Managing Ransomware Protection Policies

Scenarios

After ransomware prevention is enabled, you can manage its policies as needed. Supported operations include:

• Changing a Policy: If the current protection policy bound to a server cannot meet your requirements, you can bind another policy to the server.
• Modifying a Policy: If you need to modify specific settings (such as the honeypot protection directories or excluded directories), you can modify them in an existing protection policy. When HSS automatically enables ransomware prevention, a protection policy is configured by default. (The default policy for Linux is tenant_linux_anti_default_policy, and that for Windows is tenant_Windows_anti_default_policy.) You can modify them as needed.
• Deleting a Policy: If a protection policy is discarded and not associated with any servers, you can delete the policy.

Changing a Policy

1. Log in to the management console.
2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
3. Choose Server Protection > Ransomware Prevention.
4. Click the Protected Servers tab.
5. Select a server and click Change Policy.

   You can also choose More > Change Policy in the Operation column of a server.

6. In the Change Policy dialog box, select a protection policy.
7. Click OK.

Modifying a Policy

1. Log in to the management console and go to the HSS page.
2. In the navigation pane, choose Server Protection > Ransomware Prevention. Click the Policies tab.
3. Click Edit in the Operation column of a policy. Edit the policy configurations and associated servers. For more information, see Table 1.
   The following uses a Linux server as an example. On the Protected Servers tab, you can also click the name of the policy associated with the server to edit the policy.

   Table 1 Protection policy parameters

   Parameter	Description	Example Value
   Policy	Policy name.	Anti_Ransomware
   Action	How an event is handled. Report alarm and isolate: If a ransomware attack is detected, an alarm will be generated, and the process that attempts to encrypt files will be blocked. Report alarm: If a ransomware attack is detected, only an alarm will be reported.	Report alarm and isolate
   Dynamic Honeypot Protection	A honeypot is a file that simulates actual service files. It can induce attackers and capture ransomware encryption behaviors in real time. Generally, dynamic and static honeypots are used together for comprehensive protection. After honeypot protection is enabled, the system will deploy honeypot files in honeypot directories and other random locations. (Honeypot files will not be deployed in the excluded directories specified by users). The honeypot files deployed in random locations are automatically deleted every 12 hours and then randomly deployed again. A honeypot file occupies a few server resources. You can configure excluded directories, and the honeypot files will not be deployed in them. Dynamic honeypots are more flexible and can better detect ransomware attacks. This parameter is mandatory only for Linux servers.	Enabled
   Honeypot File Directories	Static honeypots are deployed in specified directories. You can add important service directories or data directories as protected directories. Honeypot files will be deployed in these specified directories (excluding their subdirectories). They can distract attackers and slow down their attacks on real resources. Separate multiple directories with semicolons (;). You can configure up to 20 directories. This parameter is mandatory for Linux servers and optional for Windows servers.	Linux: /root;/home;/opt;/var;/etc Windows: C:\software
   Excluded Directory (Optional)	Directory that does not need to be protected by honeypot files. Separate multiple directories with semicolons (;). You can configure up to 20 excluded directories.	Linux: /bin;/boot;/lib;/lib32;/lib64;/lost+found;/proc;/run;/sbin;/selinux;/srv;/sys;/usr/bin;/usr/local/bin;/usr/local/sbin;/usr/sbin;/var/lib/container;/var/lib/kubelet;/var/lib/ntp/proc Windows: C:\software\test
   Protected File Type	Types of files to be protected. More than 70 file formats can be protected, including databases, containers, code, certificate keys, and backups. This parameter is mandatory only for Linux servers.	Select all
   (Optional) Process Whitelist	Paths of the process files that can be automatically ignored during the detection, which can be obtained from alarms. This parameter is mandatory only for Windows servers.	-
   Associate Servers	Information about the server associated with the policy. If you want to disassociate the server (disable ransomware protection), you can delete the policy.	-
   AI Ransomware Prevention	It monitors all server files, detects ransomware attack characteristics (including the characteristics of ransomware letters and encryption behaviors) in real time, and determines whether the server is under a ransomware attack. Suspicious events are further checked by the graph engine through comprehensive source tracing analysis to determine whether they are ransomware attacks. For more information about graph engine detection, see Policy Management Overview. To use the graph engine, you need to enable it and the HIPS policy as well. For details, see Configuring Policies. To use AI ransomware prevention, your Windows agent version must be 4.0.28 or later. This parameter is mandatory only for Windows servers.

4. Confirm the policy information and click OK.

Deleting a Policy

1. Log in to the management console and go to the HSS page.
2. In the navigation pane, choose Server Protection > Ransomware Prevention. Click the Policies tab.
3. Click Delete in the Operation column of the target policy.
   

   After a policy is deleted, the associated servers are no longer protected. Before deleting a policy, you are advised to bind its associated servers to other policies.

4. Confirm the policy information and click OK.