Technical Advisory 18 (T9163) Ransomware Defender ECA cluster without Internet access has potential for false positives (2.5.3-18257)
In Release 2.5.3 of Ransomware Defender, a threat detector may match files that should not be considered Ransomware. This occurs only when the ECA cluster does not have Internet access.
Resolution: A new build of 2.5.3, build number 18257, is available for download now and addresses this issue without any requirement to connect ECA clusters to the Internet. Please open a support case and request assistance to apply the patch.
T4076, T4153 Time skew between browser client and Eyeglass appliance may result in unexpected value in the Active Events “Expires” column
The “Expires” time on the Ransomware Defender Active Events list (the Warning event Expiry time or the Major event Delayed Lockout Grace Period) is calculated from the timestamp on the Eyeglass appliance and the time on the browser client. If the two clocks are skewed, the calculation may produce an unexpected value in the Expires column, for example -1.
Resolution: Expires time is now displayed in hours and minutes.
T4759 Event Action History uses wrong time zone
The Active Events Detected time displays the date/time based on the client browser settings but the Event Action History uses a different timezone.
Resolution: Active Events and Event Action History now both display date/time based on client browser settings.
T4945 Snapshot Delete Action may not log all deleted Snapshots
When you execute the Delete Snapshot action from the Ransomware Defender Event History, the list of deleted snapshots may be missing some snapshots even though they were actually deleted.
Resolution: Event History now logs all snapshot deletes.
T3724 Manage Services state may not be accurate when connection to Isilon Cluster HDFS is down
If there is a connectivity issue between the Eyeglass ECA and the Isilon cluster HDFS, the Manage Services state is inconsistent and may display as OK, WARN or ERROR.
Resolution: Connectivity issue now shows as ERROR.
T4151 Action Window Event Action History does not show Unreachable Cluster
In the event that a Cluster is unreachable during a Lockout operation, the Active Event state will correctly show ERROR and the Event Action History will show “Partially Locked out” but does not display the cluster that was unreachable or the shares that could not be locked out.
Workaround: Manually inspect the clusters that were locked out. For any managed cluster missing from the list, review its shares, determine which ones the affected user has access to, and manually block access.
T3732 Restored permission may be incorrect for consecutive lockouts
In the event that user share access has been locked and subsequently restored and another lockout occurs before Eyeglass inventory has run, the “restore” permissions associated with shares may be the lockout settings from the previous lockout.
Workaround: Permissions should be restored manually by removing the deny permission for the affected user. Use the Event Action History to determine the affected shares.
T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates
The Ransomware Defender Job History “Run Date” is based on the Eyeglass appliance time zone whereas the Event History “Detected” date is translated to the client browser locale.
Workaround: Translate date for 1 of the dates to the time zone of the other date to correlate Security Guard Jobs to events in the Event History.
T4337 Modifying Ransomware Defender Settings or Running the lock root command removes lock root settings
Lock root settings applied using the command
igls admin lockroot --lock_root
are lost each time a change is made to Ransomware Settings or the igls admin lockroot command is run. If lock root was enabled it becomes disabled.
Workaround: Each time a Ransomware Settings change is made, the lock root setting must be reapplied manually. Please contact support.superna.net for assistance.
T4537 Flag as False Positive feature does not properly flag the false positive
The Flag as False Positive action option does not properly flag the user as a false positive.
Workaround: The Flag as False Positive feature is delivered in 2.5.3. Please refer to the documentation here for details.
T4777 Snapshots not created for any Events that are Active when the Snapshot feature is enabled
If there are any Active Events when the Create Snapshot option is enabled, no Snapshots will be created for these already Active Events.
Workaround: Enable the Create Snapshot option when there are no Active Events. Events raised after the Create Snapshot option was enabled will have associated Snapshots created for affected shares.
T4819 Empty Event History List
There may be conditions where having other windows open, such as the Event Action History, results in the Event History list being displayed with no entries.
Workaround: Close all Ransomware Defender related windows and then re-open the Ransomware Defender -> Event History tab.
T4950 Alarm text for failed Snapshot delete references Snapshot create
The alarm that is raised when a Snapshot delete fails contains the text “Failed to create snapshots” instead of “Failed to delete snapshots”.
Workaround: Check the Action Log for the event to determine whether a snapshot create or delete has failed.
T4955 Subsequent Create Snapshot action will delete reference to previously created snapshots if an error occurs during the create
The Create Snapshot action can be executed multiple times for a given event. If it has been run previously and then run again and the subsequent run has an error on creating any snapshot, the Snapshots list only contains the snapshots from the last run. Previously created snapshots are no longer displayed.
Workaround: Check the Event Action History log for complete list of created snapshots.
T5024 Major Events may reappear in the Active Events list after being recovered
An event which crosses the Major threshold and is recovered to Historical Events without being locked out (Stop lockout timer) may appear in the Active Events list again immediately after being recovered (Mark as recovered).
Workaround: Stop the lockout timer and Mark the event as recovered again. This may have to be repeated several times. Locking the affected user out followed by Restore User Access and then archiving the event as recovered may also resolve this issue.
T5756 Error on restoring permissions does not raise an alarm
If the permissions restore action encounters an error, there is no associated alarm notification.
Workaround: Review the Action History for the Event to confirm that all restores were successful.
T5954 Events that are promoted to Major due to multiple event “Upgrade to Major” are locked out immediately
For the case where there are multiple Warning events that cross the “Upgrade to Major” limit, when they are promoted to Major they are locked out right away instead of waiting for the configured Grace Period before locking out.
Workaround: The occurrence of this behaviour can be reduced by setting the “Upgrade to Major” threshold to a high number of users.
T6728 Extensions with special characters cannot be removed from the ignore list
Extensions containing special characters that have been added to the extension ignore list using the igls rsw allowedfiles add --extensions command cannot be removed from the ignore list using the igls rsw allowedfiles remove --extensions command.
Workaround: Contact Superna Support at support.superna.net to assist with removing these extensions.
T7062 User may not be locked out in a multi-user security event
During a multi-user lockout, a user may be only partially locked out because the Isilon cluster returned an error during user resolution in Active Directory. In this case the error is not displayed in the Eyeglass Event History.
Workaround: The Event History contains the shares that were successfully locked out. If events continue to be generated against the user for the unlocked share, it may be locked out as a result of a subsequent event. The user may also be locked out manually by adding the deny permission to the share that was not locked out.
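The two advisories above (T3732 and T7062) both come down to lockout bookkeeping: what pre-lockout state is recorded as the restore target, and whether a per-share failure is surfaced or dropped. The following Python model is added here as an example and is not Superna's code. It reproduces the stale-inventory restore (lock, restore, lock again before inventory has run, restore again) and shows a variant that reads the ACE live and never records a deny as the restore target; it also runs a two-user lockout in which one user fails AD resolution and the record reports the shares it could not lock. FakeCluster, ResolutionError, the share names and the user names are constructed stand-ins; nothing here calls a real Isilon or Eyeglass API.

```python
"""Added example (not Superna's code): in-memory model of share lockout/restore
bookkeeping.  Cluster, shares, users and the resolution error are constructed."""
from dataclasses import dataclass, field
import copy

DENY, ALLOW = "deny", "allow"


class ResolutionError(Exception):
    """Stand-in for the cluster returning an error while resolving an AD user."""


class FakeCluster:
    """Constructed stand-in for a storage cluster.  acls maps share -> {user: perm}.
    Any ACL write for a user listed in fail_users raises ResolutionError."""

    def __init__(self, acls, fail_users=()):
        self.acls = {share: dict(aces) for share, aces in acls.items()}
        self.fail_users = set(fail_users)

    def get_ace(self, share, user):           # live read of the current ACE
        return self.acls[share].get(user)

    def set_ace(self, share, user, perm):
        if user in self.fail_users:
            raise ResolutionError(f"cannot resolve {user}")
        self.acls[share][user] = perm

    def remove_ace(self, share, user):
        self.acls[share].pop(user, None)

    def inventory(self):                      # periodic cached copy of all ACLs
        return copy.deepcopy(self.acls)


@dataclass
class LockoutRecord:
    user: str
    restore_state: dict = field(default_factory=dict)  # share -> pre-lockout ACE
    locked: list = field(default_factory=list)         # shares actually denied
    failed: dict = field(default_factory=dict)         # share -> error text

    @property
    def partial(self):
        return bool(self.failed)


def _apply_denies(cluster, rec, shares):
    for share in shares:
        try:
            cluster.set_ace(share, rec.user, DENY)
            rec.locked.append(share)
        except ResolutionError as e:
            rec.failed[share] = str(e)        # surfaced in the record, not swallowed
    return rec


def lockout_from_inventory(cluster, inventory, user, shares):
    """T3732 behaviour: the restore target comes from a cached inventory, which
    may still hold the deny written by an earlier lockout."""
    rec = LockoutRecord(user)
    for share in shares:
        rec.restore_state[share] = inventory[share].get(user)
    return _apply_denies(cluster, rec, shares)


def lockout(cluster, user, shares):
    """Safer variant: read the ACE live just before writing the deny, and never
    record a deny as the restore target (treat it as 'no explicit entry')."""
    rec = LockoutRecord(user)
    for share in shares:
        before = cluster.get_ace(share, user)
        rec.restore_state[share] = None if before == DENY else before
    return _apply_denies(cluster, rec, shares)


def restore(cluster, rec):
    """Put back the recorded pre-lockout ACE on every share that was actually locked."""
    for share in rec.locked:
        prev = rec.restore_state[share]
        if prev is None:
            cluster.remove_ace(share, rec.user)
        else:
            cluster.set_ace(share, rec.user, prev)


def consecutive_lockout_demo(use_inventory):
    """Lock, restore, lock again before inventory refreshes, restore again.
    Returns alice's final ACE: ALLOW when correct, DENY when the stale state leaked."""
    alice = "DOMAIN\\alice"
    cluster = FakeCluster({"data": {alice: ALLOW}})

    def lock(inv):
        if use_inventory:
            return lockout_from_inventory(cluster, inv, alice, ["data"])
        return lockout(cluster, alice, ["data"])

    first = lock(cluster.inventory())         # inventory is fresh: alice allowed
    stale = cluster.inventory()               # inventory runs while the deny is in place
    restore(cluster, first)
    second = lock(stale)                      # second lockout before inventory runs again
    restore(cluster, second)
    return cluster.get_ace("data", alice)


def multi_user_demo():
    """T7062 shape: eve fails AD resolution on every share; her record reports a
    partial lockout with the failed shares instead of looking like a success."""
    bob, eve = "DOMAIN\\bob", "DOMAIN\\eve"
    cluster = FakeCluster({"data": {}, "home": {}}, fail_users=[eve])
    return [lockout(cluster, u, ["data", "home"]) for u in (bob, eve)]


if __name__ == "__main__":
    print("stale inventory restore leaves:", consecutive_lockout_demo(True))
    print("live read restore leaves:", consecutive_lockout_demo(False))
    for rec in multi_user_demo():
        print(rec.user, "partial" if rec.partial else "complete", rec.failed)
```

The point of the live-read variant is that the restore target is captured in the same step that writes the deny, so there is no window in which a periodic inventory can supply stale data; the "never record a deny" rule is a second guard in case the live ACE itself is a leftover from an earlier lockout. Surfacing per-share failures in the record is what lets an operator (or an alarm) act on a partial lockout rather than discovering it when events keep firing against the unlocked share.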
T7190 Active Events may show State of Warning instead of Monitor when Monitor Mode is enabled
When Monitor Mode is enabled, the event state in Active Events may incorrectly display as Warning instead of Monitor.
Workaround: None Required. This is a display issue only. Verify that Monitor Mode is enabled on the Ransomware Defender / Settings tab.
T7525 Affected Files also shows Active Auditor Affected Files
When viewing the Affected Files for a Ransomware Defender security event, any files associated with an Active Auditor event that occurred at the same time are also displayed.
Workaround: Download the csv file and use the path associated with the Ransomware Defender event from the GUI to filter the results.
T8437 Security Event Affected Files csv may not contain all Affected Files
The csv downloaded for an Active Auditor event may not contain all Affected Files (the download is limited to 50,000 records).
Workaround: If the Easy Auditor product is also installed, use the Report Query Builder to build a custom report, taking the relevant user, path and time period from the event information in the Ransomware Defender GUI.
T8715 Allowed file configuration to ignore well known extensions not preserved on upgrade from 2.5.2 to 2.5.3
If Ransomware Defender has been configured to ignore well known Ransomware extensions using the igls rsw allowedfiles command, the configuration is lost on upgrade.
Workaround: Prior to upgrade, run the igls rsw allowedfiles command on the Eyeglass appliance and record the current 2.5.2 settings. After upgrading to 2.5.3, use the igls rsw allowedfiles add --extensions command as documented here to reconfigure.
T4197 Security Guard Error for Unlicensed Cluster
Security Guard fails when the Isilon Cluster selected to run against is not licensed.
Ransomware Defender dynamically picks which Isilon Clusters to license by priority (refer to the Eyeglass Ransomware Defender Admin Guide for details on selection of the licensed cluster). When Eyeglass is managing more clusters than there are Ransomware Defender Agent Licenses, there is therefore no guarantee that the Cluster selected in Security Guard is actually licensed at run time.
Workaround: Deploy same number of Ransomware Defender Agent Licenses as the number of Isilon Clusters being managed by Eyeglass.
T8889 Cannot enable Security Guard with default schedule on a newly deployed 2.5.3 ovf
The drop down list to schedule Security Guard has an invalid default.
Workaround: Click the drop down and set a valid schedule.
T4228 Security Guard Temporary Errors
Security Guard may occasionally error with 0 files written.
Workaround: This condition typically clears itself on the next Security Guard run. It does not affect the workflow for a real security event.
If it does not clear, follow these steps to recover:
Archive as Unresolved
Run Security Guard manually to ensure that it is operational again.
T4965 Security Guard User Authentication Fails
When provisioning the Security Guard Active Directory User and password, Eyeglass checks that the username and password entered can be successfully authenticated. On initial configuration you may see the message “user could not be authenticated” even though the username and password are correct.
Workaround: After confirming that the username and password are correct, subsequent provisioning is successful.
T7574 Flag as False Positive Option should not be available for Security Guard Events
Security Guard provides automated end to end validation of Ransomware detection, lockout and restore, and its events therefore should not be flagged as false positives. The Flag as False Positive option is currently selectable for Security Guard events and should not be.
Workaround: A manual process is required to prevent Flag as False Positive being applied to Security Guard events.
T4192 Manage Services status not accurate after ECA Node Down
After an ECA node has been powered off or gone down, then powered back on and rejoined to the ECA cluster, it continues to display the Inactive state in the Eyeglass Manage Services window even when it is active again and healthy.
Workaround: Once the node is back up, remove it from the Manage Services window by selecting the X in the node’s row. Wait 1 to 2 minutes and the service should be rediscovered with the correct state.
T4230 Blank Ransomware Defender Window
After archiving an Event the Ransomware Defender window tabs may appear empty.
Workaround: Close and reopen the Ransomware Defender window.
T4183 Refresh does not work for Ransomware Defender multi-page lists
A Ransomware Defender window with multiple pages is not updated by Refresh, except for the first page.
Workaround: To update the list go back to the first page of the list.
T4336 Eyeglass Restore does not restore Security Guard Job History
Security Guard historical log files are not restored when you restore configuration from backup.
Workaround: None available.
T4549 Ransomware Defender Settings Submit button enabled when no changes made
When the Ransomware Defender Settings window is opened the Submit button is enabled even though no changes have been made to any settings. If you navigate to another view and come back to Settings, the Submit button is then correctly disabled until a change is made on the page.
Workaround: None required.
T6617 Isilon Directory Selector does not display hidden directories
Directories that start with a dot (.) are not displayed in the Isilon Directory Selector.
Workaround: Use the Isilon Directory Selector to enter /ifs/ and then type the remainder of the path manually.
T8807 Deleting cluster from Eyeglass does not clear associated Ignore List and Wiretap settings
When an Isilon cluster is deleted from management in Eyeglass, any associated Ransomware Defender Ignore List or Wiretap settings are not cleared.
Workaround: Manually delete Ignore List and Wiretap settings for deleted clusters.
T6914 Some extensions still result in lockout when added to the ignore list
For the following well-known extensions, a lockout will still occur even if these extensions have been added to the extension ignore list using the igls rsw allowedfiles add --extensions command:
Workaround: Alternate Ignore capabilities for User, Path or IP address documented here may be used to workaround this issue.
T7191 SMB service not enabled when access restored when lockroot is true
If you have Ransomware Defender configured to disable the SMB service when a root user event is detected (see the Ransomware Admin guide here, section Securing Root User on Isilon), the SMB service is not automatically enabled when you restore user access.
Workaround: Manually enable SMB service on Isilon once access is restored and you are ready to resume file access for SMB users.
T7670 Restoring user access via CLI does not update status of Security Event in the GUI
If you have restored user access after a lockout using the CLI command "igls rsw restoreaccess set --user=DOMAIN\\user ", the associated Security Event in the GUI will not be updated and remain in active state.
Workaround: Open the Actions window for the active event, enter a comment that access has been manually restored and then archive the event.
T8744 No event processing once Signal Strength passes 2 times Critical Threshold
Once a Security Event or Active Auditor event has passed two times the Critical threshold configured in Ransomware Defender Settings, there is no further processing of Signals for the associated user. In all cases the actions based on the Critical threshold settings would already have been taken before the 2x level is reached.
Where both Ransomware Defender and Easy Auditor are licensed, reaching a processed Signal count of two times the Ransomware Critical threshold for a particular user stops event processing for both Ransomware Defender and Active Auditor. This would only be a factor in the unlikely event that a Ransomware Security event and an Active Auditor event (Mass Delete, DLP) occurred at the same time for the same user.
Workaround: None Available.
T8986 NFS export lockout cannot be restored
An NFS export that has been locked out because Ransomware Defender detected a security event cannot be restored using Superna Eyeglass. You are able to select the Restore option and the Event History indicates that the permissions are restored, but the NFS export remains in a read-only state.
Workaround: On lockout, NFS clients are moved to "Always Read-Only Clients". They will need to be manually moved back to the correct access type by modifying the export with the Isilon GUI or CLI.