We have network based user shares. We have file sight monitoring the base user share folder. We have File Sight configured to monitor the base share and it looks for 200 reads in less than 1 minute. We are getting alerts such as the example below (the IP info and such is not real, just a sample of the alert)

Exceeded threshold: SAMPLEDOMAINNAME\​BENDA read 1447 files under E:\​USERS$\​ in 0m 50s from 129.168.5.5. The alert threshold is 200 files in 1m 0s. Read files include: E:\​USERS$\​BENDA\​Old Desktop Computer Backup\​Downloads\​SWOT ANALYSIS (1).xls


So why would a user be able to read so many files on their "U" drive in under a minute? My first guess is they were doing a search for something inside their folder. My real question here: We want to be able to identify possible crypto type of file read/rename/deletions. But if a folder search/index would trigger the alert, what other method or configuration should we be using? Thank you!

asked 19 Jul, 16:45

DTIG's gravatar image

DTIG
11
accept rate: 0%

edited 19 Jul, 16:59


Hi DTIG,

Thanks for the questions. Doing a search or just browsing the files using File Explorer the system is reading each file. This Read is getting the basic information such as name, size, last accessed dates, and owner info. The file may not have been fully opened into a application but it is being Read. You can adjust how PA File Sight handles these Reads by changing the "Minimum # of bytes read or written in order to get reported", this setting is in the File Activities setting in your monitor. File Sight - File Access Monitor

You also mentioned that your using PA File Sight as a way to detect Cyptolocker type reads, have you read our blog posts on this subject? There are lots of great help and techniques to help you detect Cyptolocker attacks. "Cryptolocker / Ransomware"

Thanks
Quinn

Please make sure to mark your questions accepted when you have your answer by clicking the gray check mark to the left of the answer.

link

answered 20 Jul, 09:11

Quinn's gravatar image

Quinn ♦♦
13.7k3925
accept rate: 39%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×65
×16
×6

Asked: 19 Jul, 16:45

Seen: 270 times

Last updated: 20 Jul, 09:11