixed in 2.5.6-20084
Threat Detection
T15926 Invalid user format in ignore list stops threat detection analysis
Adding a user to the ignore list (local or AD) where the user entry has an invalid format blocks threat detection analysis.
Resolution: Entry of a user with an invalid format to the ignore list is now blocked.
—————————————————–
T16148 Paths or Files that contain the string **analytics** are ignored for user behaviour Ransomware detection algorithms
The user behaviour Ransomware detection algorithms skip any folders or files that contain the string **analytics**. Honeypot share and well-known extension matching are not affected by this issue.
Resolution: Paths and filenames containing the string "analytics" are now included in user behaviour Threat Detection analysis.
—————————————————–
T16149 New behaviour detections enabled by default
The new Ransomware behaviour detections introduced in 2.5.6-20069 are now enabled by default. NOTE: TD 12 is not active in the flag as false positive action menu and will be added in a future release.
NOTE: This may introduce new detections that will need to be evaluated to determine whether additional tuning of Ransomware Defender settings is required.
—————————————————–
General
T15359 Backup & Restore does not restore Ransomware Defender or Easy Auditor settings
A Backup & Restore does not restore the Ransomware Defender or Easy Auditor settings.
Resolution: Ransomware Defender settings are now restored on a restore from release 2.5.5 to 2.5.6. There is no restore of settings from release 2.5.4 and earlier. For release 2.5.4 and earlier, continue to capture all Ransomware settings (False Positive, Ignore List, Allowed Extensions, Security Guard) and Easy Auditor settings (Active Auditor Trigger settings, RoboAudit). Post restore, verify settings and update where required before cluster up on ECA. The following are expected not to be restored on an AnyRelease restore: Ransomware Defender: Event History, Threats Detected; Easy Auditor: Finished Reports, Scheduled Reports, Saved Queries.
—————————————————–
Enhancements/Fixed in 2.5.6-20069
Threat Detection
T15230 Configuration of Ransomware Defender Thresholds requires temporary exit from Monitor Mode
If you have Monitor Mode active, it is necessary to exit from Monitor Mode temporarily while making changes to Ransomware Defender Threshold settings. While temporarily exited from Monitor Mode, lockouts can occur based on existing settings. You should enter Monitor Mode again immediately after making the change.
Resolution: All threshold levels can now be modified without exiting Monitor Mode. With Monitor Mode enabled, an additional description "Not Applied (Monitor Mode)" is shown to clarify that updated values are not active while in Monitor Mode.
—————————————————–
T15040 New Behaviour detections available
Contact support.superna.net to upgrade.
—————————————————–
Security Guard
T15427 Security Guard Restore Access updates GUI for other Active Events as restored
When the Security Guard restore access step is executed, if there are other active events in the Ransomware Defender / Active Events list in the LOCKED_OUT "State", the "State" of those other active events will also be updated to "ACCESS_RESTORED" in the GUI, but no actual restore step is done: the other user accounts still have the deny permission applied on their PowerScale shares.
Resolution: Access is now restored only for the Security Guard user. Other Active Events are not updated as part of the Security Guard job.
—————————————————–
Technical Advisories
Technical Advisories for all products are available here.
Known Issues
Threat Detection
T4151 Action Window Event Action History does not show Unreachable Cluster
In the event that a Cluster is unreachable during a Lockout operation, the Active Event state will correctly show ERROR and the Event Action History will show “Partially Locked out” but does not display the cluster that was unreachable or the shares that could not be locked out.
Workaround: Manually inspect the clusters that were locked out. For any cluster under management that is missing, review the shares, determine which ones the affected user has access to, and then manually block access.
—————————————————–
T3732 Restored permission may be incorrect for consecutive lockouts
In the event that user share access has been locked and subsequently restored and another lockout occurs before Eyeglass inventory has run, the “restore” permissions associated with shares may be the lockout settings from the previous lockout.
Workaround: Permissions should be restored manually by removing the deny permission for the affected user. Use the Event Action History to determine the affected shares.
—————————————————–
T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates
The Ransomware Defender Job History “Run Date” is based on the Eyeglass appliance time zone whereas the Event History “Detected” date is translated to the client browser locale.
Workaround: Translate one of the dates to the time zone of the other date to correlate Security Guard Jobs to events in the Event History.
—————————————————–
T4337 Modifying Ransomware Defender Settings or Running the lock root command removes lock root settings
Lock root settings applied using the command
igls admin lockroot --lock_root
are lost each time a change is made to Ransomware Settings or the igls admin lockroot command is run. If lock root was enabled, it becomes disabled.
Workaround: Each time a Ransomware Settings change is made, the lock root setting must be reapplied manually. Please contact support.superna.net for assistance.
—————————————————–
T4777 Snapshots not created for any Events that are Active when the Snapshot feature is enabled
If there are any Active Events when the Create Snapshot option is enabled, no Snapshots will be created for these already Active Events.
Workaround: Enable the Create Snapshot option when there are no Active Events. Events raised after the Create Snapshot option was enabled will have associated Snapshots created for affected shares.
—————————————————–
T4819 Empty Event History List
There may be conditions where having other windows open such as the Event Action History may result in the Event History list being displayed with no entries.
Workaround: Close all Ransomware Defender related windows and then re-open the Ransomware Defender -> Event History tab.
—————————————————–
T4950 Alarm text for failed Snapshot delete references Snapshot create
The alarm that is raised when a Snapshot delete fails contains the text “Failed to create snapshots” instead of “Failed to delete snapshots”.
Workaround: Check the Action Log for the event to determine whether a snapshot create or delete has failed.
—————————————————–
T4955 Subsequent Create Snapshot action will delete reference to previously created snapshots if an error occurs during the create
The Create Snapshot action can be executed multiple times for a given event. If it has been run previously and then run again and the subsequent run has an error on creating any snapshot, the Snapshots list only contains the snapshots from the last run. Previously created snapshots are no longer displayed.
Workaround: Check the Event Action History log for the complete list of created snapshots.
—————————————————–
T5024 Major Events may reappear in the Active Events list after being recovered
An event which crosses the Major threshold and is recovered to Historical Events without being locked out (Stop lockout timer) may appear in the Active Events list again immediately after being recovered (Mark as recovered).
Workaround: Stop the lockout timer and Mark the event as recovered again. This may have to be repeated several times. Locking the affected user out followed by Restore User Access and then archiving the event as recovered may also resolve this issue.
—————————————————–
T5756 Error on restoring permissions does not raise an alarm
If a permissions restore action encounters an error, there is no associated alarm notification.
Workaround: Review the Action History for the Event to confirm that all restores were successful.
—————————————————–
T5954 Events that are promoted to Major due to multiple event “Upgrade to Major” are locked out immediately
For the case where there are multiple Warning events that cross the “Upgrade to Major” limit, when they are promoted to Major they are locked out right away instead of waiting for the configured Grace Period before locking out.
Workaround: The occurrence of this behaviour can be reduced by setting the “Upgrade to Major” threshold to a high number of users.
—————————————————–
T6728 Extensions with special characters cannot be removed from the ignore list
Extensions that have been added to the extension ignore list using the igls rsw allowedfiles add --extensions command cannot be removed from the ignore list using the igls rsw allowedfiles remove --extensions command.
Workaround: Contact Superna Support at support.superna.net to assist with removing these extensions.
—————————————————–
T7062 User may not be locked out in a multi-user security event
It may occur that a user is only partially locked out when a multi-user lockout is occurring due to an error response from the PowerScale cluster during user resolution in Active Directory. In this case the error is not displayed in the Eyeglass event history.
Workaround: The Event History will contain the shares that were successfully locked out. Should events continue to be generated against the user for the unlocked share, it may be locked out as a result of a subsequent event. The user may also be locked out manually by adding the deny permission to the share that was not locked out.
—————————————————–
T7190 Active Events may show State of Warning instead of Monitor when Monitor Mode is enabled
When Monitor Mode is enabled, the event state in Active Events may incorrectly display as Warning instead of Monitor.
Workaround: None Required. This is a display issue only. Verify that Monitor Mode is enabled on the Ransomware Defender / Settings tab.
—————————————————–
T7525 Affected Files also shows Active Auditor Affected Files
When viewing the Affected Files for a Ransomware Defender security event, any files associated with an Active Auditor event that has occurred at the same time are also displayed.
Workaround: Download the csv file and use the path associated with the Ransomware Defender event from the GUI to filter the results.
—————————————————–
T11586 NFS Lockout Event Information does not include NFS Export path
—————————————————–
T11590 NFS Lockout Event does not generate a PowerScale snapshot
When a Ransomware Security Event is detected for an NFS client, the PowerScale snapshot against related paths is not created.
Workaround: None available. PowerScale scheduled snapshots may be available for recovery.
—————————————————–
T11832 Ransomware Security Event which is promoted from Warning to Major does not respect Major Grace Period
If a Ransomware Security Event is promoted from the Warning to the Major threshold, the associated user is locked out right away instead of starting the Grace Period timer and only locking out if the Grace Period has expired and no manual action has been taken. Note that a Ransomware Defender Security event which is raised at the Major level will respect the configured Grace Period.
Workaround: None available.
—————————————————–
T14798 Well Known user Authenticated Users not handled
When the well-known user "Authenticated User" is used for share permissions, Ransomware Defender does not translate this permission into users and therefore does not apply a deny for any users against that share.
Workaround: Use the Everyone permission and leave the Guest account disabled. The Guest account is insecure and should never be enabled, because enabling it exposes data to Ransomware.
—————————————————–
T15198, T15650 Ransomware Events may have inaccurate Signal Strength
Ransomware Event processing may receive duplicate events and as a result may show a higher Signal Strength than is actually the case. The associated csv will also show duplicate entries for the same file. Ransomware processing may also intermittently skip a signal and as a result may show lower Signal Strength.
Workaround: None required. The duplicate events result in early detection of Ransomware events. Skipping of signals is intermittent and subsequent signals cross threshold for detection.
T15234 igls rsw restore leaves share without permission where user permission configured
If you have assigned share permission using AD user permission directly (no AD group permission), and that user is locked out and you are unable to restore access from the GUI, the igls rsw restoreaccess command that would usually be used to restore access will remove the deny permission but will not put back the original user permission.
Workaround: Restore user access for this case by directly editing the share on PowerScale to remove the deny and add user with correct level of access. The shares that are affected are displayed in the Ransomware Defender Active Events or Event History tabs in the Shares column.
T15639 T18812 Error replicating AD Group or Local User Run as Root SMB permissions affects Lockout and Restore
In some cases an SMB share permission that is configured with an AD group or Local User that has Run as Root privileges encounters an error on share updates for Ransomware Defender. The error either blocks Lockout so that it does not take effect, or on Restore the Run as Root SMB share permission is not restored.
Important: If you use run as root on shares you are exposing data to very high security risk since no lockout will be possible. This is because the user SID that is sent when an AD user accesses data with run as root enabled is the root user SID, not the actual AD user SID.
We recommend NOT using run as root on shares for the reason above; it also fails all security audits of PowerScale in all industry standards (PCI, HIPAA, FedRAMP, ITSG, etc.). Remove the run as root option on all shares.
Please review our documentation for more information: Securing root user on PowerScale.
Workaround: Manually restore or lockout user.
—————————————————–
T16229 GUI incorrectly reports error when manually creating a snapshot
If you use the Action menu to manually create a snapshot, the GUI shows an error but the snapshot is actually created. Automatic snapshot creation as part of active event detection is not affected by this issue.
Workaround: None required as the snapshot is created. Verify snapshot creation using the PowerScale OneFS interface.
—————————————————–
T16462 NFS lockout may fail
Under some conditions Ransomware Defender successfully detects a security event and sends notification of the event, but the associated NFS lockout action fails.
Workaround: Manual steps to block access to the PowerScale cluster are required in this case.
—————————————————–
T16830 TD 7 Extension flag as false positive will add to the UI but will not take effect
Flagging a TD 7 detection as false positive will add it to the UI, but the setting will not take effect. This is not a user behavior detection and requires a CLI command to whitelist the extension. This is by design; a future release will block this in the GUI and will allow adding to the extension whitelist automatically from the GUI. In the current release the CLI is required to add an extension to the whitelist.
Resolution: Use the CLI guide to add a whitelist for the extension. See guide here. A future release will remove flag as false positive for TD 7 detections.
__________________________
T17900 Clients column for Ransomware events may not display all IP addresses
For a security event where there are signals for the same User (account) from different IP addresses, the Clients column may not list all IP addresses.
Workaround: If you also have Superna Eyeglass Easy Auditor, an audit report for the User associated with the event may contain file activity which shows additional IP addresses.
__________________________
T18985 igls rsw restoreaccess cannot restore access for unresolvable user
If the user specified in the igls rsw restoreaccess command cannot be resolved by the Access Zone AD provider, the command cannot restore access for that user. For example, a lockout might occur on shares provisioned with the Everyone permission even when the Access Zone AD provider cannot resolve the AD user.
Workaround: The Ransomware Defender GUI can restore access in this case while the event is in the Active Events list. If the event has already been archived to the Event History contact support.superna.net for assistance.
Security Guard
T4197 Security Guard Error for Unlicensed Cluster
Security Guard fails when the PowerScale Cluster selected to run is not licensed.
Ransomware Defender dynamically picks priority PowerScale Clusters to license (refer to the Eyeglass Ransomware Defender Admin Guide for details on selection of the licensed cluster). For the case where Eyeglass is managing more clusters than there are Ransomware Defender Agent Licenses, one cannot be sure the Cluster selected in Security Guard is actually licensed at run time.
Workaround: Deploy the same number of Ransomware Defender Agent Licenses as the number of PowerScale Clusters being managed by Eyeglass.
—————————————————–
T8889 Cannot enable Security Guard with default schedule on a newly deployed 2.5.3 ovf
The drop down list to schedule security has an invalid default.
Workaround: Click the drop down and set a valid schedule.
—————————————————–
T4228 Security Guard Temporary Errors
Security Guard may occasionally error with 0 files written.
Workaround: This condition typically clears itself on the next Security Guard run. It does not affect workflow for a real security event.
If it does not clear, follow these steps to recover:
1. Archive as Unresolved.
2. Run Security Guard manually to ensure that it is operational again.
—————————————————–
T4965 Security Guard User Authentication Fails
When provisioning the Security Guard Active Directory User and password, Eyeglass checks that the username and password entered can be successfully authenticated. It may occur on initial configuration that you will see the message “user could not be authenticated” even though the username and password are correct.
Workaround: After confirming that the username and password are correct, subsequent provisioning is successful.
—————————————————–
T7574 Flag as False Positive Option should not be available for Security Guard Events
Security Guard provides automated end to end validation of Ransomware detection, lockout and restore and therefore should not be flagged as false positive. The Flag as False positive option is currently available to be selected for Security Guard events and should not be.
Workaround: Manual process required to prevent applying Flag as False positive to Security Guard events.
—————————————————–
T15175 Existing Security Guard Logs lost formatting after upgrade to 2.5.6
Any existing Security Guard logs viewed from the Eyeglass GUI will have lost the formatting.
Workaround: None required. New logs will have correct formatting.
—————————————————–
Manage Services
T4192 Manage Services status not accurate after ECA Node Down
After an ECA node has been powered off / gone down and subsequently powered back on and rejoined to the ECA cluster it continues to display the Inactive state in the Eyeglass Manage Services window even when it is active again and healthy.
Workaround: Once the node is back up, remove it from the Manage Services window by selecting the X in the node’s row. Wait 1 to 2 minutes and the service should be rediscovered with the correct state.
—————————————————–
General
T4230 Blank Ransomware Defender Window
After archiving an Event the Ransomware Defender window tabs may appear empty.
Workaround: Close and reopen the Ransomware Defender window.
—————————————————–
T4183 Refresh does not work for Ransomware Defender multi-page lists
Ransomware Defender window with multiple pages is not updated by Refresh except for the first page.
Workaround: To update the list go back to the first page of the list.
—————————————————–
T15457 HTML 5 VMware vCenter bug on OVA deployment
Some versions of the VMware vCenter HTML user interface have a known issue with OVA properties not being read correctly post power on, leading to first boot issues.
Workaround: Use the Flash client.
—————————————————–
T4336 Eyeglass Restore does not restore Security Guard Job History
Security Guard historical log files are not restored when you restore configuration from backup.
Workaround: None available.
—————————————————–
T4549 Ransomware Defender Settings Submit button enabled when no changes made
When the Ransomware Defender Settings window is opened the Submit button is enabled even though no changes have been made to any settings. If you navigate to another view and come back to Settings, the Submit button is then correctly disabled until a change is made on the page.
Workaround: None required.
—————————————————–
T6617 PowerScale Directory Selector does not display hidden directories
Directories that start with a dot (.) are not displayed in the PowerScale Directory Selector.
Workaround: Use the PowerScale Directory Selector to enter \ifs\ and then enter the remainder of the path manually.
—————————————————–
T8807 Deleting cluster from Eyeglass does not clear associated Ignore List and Wiretap settings
When a PowerScale cluster is deleted from management in Eyeglass, any associated Ransomware Defender Ignore List or Wiretap settings are not cleared.
Workaround: Manually delete Ignore List and Wiretap settings for deleted clusters.
—————————————————–
Known Limitations
Threat Detection
T6914 Some extensions still result in lockout when added to the ignore list
For the following well-known extensions, a lockout will still occur even if these extensions have been added to the extension ignore list using the igls rsw allowedfiles add --extensions command:
*.[teroda@bigmir.net].masterteroda@bigmir.net
*.[mich78@usa.com]
*.symbiom_ransomware_locked
*.[resque@plague.desi].scarab
Workaround: Alternate Ignore capabilities for User, Path or IP address documented here may be used to work around this issue.
—————————————————–
T7191 SMB service not enabled when access restored when lockroot is true
If you have Ransomware Defender configured to disable the SMB service if a root user event is detected (see the Ransomware Admin guide here, section Securing Root User on PowerScale), the SMB service is not automatically enabled when you restore user access.
Workaround: Manually enable SMB service on PowerScale once access is restored and you are ready to resume file access for SMB users.
—————————————————–
T7670 Restoring user access via CLI does not update status of Security Event in the GUI
If you have restored user access after a lockout using the CLI command "igls rsw restoreaccess set --user=DOMAIN\\user", the associated Security Event in the GUI will not be updated and will remain in the active state.
Workaround: Open the Actions window for the active event, enter a comment that access has been manually restored and then archive the event.
—————————————————–
T8744 No event processing once Signal Strength passes 2 times Critical Threshold
For the case where both Ransomware Defender and Easy Auditor are licensed, the limit reached at a Signals processed count of 2 times the Ransomware Critical threshold for a particular user is applied independently for Ransomware Defender and Easy Auditor.
Workaround: None Available.
—————————————————–
T8986 NFS export lockout cannot be restored
Workaround: On lockout, NFS clients are moved to "Always Read-Only Clients". They will need to be manually moved to the correct access type using the Isilon GUI or CLI to modify the export.
—————————————————–
T15705 After upgrade to 2.5.6 cannot download CSV for Ransomware Event Files from events detected in prior releases
After upgrading to Release 2.5.6, csv download of files related to Ransomware events generated on previous release is not available.
Workaround: The GUI can still be used to view the files, or the files may be found on the Eyeglass appliance in the /srv/www/htdocs/rsw_event_all_files directory.
—————————————————–
T16723 Error on Lockout of Shares on DR cluster
Under some conditions where a Ransomware Defender Lockout job overlaps with a Configuration Replication job you may see an error locking out some shares on DR cluster with error message code 409 AEC_CONFLICT. No impact to protection from Ransomware as the shares on the DR cluster are providing access to read-only data.
Workaround: You can re-attempt the Lockout from the Ransomware Defender window Action menu for the Active Event. The deny permission can also be added manually from the PowerScale interface as required.
—————————————————–
T17287 Many Access Zones slows down creation of snapshots and lockout
In the case where there are many Access Zones configured, analysis of user accessible shares must be done for all Access Zones before snapshot processing or lockout is started.
Workaround: None available.
General
T16137 Anyrelease restore does not restore all Ransomware Defender and Easy Auditor settings
There is no restore of settings from release 2.5.4 and earlier. For release 2.5.4 and earlier continue to capture all Ransomware settings (False Positive, Ignore List, Allowed Extensions, Security Guard) and Easy Auditor settings (Active Auditor Trigger settings, RoboAudit). Post restore verify settings and update where required before cluster up on ECA.
In all cases, restoring an Eyeglass backup using the --anyrelease option will not restore the following Ransomware Defender and Easy Auditor settings:
Ransomware Defender: Event History, Threats Detected
Easy Auditor: Finished Reports, Scheduled Reports, Saved Queries