MDR for Windows Defender Ransomware Detection Policy
Description
Example of Ransomware Detection and Rollback in action
We have created this video to demonstrate the Ransomware Policy with Rollback and File Recovery in action.
Creating The Ransomware Policies
Please see Creating A Custom Ransomware Policy for documentation on creating a policy.
Important Information about the Ransomware Policy
Ransomware Detection - The detection engine looks for the existence of crypto-ransomware on endpoints by using behavioral analysis of files.
Host Isolation - If ransomware behavior is suspected, the agent automatically isolates the endpoint from all network connections except the connection to the EDR Portal, to contain the attack.
Attempt to kill suspected ransomware process - The agent will attempt to terminate the processes associated with the attack, reducing the overall impact of the attack.
Shut Down Host - The EDR agent can automatically attempt to shut down the host in a ransomware event. If the Host Isolation or Attempt to kill suspected ransomware process options are also enabled, the agent attempts those steps first. If host isolation succeeds, the agent does not execute the shut down response.
Enable Rollback and File Recovery - Deploys the rollback agent and Rollback Driver Desktop application to all endpoints monitored by your ransomware policy.
Ransomware Rollback currently supports Windows 10 and 11 operating systems.
Ransomware Rollback on database, domain controller, Exchange, Active Directory servers or any endpoints running applications that will introduce heavy disk I/O activity.
Ransomware Rollback will not track changes on virtual disk images, including Hyper-V, VirtualBox, and Windows hard disk image files such as AVHDX, AVHD, VHD, VHDX, and VDI.
By default, Ransomware Rollback tracks changes to your operating system volume only. If you enable this option, the rollback agent will track changes to all internally-mounted disks on the endpoint.
Exclude standard Windows folders - Excludes the following folders from tracking (cannot currently be disabled).
%SYSTEMDRIVE%\Windows
%SYSTEMDRIVE%\Program Files
%SYSTEMDRIVE%\Program Files (x86)
%SYSTEMDRIVE%\ProgramData
%SYSTEMDRIVE%\Users\*\AppData (all AppData for all users on the system)
%SYSTEMDRIVE%\$WinREAgent (Windows Update folder)
%SYSTEMDRIVE%\$.td (Rollback agent data folder)
%SYSTEMDRIVE%\System Volume Information (hidden folder used by Windows kernel)
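The rules above determine which files the rollback agent would actually protect: only the operating system volume by default, never the standard Windows folders, and never virtual disk image files. The following is an added example (not part of this documentation or the vendor's agent) that encodes those rules as a checker, so an administrator can verify in advance whether a given data path would be covered. It assumes %SYSTEMDRIVE% is passed in explicitly (default C:), treats the per-user AppData exclusion as a wildcard on the second path component, and reads the virtual-disk rule as applying to files with the listed extensions; the `track_all_disks` parameter stands in for the policy option that extends tracking beyond the OS volume.

```python
from pathlib import PureWindowsPath

# Excluded folders from the policy documentation, relative to %SYSTEMDRIVE%.
# The per-user "Users\*\AppData" exclusion is handled separately below.
EXCLUDED_FOLDERS = [
    "Windows",
    "Program Files",
    "Program Files (x86)",
    "ProgramData",
    "$WinREAgent",
    "$.td",
    "System Volume Information",
]

# Virtual disk image types the documentation says are not tracked.
VIRTUAL_DISK_EXTS = {".avhdx", ".avhd", ".vhd", ".vhdx", ".vdi"}


def exclusion_reason(path, system_drive="C:", track_all_disks=False):
    """Return a string explaining why `path` would NOT be tracked by
    Ransomware Rollback, or None if it would be tracked.

    system_drive:    the endpoint's %SYSTEMDRIVE% value (assumed default "C:").
    track_all_disks: hypothetical flag for the policy option that tracks all
                     internally-mounted disks instead of the OS volume only.
    """
    p = PureWindowsPath(path)
    if not p.drive:
        raise ValueError("expected an absolute Windows path with a drive letter")
    drive = p.drive.lower()
    # parts[0] is the root ("C:\\"); compare the remaining components case-insensitively
    parts = [s.lower() for s in p.parts[1:]]

    # Virtual disk images are not tracked regardless of where they live.
    if p.suffix.lower() in VIRTUAL_DISK_EXTS:
        return f"virtual disk image ({p.suffix}) is not tracked"

    # By default only the operating system volume is tracked.
    if drive != system_drive.lower():
        if not track_all_disks:
            return "not on the operating system volume (tracking limited to OS volume)"
        return None

    # Standard Windows folder exclusions (first path component match).
    for folder in EXCLUDED_FOLDERS:
        if parts[:1] == [folder.lower()]:
            return f"inside excluded folder %SYSTEMDRIVE%\\{folder}"

    # %SYSTEMDRIVE%\Users\<any user>\AppData is excluded for every user.
    if len(parts) >= 3 and parts[0] == "users" and parts[2] == "appdata":
        return "inside excluded folder %SYSTEMDRIVE%\\Users\\*\\AppData"

    return None


def tracked_paths(paths, **kwargs):
    """Filter an iterable of paths down to those rollback would track."""
    return [p for p in paths if exclusion_reason(p, **kwargs) is None]


if __name__ == "__main__":
    # Constructed sample paths for illustration.
    sample = [
        r"C:\Users\alice\Documents\report.docx",
        r"C:\Users\alice\AppData\Local\cache.dat",
        r"C:\Windows\System32\cmd.exe",
        r"D:\shares\finance\ledger.xlsx",
        r"C:\VMs\test.vhdx",
    ]
    for s in sample:
        print(f"{s}: {exclusion_reason(s) or 'tracked'}")
```

Running the checker over a list of your business data locations before enabling the policy shows which locations depend on the "all internal disks" option and which fall under exclusions that cannot be disabled.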
Maximum tracking history - The maximum history is a 7-day window; this period can be reduced to suit your needs.
Cache size - The default cache size is 5% of the disk size. If the cache size limit is reached before the tracking window elapses, the agent begins purging the oldest files from history.
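Because the cache limit and the time window interact, the history you actually get back after an incident is the smaller of the two. The following is an added example (not part of this documentation or the vendor's agent) that estimates effective retention from a volume size and a daily change rate, and simulates the oldest-first purge day by day. It assumes the 5% default and the 7-day window from the text, and models purging at day granularity (the real agent purges individual files), so figures are an approximation for capacity planning.

```python
from collections import deque

GIB = 2 ** 30
DEFAULT_CACHE_PERCENT = 5.0   # default cache size from the documentation
DEFAULT_MAX_HISTORY_DAYS = 7  # maximum tracking window from the documentation


def cache_limit_bytes(disk_size_bytes, cache_percent=DEFAULT_CACHE_PERCENT):
    """Cache limit in bytes for a volume of the given size."""
    return int(disk_size_bytes * cache_percent / 100)


def retention_days(disk_size_bytes, daily_change_bytes,
                   cache_percent=DEFAULT_CACHE_PERCENT,
                   max_history_days=DEFAULT_MAX_HISTORY_DAYS):
    """Days of history the cache can hold at a steady change rate, capped at
    the configured window. This is the smaller of the two limits the policy
    imposes (time window vs. cache size)."""
    if daily_change_bytes <= 0:
        return float(max_history_days)
    limit = cache_limit_bytes(disk_size_bytes, cache_percent)
    return min(float(max_history_days), limit / daily_change_bytes)


def simulate_history(daily_changes, disk_size_bytes,
                     cache_percent=DEFAULT_CACHE_PERCENT,
                     max_history_days=DEFAULT_MAX_HISTORY_DAYS):
    """Replay a constructed sequence of per-day change volumes (bytes) and
    return the day indices still held in history at the end.

    Two purge rules are applied after each day's changes are recorded:
      1. days older than the tracking window are dropped;
      2. while the cache limit is exceeded, the oldest day is dropped
         (day-granularity approximation of the agent's oldest-first purge).
    """
    limit = cache_limit_bytes(disk_size_bytes, cache_percent)
    history = deque()  # (day index, bytes of changes recorded that day)
    used = 0
    for day, change in enumerate(daily_changes):
        history.append((day, change))
        used += change
        while history and day - history[0][0] >= max_history_days:
            _, b = history.popleft()
            used -= b
        while history and used > limit:
            _, b = history.popleft()
            used -= b
    return [d for d, _ in history]


if __name__ == "__main__":
    disk = 500 * GIB  # constructed example: 500 GiB OS volume
    for churn_gib in (2, 10):
        days = retention_days(disk, churn_gib * GIB)
        print(f"{churn_gib} GiB/day of changes -> about {days:.1f} days of rollback history")
    print("days retained after 10 days at 10 GiB/day:",
          simulate_history([10 * GIB] * 10, disk))
```

If the estimate comes out well under 7 days for a volume, either the cache limit or the change rate needs attention before relying on the rollback window; endpoints with the heavy disk I/O described above are exactly the ones where the cache fills long before the window does.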