<< Click to Display Table of Contents >> Navigation: Peer Global File Service Help > Preferences > MED Configuration |
Peer's Malicious Event Detection (MED) real-time engine can spot unwanted activity being executed on storage platforms by ransomware, viruses, malware, hackers, or rogue users. MED technology provides alerting capabilities, as well as the ability to minimize the amount of encrypted or deleted content from being replicated to remote locations. Once MED is enabled and jobs are restarted, these capabilities apply to all jobs. For more information, see our knowledge base article Introduction to Peer MED.
Peer MED deploys three different mechanisms for spotting malicious activity, each of which can be enabled and tuned independently. These settings are configured on a global level.
To modify MED settings:
1.Select Open Preferences from the Tools menu.
2.Select MED Configuration in the navigation tree.
3.Select the Enable Default Settings or click Show Advanced Settings.
If you selected Show Advanced Settings, the following is displayed.
4.Modify the options as needed:
•Trap Folders Advanced Options
5.Click Apply and Close or Apply.
The main options are as follows:
Option |
Description |
---|---|
Enable Default Settings |
Enables/disables Peer MED using default settings. By default, all three MED mechanisms are enabled. |
Show/Hide Advanced Settings |
Shows/hides options for each of the three MED mechanisms. |
Enable Malicious Event Detection (MED) |
The master on/off switch for MED. If unchecked, all MED mechanisms will be disabled. |
Restore Default Settings |
Restores all defaults across the three MED mechanisms. |
Bait files are files of common types, inserted into the file system in a way that hides them from users. Though hidden, these bait files are likely to be accessed by automated processes (like ransomware) or by mass deletions of entire folder structures. As soon as these files are touched, an action is triggered.
The options for bait files are:
Option |
Description |
---|---|
Enable Bait Files |
Enables/disables bait file creation and monitoring. |
Add Bait Files to shares |
At the start of each job, creates bait files under the root of each participant's watch directory. To see the watch directory for a job, review Host Participants and Directories. |
Trigger Action |
Defines the action to take when MED detects malicious activity on a bait file. See Action Types for more details on available actions. |
These options
The options for pattern matching are:
Option |
Description |
---|---|
Enable Pattern Matching |
Enables/disables pattern matching creation and monitoring. |
Global Extensions Exclude |
|
Trigger Action |
Defines the action to take when MED detects malicious activity on a bait file. See Action Types for more details on available actions. |
For each MED mechanism, one of four actions can be configured when malicious activity is detected. These actions are:
Action |
Description |
---|---|
Alert Only |
Triggers an alert in Peer Management Center. If email alerts are configured for MED Alerts and enabled for a job, an email will also be sent. See Email Alerts in the Basic Concepts section for more information about email alerts. If SNMP traps are configured for MED Alerts and enabled for a job, an SNMP trap will also be sent. See SNMP Notifications in the Basic Concepts section for more information about SNMP notifications. |
Alert and Disable Host |
Triggers an alert while also removing the afflicted Agent from the job in which the malicious activity was detected. Once disabled, Agents will need to be manually re-enabled for collaboration to resume. See Re-enabling a Disabled Agent Within a Job for details. |
Alert and Stop Job |
Triggers an alert while also stopping the job where the malicious activity was detected. Jobs will need to be restarted in order for collaboration to resume. |
Alert, Disable Host and Stop Job |
Triggers an alert, removes the afflicted Agent from the job where the malicious activity was detected, and stops the job. This option is the most aggressive and will require administrators to re-enable Agents as well as restart jobs. See Re-enabling a Disabled Agent Within a Job for details. |
An example of an alert as displayed in Peer Management Center is as follows:
On Windows file servers, Peer MED can be configured to create hidden, recursive folders that attempt to trap or slowdown ransomware as it enumerates a folder structure. As with the bait files, these folders cannot be seen by users but will be accessible by automated processes. If bait files (above) are enabled, a bait file will be placed within each trap folder, and an action will be triggered as soon as these files are touched.
Options for trap folders are:
Option |
Description |
---|---|
Enable Trap Folders |
Enables/disables the creation and monitoring of trap folders. |
Add Trap Folders to shares |
At the start of each job, create trap folders under the root of each participant's configured watch directory. To see the watch directory for a job, review Host Participants and Directories. Note: Trap Folders will only be used with participants that are Windows file servers. As such, these settings will not apply to any other enterprise NAS device. |