Starting Anti-Ransomware
Log into your IBM i computer.
On the command line, type STRAR and press the Enter key.
The main Anti-Ransomware screen appears:
TPAR                       Anti-Ransomware                            RLDEV

Infection Prevention                     Reports
 1. How It Works                         41. Logs & Reports
 3. Threat Prevention Dashboard
 4. Reaction To Attack                   Setup
 6. Inclusion/Exclusion                  51. Activation
 7. Malware Honeypots                    52. Refresh Threat Information
 9. Simulate Attack
                                         Related Products
Resolving Attacks                        61. Object Integrity Control
11. Work with Detected Attacks           62. Antivirus
12. Work with ReCycle Bin                69. Other Related Modules

                                         Maintenance
                                         81. System Configuration
                                         82. Maintenance Menu
                                         89. Base Support

Selection or command
===>

F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
F13=Information Assistant   F16=System main menu
You can perform the following tasks from the options on this screen:
- Setting Reactions to Ransomware Attacks
- Excluding Files and Directories from Scanning
- Managing Default Honeypot Files
- Activating and De-Activating Ransomware Detection
- Updating Anti-Ransomware Definitions
- Simulating a Ransomware Attack
- Examining and Recovering Files in the Recycle Bin
Setting Anti-Ransomware Reactions to Suspected Attacks
To set the thresholds and durations for Anti-Ransomware responses, select 3. Threat Prevention Dashboard. The Threat Prevention Dashboard screen appears, as shown in Setting Thresholds for Ransomware Detection.
To set the methods by which Anti-Ransomware responds to alerts of different levels, select 4. Reaction To Attack. The Reaction To Attack screen appears, as shown in Setting Reactions to Ransomware Attacks.
Setting Inclusions and Exclusions
To set the names and extensions of files and directories that Anti-Ransomware should specifically include in or exclude from checks for ransomware, select 6. Inclusion/Exclusion from the main Anti-Ransomware screen. The Exclusions and Inclusions screen appears:
TPRANS                 Exclusions and Inclusions             iSecurity/ATP
                                                             System: RLDEV
Exclusions
 1. Files, Directories, Extensions to Exclude
    These objects will not be checked for Ransomware
    No Ransomware checks will be done

 5. Locally Safe File Extensions
    These objects will not be considered a result of Ransomware
    Use this when a known Ransomware extension is safe in your organization
    Other Ransomware checks will be done

Inclusions of Threats that were Just Published
11. Just Published Ransomware File name and Extension
    Use this to add Ransomware information that has just became public

Selection or command
===>

F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
F13=Information Assistant   F16=System main menu
To set specific files, directories, and extensions to exclude, select 1. Files, Directories, Extensions to Exclude from the Exclusions and Inclusions screen. The Files and Directories to Exclude screen appears, as shown in Excluding Files and Directories from Scanning.
To set specific extensions to exclude, select 5. Locally Safe File Extensions from the Exclusions and Inclusions screen. The Well-Known Extensions screen appears, as shown in Excluding Files by Extension.
To set specific file names and extensions to include, select 11. Just Published Ransomware File name and Extension from the Exclusions and Inclusions screen. The Ransomware Files and Extensions screen appears, as shown in Including Files by Name or Extension.
Managing Malware Honeypots
To define and manage malware honeypots, select 7. Malware Honeypots from the main Anti-Ransomware screen. The Malware Honeypots screen appears:
TPHONY                     Malware Honeypots                 iSecurity/ATP
                                                             System: RAZLEE3
Work with Honeypots
 1. Deploy Honeypots
 5. Setup Honeypot Template

Malware honeypots are sacrificial files. If they are accessed, this is
considered as a contributing sign that an attack takes place.
Most Ransomware accesses files sequentially. It is recommended to name
honeypot files in a way which will place them first in the folder list
(i.e. AAA 0011 etc.).
iSecurity honeypot files are recognized even if they are renamed or moved.

===>

F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
F13=Information Assistant   F16=System main menu
To set up and manage honeypots, select 1. Deploy Honeypots. The Deploy Honeypots screen appears, as shown in Setting Up Malware Honeypots.
To manage the default set of honeypots, select 5. Setup Honeypot Template. The Setup Honeypot Template screen appears, as shown in Managing Default Honeypot Files.
Activating and De-Activating Anti-Ransomware
To activate and de-activate real-time ransomware detection and to work with related jobs, select 51. Activation from the main Anti-Ransomware screen. The Activation screen appears:
TPACTV                        Activation                     iSecurity/ATP
                                                             System: RLDEV
Anti-Ransomware / Anti-Malware
 1. Activate Real-Time Detection
 2. De-activate Real-Time Detection
 5. Work with Subsystem ZRANSOM jobs
 7. Work with Subsystem QSERVER Jobs
 8. Work with Active QZLS* Jobs

Auto-Activation
11. Activate ZRANSOM Subsystem at IPL
12. Do Not Activate ZRANSOM SBS at IPL

Special Situations
21. Activate NETSERVER with RESET(*YES)
    Use this option if joblog for option 1 or 2 says that the restart failed.

Selection or command
===>

F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
F13=Information Assistant   F16=System main menu
To activate real-time detection, select 1. Activate Real-Time Detection. The Anti-Ransomware - Activation screen appears, as shown in Activating and De-Activating Ransomware Detection.
To de-activate real-time detection, select 2. De-activate Real-Time Detection. The Anti-Ransomware - De-Activation screen appears, as shown in Activating and De-Activating Ransomware Detection.
To manage jobs from the ZRANSOM subsystem, which Anti-Ransomware uses, select 5. Work with Subsystem ZRANSOM jobs. The Work with Subsystem Jobs screen appears, as shown in Working with ZRANSOM jobs.
To manage jobs from the QSERVER subsystem, which Anti-Ransomware uses, select 7. Work with Subsystem QSERVER Jobs. The standard Work with Subsystem Jobs screen appears, with information on the QSERVER subsystem.
To manage active jobs with names beginning with QZLS*, which Anti-Ransomware uses, select 8. Work with Active QZLS* Jobs. The standard Work with Active Jobs screen appears, showing jobs with names that begin with the string "QZLS".
Select 21. Activate NETSERVER with RESET(*YES) if NETSERVER fails to restart. This option forces a reset and restart of NETSERVER.
Displaying Anti-Ransomware Logs and Reports
To display logs and journaled information for Anti-Ransomware, select 41. Logs and Reports from the main Anti-Ransomware screen. The ATP Logs and Reports screen appears:
TPRPRT                    ATP Logs & Reports                 iSecurity/ATP
                                                             System: RLDEV
Logs                                     Query Wizard
 1. Display ATP Log                      41. Work with Queries
 5. Display Journal                      42. Run a Query

Anti-Ransomware                          Report Scheduler
11. Display Ransomware Compromised       51. Work with Report Scheduler
                                         52. Run a Report Group
Antivirus
21. Display Log (IFS)
22. Work with Log Directory (IFS)

Selection or command
===>

F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
F13=Information Assistant   F16=System main menu
To display Anti-Ransomware logs, select 1. Display ATP Log. The standard Display Audit Log Entries (DSPAULOG) screen appears, with the Audit Type field set to *BYENTTYP.
To display journaled information for Anti-Ransomware, select 5. Display Journal. The standard Display Journal (DSPJRN) screen appears, with the Journal field set to SMZV and the Library field set to SMZVDTA.
To display information on files that may have been compromised, select 11. Display Ransomware Compromised. The Display Ransomware Compromised (DSPRWCMP) screen appears, as shown in Displaying Ransomware Compromised Files.
Refreshing Threat Information
To manually refresh threat information, select 52. Refresh Threat Information from the main Anti-Ransomware screen. The Threat Information Refresh screen appears:
TPRFRS                Threat Information Refresh             iSecurity/ATP
                                                             System: RLDEV
 1. Refresh
 2. Schedule Refresh
 3. Refresh Log
 9. Display Last Refresh Time

Most current Ransomware does not use fixed extensions. It uses random ones
or ignores extensions completely. As such, the importance of Threat
Information is fading. iSecurity/Anti-ransomware continues to use it, but
also employs other methods in parallel.

Selection or command
===>

F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
F13=Information Assistant   F16=System main menu
NOTE: By default, threat information is automatically updated every two hours.
To refresh threat information on demand, select 1. Refresh. The Update ATP Definitions (UPDATPDFN) screen appears, as shown in Updating Anti-Ransomware Definitions.
To schedule a refresh of threat information, select 2. Schedule Refresh. The standard Work with Job Schedule Entries screen appears, with information on the job AV$UPDATP, which performs the update on schedule.
To display the most recent refresh log, select 3. Refresh Log from the Threat Information Refresh screen (STRAV > 52). The refresh log file appears in a file display window:
Browse : /SMZVDTA/log/ArRefreshLog.log
Record : 1 of 6 by 18                               Column : 1 66 by 131
Control :
....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8....+....9....+....0....+....1....+....2....+....3.
************Beginning of data**************
12-02-2025 07:00:01
Not using proxy
Success download from http://av.razlee.com/ransomware-fileext-list
Success download from http://av.razlee.com/fileextlist.txt
Success download all files
More details in /smzvdta/log/ArWget.log
************End of Data********************

F3=Exit   F10=Display Hex   F12=Cancel   F15=Services   F16=Repeat find
F19=Left   F20=Right
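A refresh that silently stops succeeding leaves the extension lists stale, so the refresh log above is worth checking from a monitoring job. The following is an added example (not Raz-Lee code) that reads ArRefreshLog.log text as laid out in the Browse screen, takes the timestamp to be DD-MM-YYYY HH:MM:SS (an assumption, consistent with the ISO date in the Details Of Last Refresh window), and uses the two-hour default refresh interval from the note above as the staleness threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the six records shown in the Browse screen of ArRefreshLog.log.
SAMPLE_LOG = """12-02-2025 07:00:01
Not using proxy
Success download from http://av.razlee.com/ransomware-fileext-list
Success download from http://av.razlee.com/fileextlist.txt
Success download all files
More details in /smzvdta/log/ArWget.log
"""

# Assumption: the run stamp is DD-MM-YYYY HH:MM:SS and may share a line with text.
TS_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{4}) (\d{2}):(\d{2}):(\d{2})")
MAX_AGE = timedelta(hours=2)  # default automatic refresh interval stated on the page
SUCCESS_PREFIX = "Success download from "

def parse_ts(line):
    """Return the datetime at the start of a log line, or None if it has no stamp."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    d, mo, y, h, mi, s = (int(x) for x in m.groups())
    return datetime(y, mo, d, h, mi, s)

def parse_refresh_log(text):
    """Return (last_run_time, urls_downloaded, all_files_ok) for the latest run."""
    last_ts, urls, all_ok = None, [], False
    for line in text.splitlines():
        line = line.strip()
        ts = parse_ts(line)
        if ts is not None:
            last_ts, urls, all_ok = ts, [], False  # new run: discard the previous run
        elif line.startswith(SUCCESS_PREFIX):
            urls.append(line[len(SUCCESS_PREFIX):])
        elif line == "Success download all files":
            all_ok = True
    return last_ts, urls, all_ok

def refresh_status(text, now, max_age=MAX_AGE):
    """Classify the latest refresh as 'ok', 'stale', 'failed' or 'no-run'."""
    last_ts, _urls, all_ok = parse_refresh_log(text)
    if last_ts is None:
        return "no-run"
    if not all_ok:
        return "failed"  # run started but never logged "Success download all files"
    return "stale" if now - last_ts > max_age else "ok"
```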
To display the time of the last update, select 9. Display Last Refresh Time. A window appears showing information on the update:
TPRFRS                Threat Information Refresh             iSecurity/ATP
                                                             System: RAZLEE3
 1. Refresh
   ..........................................................................
   :                      Details Of Last Refresh                           :
   :                                                                        :
   :  Source A: Last Update - 2020-02-12 - 17:39:28 - Extensions:2386 ;     :
   :            Files:769                                                   :
   :                                                                        :
   :                                                              Bottom    :
   :  F12=Cancel                                                            :
   :........................................................................:
===> 9

F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
F13=Information Assistant   F16=System main menu
Exiting Anti-Ransomware
To exit the Anti-Ransomware screen, press the F3 key.