Updated on 2023-02-16 GMT+08:00

Creating a Protection Policy

To protect your servers from ransomware, you can create a policy, set critical file paths in the policy, and enable machine learning.

Machine learning automatically collects and aggregates normal application behavior on the servers associated with the policy. Operations on files performed by untrusted applications or applications that are not specified in the policy will trigger alarms.

Ransomware prevention is a trial function in the current version. To use stronger functions, purchase HSS (New).

Prerequisites

  • The enterprise or WTP edition HSS has been enabled.
  • The Agent Status of the Linux server is Online.

Creating a Linux Protection Policy

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  3. On the Ransomware page, click the Policies tab, and click Create Policy, as shown in Figure 1.

    Figure 1 Linux protection policy page

  4. Set policy details, as shown in Figure 2.

    Figure 2 Configuring the Linux protection policy
    Table 1 Policy parameters

    Policy Name
      Ransomware prevention policy name

    Bait File
      If you enable the bait file function, HSS puts a bait file on each protected server to trap and kill ransomware.

    Intelligent Learning Period
      Select 7 days, 15 days, or 30 days. HSS uses a machine learning engine to identify whether an application has possibly tampered with any of the files on your servers.

    Action
      Action taken when suspicious operations on monitored files are detected, for example, reporting an alarm.

    Monitored Locations
      Paths of monitored files, separated by semicolons (;). Operations on files in these paths are monitored.
      Example: /opt;/opt/sap
      NOTE: You are advised to set this parameter to specific file paths. To protect all paths, set it to --.

    File Types
      Extensions of monitored files, separated by semicolons (;).
      Example: sql;txt;sh

  5. Click Add Server. In the displayed Add Server dialog box, select associated servers, as shown in Figure 3.

    Figure 3 Associating Linux servers

  6. Click OK.

    • You can check the name, IP address, and system of the associated server.
    • To remove an associated server, click Delete in the Operation column.

  7. Click Create and Learn.

    Created policies will be displayed in the policy list, as shown in Figure 4.

    Figure 4 Linux protection policy list
    Table 2 Policy list parameters

    Policy Name
      Intelligent learning policy name

    Servers Protected
      Number of servers protected by the policy

    Servers Being Studied
      Number of servers on which learning is being performed

    Trusted Processes
      Number of trusted processes. After the intelligent learning policy takes effect, HSS automatically identifies and counts trusted processes on your servers.

    Monitored Locations
      Locations of monitored files

    File Types
      Extensions of monitored files

    Action
      Action taken when suspicious operations on monitored files are detected. Example: Report alarm

    Bait File
      • Enabled: The bait file function is enabled. HSS puts a bait file on each protected server. Ransomware attempting to encrypt a bait file triggers an alarm immediately.
      • Disabled: The bait file function is disabled.

Creating a Windows Protection Policy

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  3. On the Ransomware page, click the Policies tab, and click Create Policy, as shown in Figure 5.

    Figure 5 Windows protection policy list

  4. Set policy details, as shown in Figure 6.

    Figure 6 Configuring the Windows protection policy
    Table 3 Basic information parameters

    Policy Name
      Ransomware prevention policy name

    Intelligent Learning Period
      Select 7 days, 15 days, or 30 days. HSS uses a machine learning engine to identify whether an application has possibly tampered with any of the files on your servers.

    Action
      Action taken when suspicious operations on monitored files are detected, for example, reporting an alarm.

    Monitored Locations
      Paths of monitored files, separated by semicolons (;). Operations on files in these paths are monitored. If no paths are specified, all files on the servers associated with the policy are monitored.

    File Types
      Extensions of monitored files, separated by semicolons (;).

  5. Click Add Server. In the displayed Add Server dialog box, select associated servers, as shown in Figure 7.

    Figure 7 Associating Windows servers

  6. Click OK.

    • You can check the name, IP address, and system of the associated server.
    • To remove an associated server, click Delete in the Operation column.

  7. Click Create and Learn.

    Created policies will be displayed in the policy list, as shown in Figure 8.

    Figure 8 Windows protection policy list
    Table 4 Policy list parameters

    Policy Name
      Intelligent learning policy name

    Servers Protected
      Number of servers protected by the policy

    Servers Being Studied
      Number of servers on which learning is being performed

    Trusted Processes
      Number of trusted processes. After the intelligent learning policy takes effect, HSS automatically identifies and counts trusted processes on your servers.

    Monitored Locations
      Paths of monitored files, separated by semicolons (;). Operations on files in these paths are monitored. If no paths are specified (-- is displayed), all files on the servers associated with the policy are monitored.

    File Types
      Extensions of monitored files, separated by semicolons (;).

    Action
      Action taken when suspicious operations on monitored files are detected, for example, reporting an alarm.
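
The following Python script is an added example, not HSS code and not taken from this page. It models the policy fields described in Table 1 and Table 3 (Monitored Locations, File Types, Action, Bait File) together with the trusted-process list that the intelligent learning period builds (Table 2 and Table 4), and shows how a single file operation on a Linux or Windows server would be classified once learning has finished. Everything about how the fields are interpreted is an assumption made for the example: a monitored location covers every file below it, extensions match case-insensitively, an empty File Types field means every type, any write-like operation on a bait file alarms regardless of process, and the learning stand-in simply trusts every process seen operating on monitored files during the window. The bait file name, process names and events are constructed; the product's exact semantics are not documented on this page.

```python
"""Toy evaluator for an HSS-style ransomware protection policy (added example, not HSS code).

Models the Table 1 / Table 3 fields and the trusted-process list from the learning
period. All matching rules, names and events below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath, PureWindowsPath

WRITE_LIKE_OPS = {"write", "rename", "delete"}  # operations that can damage a file


@dataclass
class Policy:
    name: str
    os: str                                   # "linux" or "windows"
    monitored_locations: str                  # "a;b"; "" or "--" means all paths
    file_types: str                           # "sql;txt;sh"; "" means all types (assumption)
    action: str = "Report alarm"
    bait_file_enabled: bool = True
    bait_files: tuple = ()                    # placeholder bait paths; real names are HSS-internal
    trusted_processes: set = field(default_factory=set)


def split_field(raw: str) -> list:
    """Split a semicolon-separated policy field, dropping blanks and stray whitespace."""
    return [item.strip() for item in raw.split(";") if item.strip()]


def make_path(policy: Policy, raw: str):
    """Pure path for the policy's OS; Windows paths compare case-insensitively."""
    return PureWindowsPath(raw) if policy.os == "windows" else PurePosixPath(raw)


def is_monitored(policy: Policy, file_path: str) -> bool:
    """True if the file is covered by both Monitored Locations and File Types."""
    path = make_path(policy, file_path)
    locations = policy.monitored_locations.strip()
    if locations not in ("", "--"):           # otherwise every path is in scope
        roots = [make_path(policy, p) for p in split_field(locations)]
        if not any(path == root or root in path.parents for root in roots):
            return False
    types = {t.lower().lstrip(".") for t in split_field(policy.file_types)}
    return not types or path.suffix.lstrip(".").lower() in types


def is_bait(policy: Policy, file_path: str) -> bool:
    """True if the bait file function is on and the path is one of the bait files."""
    path = make_path(policy, file_path)
    return policy.bait_file_enabled and any(path == make_path(policy, b) for b in policy.bait_files)


def learn(policy: Policy, baseline_events) -> None:
    """Stand-in for the intelligent learning period: every process seen operating on
    monitored files during the window is recorded as trusted. The real engine
    aggregates behaviour with machine learning; this baseline is deliberately naive."""
    for process, file_path, _op in baseline_events:
        if is_monitored(policy, file_path):
            policy.trusted_processes.add(process)


def evaluate(policy: Policy, process: str, file_path: str, op: str) -> str:
    """Classify one file operation once learning has finished."""
    if op in WRITE_LIKE_OPS and is_bait(policy, file_path):
        return "Report alarm (bait file touched)"   # fires whatever the process is
    if not is_monitored(policy, file_path):
        return "ignore"                               # outside the policy's scope
    if process in policy.trusted_processes:
        return "allow"
    return policy.action                              # untrusted process on a monitored file


def demo_policy() -> Policy:
    """Linux policy built from the page's example values (/opt;/opt/sap and sql;txt;sh),
    trained on a constructed baseline of normal activity."""
    policy = Policy(name="linux-ransomware-policy", os="linux",
                    monitored_locations="/opt;/opt/sap", file_types="sql;txt;sh",
                    bait_files=("/opt/bait_invoice_PLACEHOLDER.docx",))
    learn(policy, [                                   # constructed learning-period events
        ("sapstartsrv", "/opt/sap/db/customers.sql", "write"),
        ("vim", "/opt/notes/todo.txt", "write"),
        ("cron", "/var/log/cron.log", "write"),       # out of scope, so never trusted
    ])
    return policy


if __name__ == "__main__":
    policy = demo_policy()
    for event in [                                    # constructed post-learning events
        ("sapstartsrv", "/opt/sap/db/orders.sql", "write"),
        ("unknown_encryptor", "/opt/sap/db/orders.sql", "write"),
        ("unknown_encryptor", "/var/log/syslog", "write"),
        ("unknown_encryptor", "/opt/sap/db/orders.sql.locked", "rename"),
        ("unknown_encryptor", "/opt/bait_invoice_PLACEHOLDER.docx", "write"),
    ]:
        print(f"{event[0]:>18} {event[2]:<7} {event[1]:<45} -> {evaluate(policy, *event)}")
```

Running the script prints one classification per constructed event. Two of them illustrate points worth checking when you fill in the policy form: a write to /var/log/syslog is ignored because it lies outside Monitored Locations, and a rename to orders.sql.locked is ignored because the new extension is not in File Types, so a narrow File Types list can leave renamed files out of scope. The bait file alarms on any write-like operation even though its extension is not in the list, which is the behaviour Table 2 describes for the bait file function.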