We have network-based user shares. We have File Sight monitoring the base user share folder. We have File Sight configured to monitor the base share, and it looks for 200 reads in less than 1 minute. We are getting alerts such as the example below (the IP info and such is not real, just a sample of the alert):

Exceeded threshold: SAMPLEDOMAINNAME\BENDA read 1447 files under E:\USERS$\ in 0m 50s from 129.168.5.5. The alert threshold is 200 files in 1m 0s. Read files include: E:\USERS$\BENDA\Old Desktop Computer Backup\Downloads\SWOT ANALYSIS (1).xls

So why would a user be able to read so many files on their "U" drive in under a minute? My first guess is they were doing a search for something inside their folder.

My real question here: we want to be able to identify possible crypto-type file reads/renames/deletions. But if a folder search/index would trigger the alert, what other method or configuration should we be using?

Thank you!

asked 19 Jul '17, 16:45 DTIG
Hi DTIG,

Thanks for the questions. When doing a search or just browsing the files using File Explorer, the system is reading each file. This read is getting the basic information such as name, size, last accessed dates, and owner info. The file may not have been fully opened in an application, but it is being read. You can adjust how PA File Sight handles these reads by changing the "Minimum # of bytes read or written in order to get reported" setting; this setting is in the File Activities settings in your monitor. File Sight - File Access Monitor

You also mentioned that you're using PA File Sight as a way to detect Cryptolocker-type reads. Have you read our blog posts on this subject? There is a lot of help and there are techniques there to help you detect Cryptolocker attacks. "Cryptolocker / Ransomware"

Thanks

Please make sure to mark your questions accepted when you have your answer by clicking the gray check mark to the left of the answer.

answered 20 Jul '17, 09:11 Quinn ♦♦
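The answer's point is that a count-of-files threshold alone cannot tell an Explorer search (hundreds of metadata-only reads) from an encryption loop (hundreds of full-content reads followed by writes and renames), and that a minimum-bytes filter separates the two. The following is an added example, not PA File Sight's code or its log format: it assumes a hypothetical pipe-delimited export of file events (timestamp|user|operation|bytes|path), builds two constructed bursts of events (a search-like burst and a ransomware-like burst), and runs the same sliding-window threshold over them with and without a minimum-bytes filter, and over rename operations as the question asks about.

```python
"""Sliding-window file-activity threshold with a minimum-bytes filter.

Added example; assumes a hypothetical export format and constructed events.
Not PA File Sight's code, log format, or detection logic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    user: str
    op: str       # "read", "write", "rename" or "delete"
    path: str
    nbytes: int   # bytes actually transferred; 0 for a metadata-only read


def parse_line(line: str) -> FileEvent:
    """Parse one record of the hypothetical format: ISO-ts|DOMAIN\\user|op|bytes|path."""
    ts, user, op, nbytes, path = line.rstrip("\n").split("|", 4)
    return FileEvent(datetime.fromisoformat(ts), user, op, path, int(nbytes))


def threshold_alerts(events, op="read", threshold=200,
                     window=timedelta(minutes=1), min_bytes=0):
    """Return (user, ts, count) each time the number of distinct files a user
    performed `op` on, with at least `min_bytes` transferred, exceeds `threshold`
    within a trailing `window`. At most one alert per user per window."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, path) inside the window
    last_alert = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != op or ev.nbytes < min_bytes:
            continue              # min_bytes is what drops browse/search reads
        q = recent[ev.user]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        count = len({p for _, p in q})
        if count > threshold and (ev.user not in last_alert
                                  or ev.ts - last_alert[ev.user] > window):
            last_alert[ev.user] = ev.ts
            alerts.append((ev.user, ev.ts, count))
    return alerts


# Constructed sample data (not real logs); names mirror the question's example.
T0 = datetime(2017, 7, 19, 16, 0, 0)
ROOT = "E:\\USERS$"


def search_burst(user="SAMPLEDOMAINNAME\\BENDA", n=300):
    """Constructed: an Explorer search touching n files in 50 s, metadata only."""
    step = timedelta(seconds=50) / n
    return [f"{(T0 + i * step).isoformat()}|{user}|read|0|{ROOT}\\BENDA\\doc{i}.xls"
            for i in range(n)]


def encrypt_burst(user="SAMPLEDOMAINNAME\\MALLORY", n=250):
    """Constructed: ransomware-like loop reading each file in full, writing it
    back and renaming it, n files in 40 s."""
    lines = []
    step = timedelta(seconds=40) / n
    for i in range(n):
        t = (T0 + i * step).isoformat()
        p = f"{ROOT}\\MALLORY\\doc{i}.docx"
        lines.append(f"{t}|{user}|read|4096|{p}")
        lines.append(f"{t}|{user}|write|4096|{p}")
        lines.append(f"{t}|{user}|rename|0|{p}")
    return lines


def demo():
    """Count alerts for each scenario under each configuration."""
    search = [parse_line(l) for l in search_burst()]
    ransom = [parse_line(l) for l in encrypt_burst()]
    return {
        "search_default": len(threshold_alerts(search)),                 # fires on metadata reads
        "search_min_bytes": len(threshold_alerts(search, min_bytes=1)),  # silent
        "ransom_min_bytes": len(threshold_alerts(ransom, min_bytes=1)),  # fires on full reads
        "ransom_rename": len(threshold_alerts(ransom, op="rename", threshold=50)),
    }


if __name__ == "__main__":
    print(demo())
```

With `min_bytes=0` the search burst produces exactly the false positive described in the question; raising the floor to one byte silences it while the encryption loop, whose reads carry file content, still trips the threshold. Running the same window over `rename` (or `delete`) events gives a second, independent signal that a search does not generate.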