Hi,
Thank you for the informative reply. I will test this further, but I'm afraid that it will be difficult to define a 'normal' file server usage pattern. I will also take a good look at the other features of EventSentry.
Best greetings,
Koen
Hello Koen,
This method primarily targets high volumes of file activity. However, the article already mentions that it may not be suitable for file servers:
"This doesn’t work so well on a file server, where potentially hundreds of users are constantly modifying files. It would take some time to come up with a good baseline (how many file modifications are considered ‘normal’)."
You could consider adjusting the alert threshold. For instance, if users typically copy a folder containing 50 pictures, try increasing the Threshold Interval from 30 to 55.

If copying pictures is a frequent occurrence for your users, it might be worth filtering out .jpg extensions to reduce unnecessary alerts.
Keep in mind, this is a "nuclear" approach. It monitors any file activity exceeding 30 changes within 3 minutes, and it cannot distinguish between ransomware encryption and regular file copying. Any event that meets the criteria will trigger an alert.
For a more refined solution, check out this better approach outlined in the article HERE. Additionally, the full-featured version of EventSentry is now available for free for home labs. You can request your license HERE.
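The threshold rule discussed in this reply (30 changes within 3 minutes, raised to 55, or with .jpg excluded), as an added illustration that is not EventSentry's own code: a per-user sliding-window counter run over constructed audit events, showing which of the two adjustments keeps a bulk photo copy quiet while a larger burst still alerts. The event tuple format and the fire-once-per-burst behaviour are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, path) standing in for
# file-system object-access audit records; not real log data.
def make_events(start, user, count, ext, spacing_s=1):
    return [(start + timedelta(seconds=i * spacing_s), user, f"\\\\srv\\share\\file{i}{ext}")
            for i in range(count)]

T0 = datetime(2024, 1, 1, 10, 0, 0)
PHOTO_COPY = make_events(T0, "alice", 50, ".jpg")                            # camera dump
BULK_REWRITE = make_events(T0 + timedelta(minutes=10), "mallory", 60, ".docx")  # larger burst
SAMPLE = PHOTO_COPY + BULK_REWRITE

def find_alerts(events, threshold=30, interval=timedelta(minutes=3), excluded_exts=()):
    """Return (user, timestamp) pairs where a user's file changes reached
    `threshold` inside a sliding window of `interval`. Paths whose extension
    is in `excluded_exts` are ignored entirely. Fires once when the count
    first reaches the threshold (assumed behaviour, not EventSentry's)."""
    windows = {}   # user -> deque of timestamps currently inside the window
    alerts = []
    for ts, user, path in sorted(events):
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in excluded_exts:
            continue
        q = windows.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > interval:   # drop events older than the interval
            q.popleft()
        if len(q) == threshold:
            alerts.append((user, ts))
    return alerts

def alerting_users(**kwargs):
    """Users that trip the rule under the given threshold / exclusion settings."""
    return [user for user, _ in find_alerts(SAMPLE, **kwargs)]

if __name__ == "__main__":
    print("default 30/3min:  ", alerting_users())
    print("threshold 55:     ", alerting_users(threshold=55))
    print("exclude .jpg:     ", alerting_users(excluded_exts=(".jpg",)))
```

Note that raising the threshold suppresses every burst smaller than the new value, whereas an extension filter only affects the file types listed, so the two adjustments trade off differently against the ransomware case.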
Koen Gryspeerdt
Hi,
I am testing EventSentry Light as a tool to detect and stop ransomware. I followed the procedure as described in ‘Defeating Ransomware with EventSentry & Auditing (Part 3/3)’. This seems to stop ransomware, but the number of false positives is way too high. As soon as a user copies a relatively large number of files to the server (e.g. a series of photos from a camera) this is also detected as ransomware. Am I missing something?
Best greetings,
Koen