Ransomware Prevention Question Windows Servers 2019-2022
Stuartm
Newbie ✭
Hi all
We have pretty much moved all clients to Capture Client due to everything I heard about it and SentinalOne and how well it has worked to prevent Ransomware. I don't seem to be able to get a straight answer anywhere if this feature should be and can safely be enabled for file servers. My biggest concern is to do all we can to prevent against Ransomware attacks.
I have the rollback feature enabled on all endpoints but not servers yet. VSS is enabled and set to automatic on all desktops. So what if anything should/could be done safely when it comes to servers? What about app servers where you can be running SQL, or servers with10-100TB - I am unclear on what is included in the rollback and if it could blow up servers or Domain Controllers.
Anyone have any experience SOLID/Accurate info on this?
Secondly - I have concerns with the problems I have seen with the client where it often requires manual removal on endpoints 3.7.4-3.7.9 where you need to boot in safe mode. I have never booted a prod server, Domain Controller/appservers or otherwise to safe mode and have concerns with running Capture on some windows servers for this reason. What is the general consensuis and experience/issues encountered with how challenging it could be to uninstall broken Capture Client agents from Windows servers?
Thanks all!
Answers
Disclaimer: I have no experience with Capture Client.
From: https://www.sonicwall.com/support/knowledge-base/capture-client-rollback-function/210419085519140/
What is Rollback?
Rollback function available with Capture Client restores the endpoint to the last available snapshot, undoing the changes made by the threat. Snapshots are created using Microsoft Windows Virtual Shadowcopy Services (VSS). This option is the most effective response for ransomware mitigation and disaster recovery.
VSS is used by probably 99% of agent-based backup solutions. I'd have no concern enabling CC 'rollback' features for simple servers like DCs, file servers, printer servers, small databases. More complex servers like large databases, 'application X', I'd inquire with support on their recommendations for an 'automated rollback'. Most likely the more complex servers won't be too happy with it and support would recommend not doing automated rollbacks.
Proper Disaster Recovery plans and procedures should not rely on 'automated rollbacks', but it can be used to supplement.
As far as Safe Mode on Windows Servers: these days theres little to no concern. Modern OS' are MUCH more stable than older ones. Having to boot into Safe Mode is only worrisome because programmers have gotten lazy and cannot be bothered to write software that does what its supposed to when you ask it to uninstall.