ZRANSOM Subsystem and Its Jobs

For Anti-Ransomware to function, the ZRANSOM subsystem must be active. This subsystem manages the following two key jobs:

  • TPSRV Job

The TPSRV job is relevant when the "Check Ransomware Asynchronous" mode is enabled. In this asynchronous mode, the TPSRV job performs a significant part of the checks. By offloading these checks from the exit program to this job, the system significantly reduces the response time that a user experiences when accessing the IFS.

  • TPSNDBOX Job

The TPSNDBOX job plays a crucial role in minimizing false alerts. When a file is suspected of being compromised, it is passed to this job (if active) to determine whether it is genuinely compromised or just appears so (as some compressed files, such as PDFs, might). This job attempts to interact with the file to confirm its status.

Additionally, file operations that are not thread-safe, such as moving a file to the recycle bin and executing certain commands, are handled by this job rather than by the exit program.

Thread safety is required for Anti-Ransomware to work in multi-thread mode.

NOTE: Multi-threading provides benefits such as increased throughput, responsiveness, and resource efficiency. When multi-threading is active, the IBM file server runs as a single job. If the exit point is not thread-safe, multiple jobs are required instead, their number depending on the number of users and shares. To enable multi-threading, all exit programs added for Anti-Ransomware must be thread-safe and declared as such to the operating system.

NOTE: Asynchronous processing moves most checks outside the exit point. This significantly shortens the response time that the user experiences when accessing the IFS.

NOTE: False alerts cause inconvenience and encourage the user to disregard alerts or raise the threshold specified for alerts. Many modern programs create files that look compromised but are not; PDF files are a good example. Anti-Ransomware utilizes a sandbox to verify files that are suspected of being compromised. Files are tested in the sandbox to determine whether they are genuinely compromised or not. This feature significantly reduces false positive alerts.
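The following added example (not code from the product or its vendor) illustrates the two-stage idea behind the TPSNDBOX job described above: a cheap first-stage heuristic that flags high-entropy files as suspect, followed by a second stage that "interacts" with the file as its declared format demands, so a legitimately compressed PDF is cleared while a file that merely looks like random bytes is not. The entropy threshold, the PDF check and the sample files are assumptions constructed for the demonstration, not the product's actual logic.

```python
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, roughly 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_compromised(data: bytes, threshold: float = 7.5) -> bool:
    """First stage (hypothetical heuristic): high entropy is taken as a sign of encryption."""
    return shannon_entropy(data) >= threshold

def pdf_behaves_like_pdf(data: bytes) -> bool:
    """Second stage, the sandbox idea: use the file the way its format demands.
    A genuine PDF has a %PDF- header, a %%EOF trailer and a Flate stream that inflates."""
    if not data.startswith(b"%PDF-") or not data.rstrip().endswith(b"%%EOF"):
        return False
    start = data.find(b"stream\n")
    end = data.find(b"\nendstream", start)
    if start < 0 or end < 0:
        return False
    try:
        zlib.decompress(data[start + len(b"stream\n"):end])
    except zlib.error:
        return False
    return True

def classify(data: bytes) -> str:
    """Only a high-entropy file that also fails the format check is reported."""
    if not looks_compromised(data):
        return "clean"
    return "false-positive" if pdf_behaves_like_pdf(data) else "compromised"

# Constructed sample files (deterministic pseudo-random content, not real data).
def _noise(seed: int, size: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

TEXT_FILE = b"Quarterly figures are attached for review.\n" * 200
PDF_FILE = (b"%PDF-1.4\n1 0 obj\n<< /Length 4000 /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(_noise(1, 4000), 9) + b"\nendstream\nendobj\ntrailer\n%%EOF\n")
ENCRYPTED_FILE = _noise(2, 4000)  # how an encrypted file looks on disk: no structure at all

if __name__ == "__main__":
    for name, blob in [("report.txt", TEXT_FILE), ("scan.pdf", PDF_FILE), ("scan.pdf.enc", ENCRYPTED_FILE)]:
        print(f"{name}: entropy={shannon_entropy(blob):.2f} -> {classify(blob)}")
```

Without the second stage, scan.pdf would be reported alongside the genuinely unreadable file; with it, only the file that fails to behave like its format is escalated.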