Peer's Malicious Event Detection (MED) real-time engine can spot unwanted activity being executed on storage platforms by ransomware, viruses, malware, hackers, or rogue users. MED technology provides alerting capabilities, as well as the ability to minimize the amount of encrypted or deleted content from being replicated to remote locations. Once MED is enabled and jobs are restarted, these capabilities apply to all jobs. For more information, see Introduction to Peer MED.
Peer MED deploys three different mechanisms for spotting malicious activity, each of which can be enabled and tuned independently. These settings are configured on a global level.
To view and modify these settings,
1.From the Window menu, select Preferences.
2.Select MED Configuration in the navigation tree.
The following page is displayed.
3.Select the Enable Default Settings or click Show Advanced Settings.
If you selected Show Advanced Settings, the following is displayed.
4.Modify the options as needed:
•Trap Folders Advanced Options
5.Click OK.
Primary MED Options
The main options are as follows:
Enable Default Settings |
Enables/disables Peer MED using default settings. By default, all three MED mechanisms are enabled. |
Show/Hide Advanced Settings |
Shows/hides options for each of the three MED mechanisms. |
Enable Malicious Event Detection (MED) |
The master on/off switch for MED. If unchecked, all MED mechanisms will be disabled. |
Restore Default Settings |
Restores all defaults across the three MED mechanisms. |
Bait File Advanced Options
Bait files are files of common types, inserted into the file system in a way that hides them from users. Though hidden, these bait files are likely to be accessed by automated processes (like ransomware) or by mass deletions of entire folder structures. As soon as these files are touched, an action is triggered.
The options for bait files are:
Enable Bait Files |
Enables/disables bait file creation and monitoring. |
Add Bait Files to shares |
At the start of each job, creates bait files under the root of each participant's configured watch directory. To see the watch directory for a job, review Host Participants and Directories. |
Trigger Action |
Defines the action to take when MED detects malicious activity on a bait file. See Action Types for more details on available actions. |
Action Types
For each MED mechanism, one of four actions can be configured on the detection of malicious activity. These actions are:
Alert Only |
Triggers an alert in the Peer Management Center. If SMTP email alerts are configured for MED Alerts and enabled for a job, an email will also be sent. For details on SMTP email alerts, see Global Email options. If SNMP traps are configured for MED Alerts and enabled for a job, an SNMP trap will also be sent. For more details on SNMP, see Global SNMP options. |
Alert and Disable Host |
Triggers an alert while also removing the afflicted Agent from the job in which the malicious activity was detected. Once disabled, Agents will need to be manually re-enabled for collaboration to resume. See Re-enabling a Disabled Agent Within a Job for details. |
Alert and Stop Job |
Triggers an alert while also stopping the job where the malicious activity was detected. Jobs will need to be restarted in order for collaboration to resume. |
Alert, Disable Host and Stop Job |
Triggers an alert, removes the afflicted Agent from the job where the malicious activity was detected, and stops the job. This option is the most aggressive and will require administrators to re-enable Agents as well as restart jobs. See Re-enabling a Disabled Agent Within a Job for details. |
An example of an alert as displayed in the Peer Management Center is as follows:
Trap Folders Advanced Options
On Windows file servers, Peer MED can be configured to create hidden, recursive folders that attempt to trap or slowdown ransomware as it enumerates a folder structure. As with the bait files, these folders cannot be seen by users but will be accessible by automated processes. If bait files (above) are enabled, a bait file will be placed within each trap folder, and an action will be triggered as soon as these files are touched.
Options for trap folders are:
Enable Trap Folders |
Enables/disables the creation and monitoring of trap folders. |
Add Trap Folders to shares |
At the start of each job, create trap folders under the root of each participant's configured watch directory. To see the watch directory for a job, review Host Participants and Directories. Note: Trap Folders will only be used with participants that are Windows file servers. As such, these settings will not apply to any other enterprise NAS device. |