MED Configuration

<< Click to Display Table of Contents >>

Navigation:  Peer Global File Service Help > Preferences >

MED Configuration



Peer's Malicious Event Detection (MED) real-time engine can spot unwanted activity being executed on storage platforms by ransomware, viruses, malware, hackers, or rogue users.  MED technology provides alerting capabilities, as well as the ability to minimize the amount of encrypted or deleted content from being replicated to remote locations.  Once MED is enabled and jobs are restarted, these capabilities apply to all jobs.  For more information, see our knowledge base article Introduction to Peer MED.

Peer MED deploys three different mechanisms for spotting malicious activity, each of which can be enabled and tuned independently.  These settings are configured on a global level.

To modify MED settings:

1.Select Open Preferences from the Tools menu.

2.Select MED Configuration in the navigation tree.

MED-Preferences-1

3.Select the Enable Default Settings or click Show Advanced Settings.

If you selected Show Advanced Settings, the following is displayed.

MED-Preferences-2

4.Modify the options as needed:

Primary MED Options

Bait File Advanced Options

Trap Folders Advanced Options

5.Click Apply and Close or Apply.

Primary MED Options

The main options are as follows:

Option

Description

Enable Default Settings

Enables/disables Peer MED using default settings.  By default, all three MED mechanisms are enabled.

Show/Hide Advanced Settings

Shows/hides options for each of the three MED mechanisms.

Enable Malicious Event Detection (MED)

The master on/off switch for MED.  If unchecked, all MED mechanisms will be disabled.

Restore Default Settings

Restores all defaults across the three MED mechanisms.

Bait File Advanced Options

Bait files are files of common types, inserted into the file system in a way that hides them from users.  Though hidden, these bait files are likely to be accessed by automated processes (like ransomware) or by mass deletions of entire folder structures.  As soon as these files are touched, an action is triggered.

The options for bait files are:

Option

Description

Enable Bait Files

Enables/disables bait file creation and monitoring.

Add Bait Files to shares

At the start of each job, creates bait files under the root of each participant's watch directory.  To see the watch directory for a job, review Host Participants and Directories.

Trigger Action

Defines the action to take when MED detects malicious activity on a bait file.  See Action Types for more details on available actions.

Pattern Matching Advanced Options

These options

The options for pattern matching are:

Option

Description

Enable Pattern Matching

Enables/disables pattern matching creation and monitoring.

Global Extensions Exclude

 

Trigger Action

Defines the action to take when MED detects malicious activity on a bait file.  See Action Types for more details on available actions.

Action Types

For each MED mechanism, one of four actions can be configured when malicious activity is detected.  These actions are:

Action

Description

Alert Only

Triggers an alert in Peer Management Center.

If email alerts are configured for MED Alerts and enabled for a job, an email will also be sent.  See Email Alerts in the Basic Concepts section for more information about email alerts.  

If SNMP traps are configured for MED Alerts and enabled for a job, an SNMP trap will also be sent.  See SNMP Notifications in the Basic Concepts section for more information about SNMP notifications.

Alert and Disable Host

Triggers an alert while also removing the afflicted Agent from the job in which the malicious activity was detected.  Once disabled, Agents will need to be manually re-enabled for collaboration to resume.  See Re-enabling a Disabled Agent Within a Job for details.

Alert and Stop Job

Triggers an alert while also stopping the job where the malicious activity was detected.  Jobs will need to be restarted in order for collaboration to resume.

Alert, Disable Host and Stop Job

Triggers an alert, removes the afflicted Agent from the job where the malicious activity was detected, and stops the job.  This option is the most aggressive and will require administrators to re-enable Agents as well as restart jobs.  See Re-enabling a Disabled Agent Within a Job for details.

An example of an alert as displayed in Peer Management Center is as follows:

MED-Preferences-3

Trap Folders Advanced Options

On Windows file servers, Peer MED can be configured to create hidden, recursive folders that attempt to trap or slowdown ransomware as it enumerates a folder structure.  As with the bait files, these folders cannot be seen by users but will be accessible by automated processes.  If bait files (above) are enabled, a bait file will be placed within each trap folder, and an action will be triggered as soon as these files are touched.

Options for trap folders are:

Option

Description

Enable Trap Folders

Enables/disables the creation and monitoring of trap folders.

Add Trap Folders to shares

At the start of each job, create trap folders under the root of each participant's configured watch directory.  To see the watch directory for a job, review Host Participants and Directories.

Note:  Trap Folders will only be used with participants that are Windows file servers.  As such, these settings will not apply to any other enterprise NAS device.