Enabling Ransomware Prevention

Scenarios

Ransomware prevention can detect and defend against known and unknown ransomware in real time. You are advised to enable it for every server.

If the agent version of a server is not one of the preceding versions, or ransomware prevention has been disabled, you can perform the operations in this section to enable it.

If you find suspicious files on a server after enabling ransomware prevention, submit a service ticket to contact technical support and check whether the files are the honeypots deployed by HSS. Honeypot files are used to detect ransomware attacks. They do not affect your services, do not contain any malicious content, and cannot be manually deleted.

Step 1: Creating a Protection Policy

Before enabling ransomware prevention, create a ransomware protection policy and configure honeypot protection directories, protected file types, and protection actions.

1. Log in to the management console.
2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
3. Choose Server Protection > Ransomware Prevention.
4. (Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.
5. Click the Policies tab and click Add Policy.
6. Configure policy parameters. For more information, see Table 1.
   Figure 1 Protection policy parameters
   

   Table 1 Protection policy parameters

   Parameter	Description	Example Value
   OS	Server OS.	Linux
   Policy	Policy name.	Anti_Ransomware
   Action	How an event is handled. Report alarm and isolate Report alarm	Report alarm and isolate
   Dynamic Honeypot Protection	After honeypot protection is enabled, the system deploys honeypot files in protected directories and other random locations (unless otherwise specified by users). The honeypot files deployed in random locations are automatically deleted every 12 hours and then randomly deployed again. A honeypot file occupies a few server resources. Therefore, configure the directories that you do not want to deploy the honeypot file in the excluded directories. This parameter is mandatory only for Linux servers.	Enabled
   Honeypot File Directories	Directory that needs to be protected by static honeypot (excluding subdirectories). You are advised to configure important service directories or data directories. Separate multiple directories with semicolons (;). You can configure up to 20 directories. This parameter is mandatory for Linux servers and optional for Windows servers.	Linux: /root;/home;/opt;/var;/etc Windows: C:\software
   Excluded Directory (Optional)	Directory that does not need to be protected by honeypot files. Separate multiple directories with semicolons (;). You can configure up to 20 excluded directories.	Linux: /bin;/boot;/lib;/lib32;/lib64;/lost+found;/proc;/run;/sbin;/selinux;/srv;/sys;/usr/bin;/usr/local/bin;/usr/local/sbin;/usr/sbin;/var/lib/container;/var/lib/kubelet;/var/lib/ntp/proc Windows: C:\software\test
   Protected File Type	Types of files to be protected. More than 70 file formats can be protected, including databases, containers, code, certificate keys, and backups. This parameter is mandatory only for Linux servers.	Select all
   (Optional) Process Whitelist	Paths of the process files that can be automatically ignored during the detection, which can be obtained from alarms. This parameter is mandatory only for Windows servers.	-
   AI Ransomware Prevention	It monitors all server files, detects ransomware attack characteristics (including the characteristics of ransomware letters and encryption behaviors) in real time, and determines whether the server is under a ransomware attack. Suspicious events are further checked by the graph engine through comprehensive source tracing analysis to determine whether they are ransomware attacks. For details about graph engine detection, see Policy Management Overview. To use the graph engine, you need to enable it and the HIPS policy as well. For details, see Configuring Policies. To use AI ransomware prevention, your Windows agent version must be 4.0.28 or later. This parameter is mandatory only for Windows servers.

7. Click OK.

   If the added protection policy is displayed in the protection policy list, the policy has been added.

Step 2: Enabling Ransomware Prevention

After a protection policy is created, you can enable ransomware prevention by referring to this section.

1. Log in to the management console.
2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
3. Choose Server Protection > Ransomware Prevention.
4. Click the Protected Servers tab.
5. In the Ransomware Prevention Status column of a server, click Enable.

   You can also select multiple servers and click Enable Ransomware Prevention above the server list.

   Figure 2 Enabling
   

6. In the Enable Ransomware Prevention dialog box, confirm the server information and select a protection policy.
   Figure 3 Enabling ransomware prevention
   

7. Click OK.

   If the Ransomware Prevention Status of the server changes to Enabled, ransomware protection is enabled successfully. For details about the ransomware prevention status, see Table 2.

   Table 2 Protection status description

   Ransomware prevention status	Description
   Protected	Ransomware prevention has been enabled.
   Disabled	Ransomware prevention is not enabled.
   Enabling	Ransomware prevention is being enabled.
   Disabling	Ransomware prevention is being disabled.
   Protection failed	Ransomware prevention failed. Rectify the fault by referring to Ransomware Protection Exception.
   Protection degraded	Honeypot files failed to be deployed in some protected directories. As a result, the protection is degraded. Check whether the System group has full control permissions on the protected directories.

FAQ

Ransomware Protection Exception