Setting Thresholds for Ransomware Detection
Anti-Ransomware inspects activity for signs of ransomware attacks in several different ways. Some checks give a clear indication that an attack is in progress; others note suspicious activity that suggests an attack may be happening. You can set thresholds for response based on:
- the type of activity
- the certainty that an attack is in progress, and
- the number of times in a set number of seconds that the activity has been detected.
To set the thresholds and durations for Anti-Ransomware responses, select 3. Threat Prevention Dashboard from the main Anti-Ransomware screen (STRAR) as shown in Starting Anti-Ransomware. The Threat Prevention Dashboard screen appears:
 *Active*           Threat Prevention Dashboard                      RLDEV

                                                        Number of   React
 Detected Attack                                         Checks      Y/N
 All indicators of a ransomware attack detected . . .        3        Y
 Some indicators of a ransomware attack detected . .         5        Y
 Strong indication of zero-day (unknown) ransomware attack.  9        Y
 Suspicious honeypot activity detected . . . . . . . . . .  10        Y

 Checks are not equal to files. Several checks may correspond to a single file.

 Additional Settings
 Period for number of checks . . . . . . . . . . . . . . .  30 Seconds
 Encryption detection certainty . . . . . . . . . . . . . .  50 Percent

 Lowering the detection certainty may result in more false positive detections.

 Important!
 o Keep this product active at all times.
 o Ensure you always have proper backups. This is a must.
 o Try not to pay ransom. Paying confirms that ransomware works, but does not
   guarantee that you will be able to remove the encryption.

 F3=Exit
Anti-Ransomware can react to threats based on several levels of detection, as shown in the first column on the screen:
All indicators of a ransomware attack detected
The activity matches every indicator that a known type of ransomware attack is in progress.
Some indicators of a ransomware attack detected
The activity matches some, but not all, indicators that a known type of ransomware attack is in progress.
Strong indication of zero-day (unknown) ransomware attack
The activity matches several general indicators of ransomware attacks, although it doesn't specifically match those of a known attack type.
Suspicious honeypot activity detected
A honeypot trap (as shown in Setting Up Malware Honeypots) has detected attempts to access decoy files that you have set up to spot suspected attacks.
For each of those items, if Anti-Ransomware detects:
- the number of checks shown in its Number of Checks field (checks are not files: several checks may correspond to a single file)
- of that level of detection
- within the number of seconds shown in the Period for number of checks field,
- with the degree of certainty shown in the Encryption detection certainty field,
- it triggers the reaction indicated in its React Y/N field (as set in Setting Reactions to Ransomware Attacks).
In the example shown here, Anti-Ransomware triggers a reaction if, within any 30-second period and with at least 50% encryption detection certainty, it detects either:
- three checks where all indicators show that known ransomware is attacking, or
- five checks where some, but not all, indicators show that known ransomware is attacking.
With the same 30-second period, a zero-day detection reacts after nine checks and honeypot activity after ten, because React is set to Y for every level on this screen.
In the Encryption detection certainty field, a higher number means that, to trigger a reaction, Anti-Ransomware must be more certain of what it has detected. To reduce false alarms, keep its value at 50 or above. Raising it well above the default makes detection correspondingly less sensitive, so change it in small steps and review the results before going further.
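The following is an added, illustrative model of the threshold rules described above; it is not Anti-Ransomware's own code, and the level names, the Check fields and the sample stream are constructed for the example. It holds the dashboard values from the example screen as plain data and replays a sequence of detection checks against them, so you can see how the Number of Checks, Period for number of checks, Encryption detection certainty and React Y/N settings interact. Two details the page does not specify are assumed and marked in the code: the window is half-open (a check exactly one period old no longer counts), and the window is cleared once a reaction fires so one burst yields one reaction.

```python
"""Illustrative model of the Anti-Ransomware threshold rules (constructed
example, not product code)."""
from collections import deque
from dataclasses import dataclass

# Dashboard values as shown on the example screen above (Y -> True, N -> False).
SETTINGS = {
    "ALL_INDICATORS":  {"checks": 3,  "react": True},   # All indicators of a ransomware attack detected
    "SOME_INDICATORS": {"checks": 5,  "react": True},   # Some indicators of a ransomware attack detected
    "ZERO_DAY":        {"checks": 9,  "react": True},   # Strong indication of zero-day (unknown) attack
    "HONEYPOT":        {"checks": 10, "react": True},   # Suspicious honeypot activity detected
}
PERIOD_SECONDS = 30       # Period for number of checks
CERTAINTY_PERCENT = 50    # Encryption detection certainty


@dataclass(frozen=True)
class Check:
    """One detection check. Several checks may correspond to a single file."""
    t: float        # seconds since monitoring started (constructed field)
    level: str      # key into SETTINGS (constructed names)
    certainty: int  # 0..100, how certain the detector is (constructed field)


class ThresholdMonitor:
    """Sliding-window counter per detection level.

    Assumptions not stated on the page: the window is half-open, so a check
    exactly `period` seconds old no longer counts, and the window is cleared
    once the count is reached so one burst produces one reaction.
    """

    def __init__(self, settings=SETTINGS, period=PERIOD_SECONDS,
                 certainty=CERTAINTY_PERCENT):
        self.settings = settings
        self.period = period
        self.certainty = certainty
        self.windows = {level: deque() for level in settings}

    def observe(self, check):
        """Feed one check; return the level that reacts, or None."""
        cfg = self.settings[check.level]
        # A check below the certainty threshold is not counted at all.
        if check.certainty < self.certainty:
            return None
        window = self.windows[check.level]
        window.append(check.t)
        # Age out checks that fall outside the period (half-open window).
        while window and check.t - window[0] >= self.period:
            window.popleft()
        if len(window) >= cfg["checks"]:
            window.clear()
            # React = N means the count is reached but nothing is triggered.
            return check.level if cfg["react"] else None
        return None


def run(checks, **kwargs):
    """Replay checks in time order; return [(t, level), ...] per reaction."""
    monitor = ThresholdMonitor(**kwargs)
    reactions = []
    for check in sorted(checks, key=lambda c: c.t):
        level = monitor.observe(check)
        if level is not None:
            reactions.append((check.t, level))
    return reactions


# Constructed sample stream (not captured from a real system).
SAMPLE = [
    Check(0,  "SOME_INDICATORS", 70),
    Check(1,  "ALL_INDICATORS",  90),
    Check(2,  "ALL_INDICATORS",  90),
    Check(3,  "ALL_INDICATORS",  90),   # 3rd check within 30 s -> reacts
    Check(4,  "SOME_INDICATORS", 70),
    Check(8,  "SOME_INDICATORS", 70),
    Check(12, "SOME_INDICATORS", 70),
    Check(16, "SOME_INDICATORS", 40),   # below 50% certainty -> not counted
    Check(35, "SOME_INDICATORS", 70),   # checks at t=0 and t=4 have aged out
    Check(36, "SOME_INDICATORS", 70),
    Check(37, "SOME_INDICATORS", 70),   # 5th counted check in (7, 37] -> reacts
]

if __name__ == "__main__":
    for t, level in run(SAMPLE):
        print(f"t={t:>3}s  react: {level}")
```

Running the sample produces one reaction at t=3 for the all-indicators level and one at t=37 for the some-indicators level; the 40% check at t=16 is never counted, and the checks at t=0 and t=4 have dropped out of the 30-second window by the time the burst resumes. Passing `certainty=80`, `period=5` or a settings dict with `react` set to False for a level shows how each dashboard field suppresses a reaction on its own.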