- Compare Editions
- Product Information
PA File Sight can detect and protect against ransomware attacks caused by infected client computers that encrypt server files.
Detection happens via simple detection methods used by other products, as well as more advanced options. Once a ransomware attack is detected, the server is protected and information is shared with other servers so they are protected as well.
Behavior analytics / activity monitoring
Real-time rules check all file I/O
Real-time alerts, including IP address
Only allow Trusted Applications to run
Automatically block infected users from the server
Servers forward warnings to other servers
Read the step-by-step guide for setting up ransomware detection and protection using PA File Sight.
PA File Sight is a key piece of a layered security model. Servers need anti-virus and other products to protect them from direct attacks from software running on the server. PA File Sight adds a layer of protection by protecting server files from infected client computers that may attempt to encrypt or delete those files.
Some simple products create hidden folders with specific files that users should not touch. Anything that touches those files is considered a threat and alerted on. If the hackers that write the ransomware decide to not encrypt hidden files and folders, this detection method will fail. PA File Sight can support this simple method, but it also supports more robust detection methods.
Sometimes ransom notes with particular file names will be saved to the folder during a ransomware attack. Sometimes the files will be encrypted with a specific file extention (like Resume.docx.encrypted). Simple ransomware detectors watch for these cases, but this won't catch new variants of ransomware that come out later. PA File Sight supports this method, but it can also do better.
Ransomware attacks occur when a compromised client computer:
PA File Sight's advanced monitoring technology watches for a client computer doing reads and writes of many files in a short period of time, and runs alerts when the pattern is seen.
This feature is only available in the Ultra Edition. Compare Ultra vs Lite to see the differences.
The Trusted Application feature checks all file access against a list of rules. This includes when an application is trying to start, which means you can whitelist those applications that are safe, or that act in a safe manner.
PA File Sight can block the client account so it cannot access any more files on the server using the Add to Blocked User List action. This will prevent the compromised client account from accessing files on the server, without affecting other legitimate users still using the server.
Every read, write, delete and move/rename is checked against a list of rules. These rules can consider the file's path, the process accessing the path, what company created the process, whether it is digitally signed, what group the user is in and many more options. These checks are very fast. If file access is blocked alerts can be sent to IT administrators. The Lite version can run these rules on the server. The Ultra version can run them on the server, and also on client computers with the light weight Endpoint agent.
The Blocked Users List is actively shared among servers protected by the same PA File Sight installation, so other servers can be protected from the compromised client before it even attacks them.
PA File Sight can alert system administrators about the attack with critical information such as the user account involved, and the client's IP address/computer name, giving system administrators a quickly respond and investigate.
“Hands down your company is the BEST vendor I have ever worked with in my 41 years working in IT.”Karla P., Northwestern Energy, USA