Automatically Block Ransomware-Infected Users From the Server

An important approach to protecting a server from ransomware is to automatically stop the compromised user account from harming any more files. This can be done with the Add to Blocked User List action. You can find more information here:

https://www.poweradmin.com/help/latestfshelp.aspx?page=action-add-to-blocked-users-list.aspx

If you add this action to the above monitors, then as soon as the monitor fires actions, the user account that triggered the action will get added to the Blocked User List, and all attempts they make to create, read, write or delete files on the server will be blocked. The account will also get blocked on other drives that are monitored by PA File Sight within the same installation, including those monitored by Satellites.

IMPORTANT: The Blocked User List is a powerful tool. It can block a compromised account while allowing other normal users to continue working with the server without them knowing anything is wrong.

However, if an important user account is blocked, such as a service account used by a database, it can cause problems for other software and other users. So it is important to do everything possible to reduce false positives.

One way you can reduce false positives is to test. There should be two Add to Blocked User List actions. One of them has the word "TESTING" added to the name. This action is completely safe: it will act just like the normal action, but it won't actually block the user account that triggered it. With this in place, you can test your monitors for a few days to make sure nothing triggers them that shouldn't. If you do get a false positive, you can probably fix it by changing an Ignore setting above.

So, go to all of the monitors you created above, and click the Actions button on each. Add the "Add to Blocked Users List - TESTING" action to the monitor.

[Image: Testing PA File Sight's Blocked User action]

Once a PA File Sight monitor has an Add to Blocked User List action attached to it (even the TESTING version), it will show a warning to remind you that this monitor can block user access.

[Image: Reminder that users can be blocked from the server]

IMPORTANT: We highly recommend adding an Email action to any monitor that has an Add to Blocked User List action so IT is aware when any account is added to the list. The monitor will warn you if there isn't an email action attached.
