We are happy to introduce a new feature to our WithSecure Elements EPP for Servers product, called Server Share Protection, which significantly enhances the existing ransomware protection.
Background
For several years, our products have provided outstanding protection against ransomware and other malware with our award-winning detection technologies. DeepGuard and, more recently, DataGuard have protected our customers against advanced threats, including ransomware, guarding both workstations and servers against malicious modification of files and protecting customer and other business-critical data.
These protections work best when both servers and endpoints have managed Endpoint Protection installed, such as WithSecure™ Elements Endpoint Protection, but additional protection is needed if the endpoint is unmanaged. As an example, the organization might allow users to connect to their file-servers with their own devices, known as “Bring Your Own Device”, or more simply BYOD.
Traditional anti-malware solutions analyze actions on the device itself, protecting the user from malware on that device. WithSecure™ Server Share Protection works differently: it monitors server activity originating on another device, such as a BYOD device, and protects against those activities before they infect the files on the server.
It can also revert any changes the user has made to server content during the current session, effectively cancelling everything the user has done. In addition, the user can be blocked from making further changes. This protection works even when the bad activity, whether from malware or from the user, is happening on a device without WithSecure protection.
How it works
This new feature helps protect network file-shares, by monitoring activity on those shares. It can catch malicious actions that originate on connected devices, and by doing this, can help prevent the spread of the malware to other devices in the organization’s network / environment. This is especially important in protecting network shares from advanced malware such as ransomware.
But that’s not all. With the latest technologies that have been added to the Elements EPP for Servers product running on Windows Servers, it is possible to immediately return the content to the last known-good version. This means that if a workstation does get infected by ransomware, files on the server are not compromised.
Many other anti-malware vendors handle the rollback by using functionality built into Windows, called Shadow Copies. This requires that there is a large amount of extra disk space allocated for a full backup of the data, which naturally requires more hardware investments.
WithSecure have noticed that in many cases ransomware or other malware will actively try to disable this functionality, rendering the Shadow Copy backups unusable. WithSecure’s approach is novel, as it only backs up what is needed, and only for the period when it is needed. If the previous version needs to be restored, this backup data is used; otherwise it is removed, releasing the storage space it occupied and removing the need for additional hardware investments for extra storage space.
And because of the way the new functionality works, the user of the connected device can be blocked from writing further changes to the file server, preventing any outbreak from becoming worse.
Visibility of attacks
Advanced reporting of the problem to the organization’s Security Administrator will help to identify the root cause and actually fix the problem without needing to disconnect or reimage a large number of computers on the organization’s network. With Server Share Protection, the administrator will be able to get a comprehensive view of what happened and when, allowing them to take appropriate action, whether that is blocking the user or device, training the user in better ways to use the system, or installing missing anti-malware or endpoint protection software on the device.
If the original content was restored, the administrator will also see that.
The new technology comes as an addition to the existing layered protection against ransomware and other advanced threats provided by WithSecure, and supplements and enhances those layers to bring our best-ever protection for servers. Cloud transformation projects can also be protected by our Elements Collaboration Protection product, which extends the protection to cloud-based Microsoft SharePoint and OneDrive file storage and shares.