Capture Client - Rollback function

Pre-requisites for Rollback  

• Rollback is only supported on Microsoft Windows endpoints. 
• The endpoint should be licensed for Capture Client Advanced. 
• All behavioral engines should be enabled as part of the Threat Protection Policy 
• Ensure that “Snapshots” are enabled as part of the Threat Protection Policy  

Policies -> Threat Protection -> Advanced settings -> Agent Configuration 

• If VSS has been explicitly disabled by the administrator on endpoints, please refer to this KB on how to re-enable.  

Performing a Rollback for Ransomware Recovery 

For every threat, there are multiple possible mitigation actions – Kill, Quarantine, Remediate, Rollback - that can be performed from the ‘THREAT DETAILS’ page on Capture Client Management Console. The Remediate and Rollback options are only available if the threat was detected by a behavioral engine.  

• On identification of a ransomware attack on an endpoint, immediately disable snapshot creation via the policy to prevent good snapshots from being overwritten.
• Review the threat(s) detected in the console and identify what mitigation actions have been taken by the agent automatically (based on the applied policy) 

• Click on the Remediate button to delete all files and system changes created by threats – this helps to remove all traces of the threat and identify the suitable snapshot to restore the endpoint. If you select Remediate, Kill and Quarantine run also, if they were not completed already. 

• Once the Remediate action is completed successfully, click on the Rollback button to perform a rollback to the last available good snapshot prior to the entry of the threat on the endpoint.  

NOTE: If ‘Rollback’ is forced without ‘Remediate’, it can restore files created by the threat.