Starting Anti-Ransomware
Log into your IBM i computer.
On the command line, type STRAR and press the Enter key.
The main Anti-Ransomware screen appears:
    TPAR                           Anti-Ransomware                       RLDEV

    Infection Prevention                    Reports
     1. How It Works                        41. Logs & Reports
     3. Threat Prevention Dashboard         Setup
     4. Reaction To Attack                  51. Activation
                                            52. Refresh Threat Information
     6. Inclusion/Exclusion
     7. Malware Honeypots                   Related Products
                                            61. Object Integrity Control
     9. Simulate Attack                     62. Antivirus
                                            69. Other Related Modules
    Resolving Attacks
    11. Work with Detected Attacks          Maintenance
    12. Work with ReCycle Bin               81. System Configuration
                                            82. Maintenance Menu
                                            89. Base Support

    Selection or command
    ===>

    F3=Exit F4=Prompt F9=Retrieve F12=Cancel
    F13=Information Assistant F16=System main menu
You can perform the following tasks from the options on this screen:
- Setting Reactions to Ransomware Attacks
- Excluding Files and Directories from Scanning
- Managing Default Honeypot Files
- Activating and De-Activating Ransomware Detection
- Updating Anti-Ransomware Definitions
- Simulating a Ransomware Attack
- Examining and Recovering Files in the Recycle Bin
Setting Anti-Ransomware Reactions to Suspected Attacks
To set the thresholds and durations for Anti-Ransomware responses, select 3. Threat Prevention Dashboard. The Threat Prevention Dashboard screen appears, as shown in Setting Thresholds for Ransomware Detection.
To set the methods by which Anti-Ransomware responds to alerts of different levels, select 4. Reaction To Attack. The Reaction To Attack screen appears, as shown in Setting Reactions to Ransomware Attacks.
Setting Inclusions and Exclusions
To set the names and extensions of files and directories that Anti-Ransomware should specifically include in or exclude from checks for ransomware, select 6. Inclusion/Exclusion from the main Anti-Ransomware screen. The Exclusions and Inclusions screen appears:
    TPRANS                    Exclusions and Inclusions             iSecurity/ATP
                                                              System:  RLDEV
    Exclusions
     1. Files, Directories, Extensions to Exclude
        These objects will not be checked for Ransomware
        No Ransomware checks will be done

     5. Locally Safe File Extensions
        These objects will not be considered a result of Ransomware
        Use this when a known Ransomware extension is safe in your organization
        Other Ransomware checks will be done

    Inclusions of Threats that were Just Published
    11. Just Published Ransomware File name and Extension
        Use this to add Ransomware information that has just became public

    Selection or command
    ===>

    F3=Exit F4=Prompt F9=Retrieve F12=Cancel
    F13=Information Assistant F16=System main menu
To set specific files, directories, and extensions to exclude, select 1. Files, Directories, Extensions to Exclude from the Exclusions and Inclusions screen. The Files and Directories to Exclude screen appears, as shown in Excluding Files and Directories from Scanning.
To set specific extensions to exclude, select 5. Locally Safe File Extensions from the Exclusions and Inclusions screen. The Well-Known Extensions screen appears, as shown in Excluding Files by Extension.
To set specific file names and extensions to include, select 11. Just Published Ransomware File name and Extension from the Exclusions and Inclusions screen. The Ransomware Files and Extensions screen appears, as shown in Including Files by Name or Extension.
Managing Malware Honeypots
To define and manage malware honeypots, select 7. Malware Honeypots from the main Anti-Ransomware screen. The Malware Honeypots screen appears:
    TPHONY                        Malware Honeypots                 iSecurity/ATP
                                                              System:  RAZLEE3
    Work with Honeypots
     1. Deploy Honeypots
     5. Setup Honeypot Template

    Malware honeypots are sacrificial files. If they are accessed, this is
    considered as a contributing sign that an attack takes place.

    Most Ransomware accesses files sequentially. It is recommended to name
    honeypot files in a way which will place them first in the folder list
    (i.e. AAA 0011 etc.).

    iSecurity honeypot files are recognized even if they are renamed or moved.

    ===>

    F3=Exit F4=Prompt F9=Retrieve F12=Cancel
    F13=Information Assistant F16=System main menu
To set up and manage honeypots, select 1. Deploy Honeypots. The Deploy Honeypots screen appears, as shown in Setting Up Malware Honeypots.
To manage the default set of honeypots, select 5. Setup Honeypot Template. The Setup Honeypot Template screen appears, as shown in Managing Default Honeypot Files.
Activating and De-Activating Anti-Ransomware
To activate and de-activate real-time ransomware detection and to work with related jobs, select 51. Activation from the main Anti-Ransomware screen. The Activation screen appears:
    TPACTV                            Activation                     iSecurity/ATP
                                                              System:  RLDEV
    Anti-Ransomware / Anti-Malware
     1. Activate Real-Time Detection
     2. De-activate Real-Time Detection

     5. Work with Subsystem ZRANSOM jobs
     7. Work with Subsystem QSERVER Jobs
     8. Work with Active QZLS* Jobs

    Auto-Activation
    11. Activate ZRANSOM Subsystem at IPL
    12. Do Not Activate ZRANSOM SBS at IPL

    Special Situations
    21. Activate NETSERVER with RESET(*YES)
        Use this option if joblog for option 1 or 2 says that the restart failed.

    Selection or command
    ===>

    F3=Exit F4=Prompt F9=Retrieve F12=Cancel
    F13=Information Assistant F16=System main menu
To activate real-time detection, select 1. Activate Real-Time Detection. The Anti-Ransomware - Activation screen appears, as shown in Activating and De-Activating Ransomware Detection.
To de-activate real-time detection, select 2. De-activate Real-Time Detection. The Anti-Ransomware - De-Activation screen appears, as shown in Activating and De-Activating Ransomware Detection.
To manage jobs from the ZRANSOM subsystem, which Anti-Ransomware uses, select 5. Work with Subsystem ZRANSOM jobs. The Work with Subsystem Jobs screen appears, as shown in Working with ZRANSOM jobs.
To manage jobs from the QSERVER subsystem, which Anti-Ransomware uses, select 7. Work with Subsystem QSERVER Jobs. The standard Work with Subsystem Jobs screen appears, with information on the QSERVER subsystem.
To manage active jobs with names beginning with QZLS*, which Anti-Ransomware uses, select 8. Work with Active QZLS* Jobs. The standard Work with Active Jobs screen appears, showing jobs with names that begin with the string "QZLS".
Select 21. Activate NETSERVER with RESET(*YES) if NETSERVER fails to restart. This option forces a reset and restart of NETSERVER.
Displaying Anti-Ransomware Logs and Reports
To display logs and journaled information for Anti-Ransomware, select 41. Logs & Reports from the main Anti-Ransomware screen. The ATP Logs & Reports screen appears:

    TPRPRT                        ATP Logs & Reports                iSecurity/ATP
                                                              System:  RLDEV
    Logs                                    Query Wizard
     1. Display ATP Log                     41. Work with Queries
     5. Display Journal                     42. Run a Query

    Anti-Ransomware                         Report Scheduler
    11. Display Ransomware Compromised      51. Work with Report Scheduler
                                            52. Run a Report Group
    Antivirus
    21. Display Log (IFS)
    22. Work with Log Directory (IFS)

    Selection or command
    ===>

    F3=Exit F4=Prompt F9=Retrieve F12=Cancel
    F13=Information Assistant F16=System main menu
To display Anti-Ransomware logs, select 1. Display ATP Log. The standard Display Audit Log Entries (DSPAULOG) screen appears, with the Audit Type field set to *BYENTTYP.
To display journaled information for Anti-Ransomware, select 5. Display Journal. The standard Display Journal (DSPJRN) screen appears, with the Journal field set to SMZV and the Library field set to SMZVDTA.
To display information on files that may have been compromised, select 11. Display Ransomware Compromised. The Display Ransomware Compromised (DSPRWCMP) screen appears, as shown in Displaying Ransomware Compromised Files.
Refreshing Threat Information
To manually refresh threat information, select 52. Refresh Threat Information from the main Anti-Ransomware screen. The Threat Information Refresh screen appears:
    TPRFRS                    Threat Information Refresh              iSecurity/ATP
                                                              System:  RLDEV
     1. Refresh
     2. Schedule Refresh
     3. Refresh Log

     9. Display Last Refresh Time

    Most current Ransomware does not use fixed extensions. It uses random ones
    or ignores extensions completely.
    As such, the importance of Threat Information is fading.
    iSecurity/Anti-ransomware continues to use it, but also employs other methods
    in parallel.

    Selection or command
    ===>

    F3=Exit F4=Prompt F9=Retrieve F12=Cancel
    F13=Information Assistant F16=System main menu
NOTE: By default, threat information is automatically updated every two hours.
To refresh threat information on demand, select 1. Refresh. The Update ATP Definitions (UPDATPDFN) screen appears, as shown in Updating Anti-Ransomware Definitions.
To schedule a refresh of threat information, select 2. Schedule Refresh. The standard Work with Job Schedule Entries screen appears, with information on the job AV$UPDATP, which performs the update on schedule.
To display the most recent refresh log, select 3. Refresh Log from the Threat Information Refresh screen (STRAV > 52). The refresh log file appears in a file display window:
    Browse : /SMZVDTA/log/ArRefreshLog.log
    Record : 1  of 6 by 18                     Column : 1  66 by 131
    Control :

    ************Beginning of data**************
    12-02-2025 07:00:01
    Not using proxy
    Success download from http://av.razlee.com/ransomware-fileext-list
    Success download from http://av.razlee.com/fileextlist.txt
    Success download all files
    More details in /smzvdta/log/ArWget.log
    ************End of Data********************

    F3=Exit F10=Display Hex F12=Cancel F15=Services F16=Repeat find
    F19=Left F20=Right
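A monitoring check for the refresh log shown above, as an added example that is not part of the product or its documentation: it parses the log layout from the display, confirms that the last run completed, lists sources that were not fetched over https, and flags a last run that is older than the default refresh interval. The function names, the day-month-year reading of the timestamp, and the 10-minute grace period are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample text copied from the log display above.
SAMPLE_LOG = """\
12-02-2025 07:00:01
Not using proxy
Success download from http://av.razlee.com/ransomware-fileext-list
Success download from http://av.razlee.com/fileextlist.txt
Success download all files
More details in /smzvdta/log/ArWget.log
"""

STAMP = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})$")
SOURCE = re.compile(r"^Success download from (\S+)$")
# Assumptions: day-month-year timestamps; two-hour default plus a 10-minute grace.
MAX_AGE = timedelta(hours=2, minutes=10)


def parse_runs(text, date_format="%d-%m-%Y %H:%M:%S"):
    """Split the log into refresh runs, one per timestamp line."""
    runs = []
    for line in (raw.strip() for raw in text.splitlines()):
        stamp = STAMP.match(line)
        if stamp:
            runs.append({"time": datetime.strptime(stamp.group(1), date_format),
                         "sources": [], "complete": False})
        elif runs:
            source = SOURCE.match(line)
            if source:
                runs[-1]["sources"].append(source.group(1))
            elif line == "Success download all files":
                runs[-1]["complete"] = True
    return runs


def check_last_refresh(text, now, max_age=MAX_AGE):
    """Return findings for the most recent run; an empty list means healthy."""
    runs = parse_runs(text)
    if not runs:
        return ["no refresh run found in log"]
    last, findings = runs[-1], []
    if not last["complete"]:
        findings.append("last run has no 'Success download all files' line")
    if now - last["time"] > max_age:
        findings.append(f"last run at {last['time']} is older than {max_age}")
    findings += [f"source not using https: {url}"
                 for url in last["sources"] if not url.lower().startswith("https://")]
    return findings
```
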
To display the time of the last update, select 9. Display Last Refresh Time. A window appears showing information on the update:
    TPRFRS                    Threat Information Refresh              iSecurity/ATP
                                                              System:  RAZLEE3
     1. Refresh
    ..............................................................................
    :  Details Of Last Refresh                                                   :
    :  Source A: Last Update - 2020-02-12 - 17:39:28 - Extensions:2386 ;         :
    :  Files:769                                                                 :
    :                                                                            :
    :                                                                    Bottom  :
    :  F12=Cancel                                                                :
    :............................................................................:
    ===> 9

    F3=Exit F4=Prompt F9=Retrieve F12=Cancel
    F13=Information Assistant F16=System main menu
Exiting Anti-Ransomware
To exit the Anti-Ransomware screen, press the F3 key.
