Capture Client - Rollback function
05/05/2021 15 People found this article helpful 473,207 Views
Description
Even if a threat has been re-mediated, you cannot be sure that there are no remnants that may impact performance (for example, registry keys, temp files, system changes, and so forth).
Resolution
The purpose of this article is to guide SOC teams to effectively Rollback endpoints in case of a ransomware attack using Capture Client
Rollback function available with Capture Client restores the endpoint to the last available snapshot, undoing the changes made by the threat. Snapshots are created using Microsoft Windows Virtual Shadowcopy Services (VSS). This option is the most effective response for ransomware mitigation and disaster recovery.
Pre-requisites for Rollback
- Rollback is only supported on Microsoft Windows endpoints.
- The endpoint should be licensed for Capture Client Advanced.
- All behavioral engines should be enabled as part of the Threat Protection Policy
- Ensure that “Snapshots” are enabled as part of the Threat Protection Policy
Policies -> Threat Protection -> Advanced settings -> Agent Configuration
- If VSS has been explicitly disabled by the administrator on endpoints, please refer to this KB on how to re-enable.
Performing a Rollback for Ransomware Recovery
For every threat, there are multiple possible mitigation actions – Kill, Quarantine, Remediate, Rollback - that can be performed from the ‘THREAT DETAILS’ page on Capture Client Management Console. The Remediate and Rollback options are only available if the threat was detected by a behavioral engine.
- On identification of a ransomware attack on an endpoint, immediately disable snapshot creation via the policy to prevent good snapshots from being overwritten.
- Review the threat(s) detected in the console and identify what mitigation actions have been taken by the agent automatically (based on the applied policy)
- Click on the Remediate button to delete all files and system changes created by threats – this helps to remove all traces of the threat and identify the suitable snapshot to restore the endpoint. If you select Remediate, Kill and Quarantine run also, if they were not completed already.
- Once the Remediate action is completed successfully, click on the Rollback button to perform a rollback to the last available good snapshot prior to the entry of the threat on the endpoint.
NOTE: If ‘Rollback’ is forced without ‘Remediate’, it can restore files created by the threat.
Related Articles
Categories
Was This Article Helpful?
YESNO