Automatically Block Ransomware Infected Users From the Server
An important approach to protecting a server from ransomware is to automatically stop the compromised user account from harming any more files. This can be done with the Add to Blocked User List action. You can find more information here:
If you add this action to the above monitors, then as soon as the monitor fires actions, the user account that triggered the action will get added to the Blocked User List, and all attempts they make to create, read, write or delete files on the server will be blocked. The account will also get blocked on other drives that are monitored by PA File Sight within the same installation, including those monitored by Satellites.
IMPORTANT: The Blocked User List is a powerful tool. It can block a compromised account while allowing other normal users to continue working with the server without them knowing anything is wrong.
However, if an important user account is blocked, such as a service account used by a database, it can cause problems for other software and other users. So it is important to do everything possible to reduce false positives.
One way you can reduce false positives is to test. There should be two Add to Blocked User List actions. One of them has the word "TESTING" added to the name. This action is completely safe - it will act just like the normal action, but it won't actually block the triggered user account. With this in place, you can test your monitors for a few days to make sure nothing triggers them that shouldn't. If you do get a false positive, you can probably fix it by changing an Ignore setting above.
So, go to all of the monitors you created above, and click the Actions button on each. Add the "Add to Blocked Users List - TESTING" action to the monitor.
Once a PA File Sight monitor has an Add to Blocked User List action attached to it (even the TEST version), it will show a warning to remind you that this monitor can block user access.
IMPORTANT: We highly recommend adding an Email action to any monitor that has an Add to Blocked User List action so IT is aware when any account is added to the list. The monitor will warn you if there isn't an email action attached.