- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Capture Client - Rollback function
05/05/2021 
3 People found this article helpful
83,401 Views
Description
Even if a threat has been re-mediated, you cannot be sure that there are no remnants that may impact performance (for example, registry keys, temp files, system changes, and so forth).
Resolution
The purpose of this article is to guide SOC teams to effectively Rollback endpoints in case of a ransomware attack using Capture Client
What is Rollback?
Rollback function available with Capture Client restores the endpoint to the last available snapshot, undoing the changes made by the threat. Snapshots are created using Microsoft Windows Virtual Shadowcopy Services (VSS). This option is the most effective response for ransomware mitigation and disaster recovery.
Pre-requisites for Rollback
- Rollback is only supported on Microsoft Windows endpoints.
- The endpoint should be licensed for Capture Client Advanced.
- All behavioral engines should be enabled as part of the Threat Protection Policy
- Ensure that “Snapshots” are enabled as part of the Threat Protection Policy
Policies -> Threat Protection -> Advanced settings -> Agent Configuration
- If VSS has been explicitly disabled by the administrator on endpoints, please refer to this KB on how to re-enable.
Performing a Rollback for Ransomware Recovery
For every threat, there are multiple possible mitigation actions – Kill, Quarantine, Remediate, Rollback - that can be performed from the ‘THREAT DETAILS’ page on Capture Client Management Console. The Remediate and Rollback options are only available if the threat was detected by a behavioral engine.
- On identification of a ransomware attack on an endpoint, immediately disable snapshot creation via the policy to prevent good snapshots from being overwritten.
- Review the threat(s) detected in the console and identify what mitigation actions have been taken by the agent automatically (based on the applied policy)
- Click on the Remediate button to delete all files and system changes created by threats – this helps to remove all traces of the threat and identify the suitable snapshot to restore the endpoint. If you select Remediate, Kill and Quarantine run also, if they were not completed already.
- Once the Remediate action is completed successfully, click on the Rollback button to perform a rollback to the last available good snapshot prior to the entry of the threat on the endpoint.
NOTE: If ‘Rollback’ is forced without ‘Remediate’, it can restore files created by the threat.
Related Articles
- How to upgrade a Single Endpoint Manually from the Capture Client Console.
- Capture client Mac installation - S1 not enforcing security
- Uninstalling SentinelOne MAC Agent through Recovery Mode
YES
NO