Hi Luca! There are two components that are targeting ransomware in the Defender ecosystem. First is the FlashCore Module, which is specific to the hardware in place. It has a basic capability as it is processing data as it is written to the storage. This monitors for specific markers such as entropy and encryption in real time, mainly looking at the metadata of the files being written. Going deeper, within Defender, there is the Copy Data Manager software that can manage the snapshot process of your data, create SafeGuarded Copies, and then, using its built-in "Security Scan", will mount up the snapshot and perform a complete scan of the content itself, not just the metadata, looking for signs of corruption due to ransomware. This method offers 99.99% accuracy, almost completely eliminating false positives and negatives. Once a scan is complete, the SafeGuarded Copy is stamped as clean and is usable to recover in the event of a ransomware attack.
------------------------------
Joseph Hand
------------------------------
Original Message:
Sent: Sat June 22, 2024 10:06 AM
From: Luca Ortolan
Subject: Storage Defender
Hi everyone, I've just watched a couple of webinars but I still have some doubts about the main features of the product. Firstly, I don't understand where the ransom detection happens... does Defender analyse the vmdk (at storage level) or the vm writes (hypervisor level), and how can it detect ransom? Does it use an encryption detection algorithm? Thank you everyone!
------------------------------
Luca Ortolan
------------------------------