-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
Capture Client - Rollback function
05/05/2021 
15 People found this article helpful
473,495 Views
Description
Even if a threat has been re-mediated, you cannot be sure that there are no remnants that may impact performance (for example, registry keys, temp files, system changes, and so forth).
Resolution
The purpose of this article is to guide SOC teams to effectively Rollback endpoints in case of a ransomware attack using Capture Client
What is Rollback?
Rollback function available with Capture Client restores the endpoint to the last available snapshot, undoing the changes made by the threat. Snapshots are created using Microsoft Windows Virtual Shadowcopy Services (VSS). This option is the most effective response for ransomware mitigation and disaster recovery.
Pre-requisites for Rollback
- Rollback is only supported on Microsoft Windows endpoints.
- The endpoint should be licensed for Capture Client Advanced.
- All behavioral engines should be enabled as part of the Threat Protection Policy
- Ensure that “Snapshots” are enabled as part of the Threat Protection Policy
Policies -> Threat Protection -> Advanced settings -> Agent Configuration
- If VSS has been explicitly disabled by the administrator on endpoints, please refer to this KB on how to re-enable.
Performing a Rollback for Ransomware Recovery
For every threat, there are multiple possible mitigation actions – Kill, Quarantine, Remediate, Rollback - that can be performed from the ‘THREAT DETAILS’ page on Capture Client Management Console. The Remediate and Rollback options are only available if the threat was detected by a behavioral engine.
- On identification of a ransomware attack on an endpoint, immediately disable snapshot creation via the policy to prevent good snapshots from being overwritten.
- Review the threat(s) detected in the console and identify what mitigation actions have been taken by the agent automatically (based on the applied policy)
- Click on the Remediate button to delete all files and system changes created by threats – this helps to remove all traces of the threat and identify the suitable snapshot to restore the endpoint. If you select Remediate, Kill and Quarantine run also, if they were not completed already.
- Once the Remediate action is completed successfully, click on the Rollback button to perform a rollback to the last available good snapshot prior to the entry of the threat on the endpoint.
NOTE: If ‘Rollback’ is forced without ‘Remediate’, it can restore files created by the threat.
Related Articles
- How to Decommission and Remove Devices in Capture Client Console
- SonicWall Capture Client and Jamf Pro
- Capture Client – Pre-requisites for Windows
YES
NO