Transcript
detects ransomware activity on an SMB network share and automatically blocks the compromised endpoint. Before running the simulation, we'll first make sure the protection policy is enabled. Open the Athena EPP Manager console and go to the anti-ransomware configuration page. Under ransomware protection, enable SMB-based remote ransomware protection.

With the policy in place, let's move to the demo environment. In this setup, one endpoint is acting as a compromised machine. It has access to the SMB server and will be used to run a ransomware script against the network share. Here, we are logged into the SMB server, shown on the left, while the SMB share being accessed from the compromised endpoint is shown on the right. This confirms that the endpoint currently has normal access to the shared folder.

Now, we'll simulate the ransomware attack. On the endpoint, the script attempts to encrypt files on the SMB network share. As soon as suspicious encryption activity is detected, the Athena EPP agent responds automatically. An alert appears on the SMB server and the endpoint is immediately blocked from accessing the share. At this point, the attack has been stopped and the affected SMB access has been cut off.

Next, let's see how this incident appears from the administrator's view. Return to the Athena EPP Manager console. On the malware page, click suspicious activities to view the alerts generated by the platform. Open the relevant alert to review the detected behavior, affected asset, and recommended remediation steps. This gives administrators a centralized view of what happened and what action was taken.

Now, let's check the local protection logs on the SMB server. Open the Athena EPP agent on the server. From the home page, click logs, go to real-time protection, and filter the logs by ransomware protection and ransomware activity. Here, we can confirm that the suspicious remote file activity was detected and blocked by the agent.
After the incident has been reviewed, administrators can decide whether to restore access for the blocked endpoint. To do this, go to settings, ransomware protection, restore encrypted files, then select blocked IPs. This page shows the SMB connections that were blocked by the agent. Before restoring access, let's verify that the block is still active. Switch back to the endpoint and try to access the SMB server again. As expected, the SMB share is still unavailable. Now, return to the server and remove the IP block. Once the block is lifted, we'll test the connection again from the endpoint. The SMB share can now be accessed successfully.

This completes the demonstration of Sangfor Athena EPP's SMB anti-ransomware protection, including detection, automatic blocking, alert review, and access restoration. Thank you for watching.