Even if a threat has been remediated, you cannot be sure that no remnants remain that may impact performance (for example, registry keys, temp files, system changes, and so forth).
The purpose of this article is to guide SOC teams to effectively roll back endpoints in case of a ransomware attack using Capture Client.
What is Rollback?
The Rollback function available with Capture Client restores the endpoint to the last available snapshot, undoing the changes made by the threat. Snapshots are created using the Microsoft Windows Volume Shadow Copy Service (VSS). This option is the most effective response for ransomware mitigation and disaster recovery.
Pre-requisites for Rollback
Rollback is only supported on Microsoft Windows endpoints.
The endpoint should be licensed for Capture Client Advanced.
All behavioral engines should be enabled as part of the Threat Protection Policy.
Ensure that “Snapshots” are enabled as part of the Threat Protection Policy.
If VSS has been explicitly disabled by the administrator on endpoints, please refer to this KB on how to re-enable it.
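The VSS prerequisite above can be verified on the endpoint itself before an incident, so that a rollback is not attempted against a machine with no usable snapshots. The following PowerShell is an added example (not the article's or SonicWall's own code) that checks the VSS service is not disabled, lists the existing shadow copies, and, given an assumed threat first-seen time, reports the newest snapshot that predates it; it assumes an elevated session on the Windows endpoint.

```powershell
# Added example: verify the VSS prerequisite for Capture Client rollback and
# list the shadow copies currently held on this endpoint.
# Run from an elevated PowerShell session on the Windows endpoint.

function Test-RollbackReadiness {
    param(
        # Time the threat was first seen (e.g. from the THREAT DETAILS page).
        # Optional: used only to flag whether a pre-infection snapshot exists.
        [datetime]$ThreatFirstSeen
    )

    # 1. The VSS service must not be disabled; without it no snapshots are created.
    $vss   = Get-Service -Name VSS -ErrorAction Stop
    $vssOk = $vss.StartType -ne 'Disabled'

    # 2. Enumerate existing shadow copies with their creation time and volume.
    $copies = Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate |
        Sort-Object InstallDate

    $preInfection = $null
    if ($PSBoundParameters.ContainsKey('ThreatFirstSeen')) {
        # Only snapshots taken before the threat arrived are safe rollback targets;
        # the newest of those is the "last good snapshot" the article refers to.
        $preInfection = $copies |
            Where-Object { $_.InstallDate -lt $ThreatFirstSeen } |
            Select-Object -Last 1
    }

    [pscustomobject]@{
        VssServiceStatus   = $vss.Status
        VssStartType       = $vss.StartType
        VssEnabled         = $vssOk
        SnapshotCount      = @($copies).Count
        Snapshots          = $copies
        NewestPreInfection = $preInfection
    }
}

# Usage with a constructed (placeholder) threat first-seen time.
Test-RollbackReadiness -ThreatFirstSeen (Get-Date '2024-01-15 09:30') |
    Format-List VssEnabled, VssServiceStatus, SnapshotCount, NewestPreInfection
```

If `VssEnabled` is false or `NewestPreInfection` is empty, re-enable VSS per the KB referenced above and confirm the Snapshots policy setting before relying on Rollback.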
Performing a Rollback for Ransomware Recovery
For every threat, there are multiple possible mitigation actions (Kill, Quarantine, Remediate, Rollback) that can be performed from the ‘THREAT DETAILS’ page in the Capture Client Management Console. The Remediate and Rollback options are only available if the threat was detected by a behavioral engine.
On identification of a ransomware attack on an endpoint, immediately disable snapshot creation via the policy to prevent good snapshots from being overwritten.
Review the threat(s) detected in the console and identify which mitigation actions have already been taken automatically by the agent (based on the applied policy).
Click the Remediate button to delete all files and system changes created by the threat; this removes all traces of the threat and identifies the suitable snapshot to restore the endpoint. If you select Remediate, Kill and Quarantine also run if they were not completed already.
Once the Remediate action has completed successfully, click the Rollback button to roll back to the last available good snapshot taken before the threat entered the endpoint.
NOTE: If ‘Rollback’ is forced without ‘Remediate’, it can restore files created by the threat.