Release Notes 1.9.0 Ransomware

Eyeglass Isilon Edition R1.9 Ransomware Defender Release Notes 

What’s New in Superna Eyeglass Isilon Edition Release 1.9

What’s New! In Superna Eyeglass Isilon Edition Release 1.9 can be found here.

Supported OneFS releases





Inter Release Functional Compatibility

OneFS 7.2

OneFS 8.0

OneFS 7.2 - OneFS 8.0

Threat Detection




Security Guard




End of Life Notifications


End of Life Date

None at this time

Known Issues

Threat Detection

T4151 Action Window Event Action History does not show Unreachable Cluster

In the event that a Cluster is unreachable during a Lockout operation, the Active Event state will correctly show ERROR and the Event Action History will show “Partially Locked out” but does not display the cluster that was unreachable or the shares that could not be locked out.

Workaround: Manually inspect the clusters that were locked out.  Any missing cluster under management need to review the shares and determine which the affected user has access to and then manually block access.


T3732 Restored permission may be incorrect for consecutive lockouts

In the event that user share access has been locked and subsequently restored and another lockout occurs before Eyeglass inventory has run, the “restore” permissions associated with shares may be the lockout settings from the previous lockout.

Workaround: Permissions should be restored manually by removing the deny permission for the affected user.  Use the Event Action History to determine the affected shares.


T4076, T4153  Time skew between browser client and Eyeglass appliance may result in unexpected value in the Active Events “Expires” column  

The “Expires” time on the Ransomware Defender Active Events list related to Warning event Expiry time or Major Event Delayed Lockout Grace Period is calculated based on timestamp on the Eyeglass appliance and time on the browser client.  If there is a time skew between the Eyeglass appliance and the browser client this calculation may result in an unexpected value in the Expires column.  For example: -1.

Workaround: None Required.  This is a display issue only.  The Eyeglass appliance has the correct time at which to take action.

If possible synchronizing time between browser client and Eyeglass appliance will workaround this issue.


T4125 Enabling Monitor Mode does not block lockout for Users with an Active Event

If there is an Active Event at the time when Monitor Mode is enabled, if you Restore Access and another Signal is received before the Event can be archived the User will be locked out again even though Monitor Mode is enabled.

Users without an Active Event are unaffected.  The lockout for a Signal that comes in after the Monitor Mode was enabled is skipped as expected.

Workaround: Add the affected User to the Ignored List to prevent subsequent lockout after Monitor Mode enabled.


T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates

The Ransomware Defender Job History “Run Date” is based on the Eyeglass appliance time zone whereas the Event History “Detected” date is translated to the client browser locale.

Workaround: Translate date for 1 of the dates to the time zone of the other date to correlate Security Guard Jobs to events in the Event History.


T4000 Security Event that is promoted from Warning to Major uses the Warning Expiry setting for Major Grace Period

For the case where a Security Event is promoted from Warning to Major, the timing for the Delayed Lockout uses the Warning Expiry setting instead of using the Grace Period configure for a Major event in the Settings tab of the Ransomware Defender window.

Workaround: Set the Warning Expiry and Major Grace Period to the same value.


T4269 Changes to Ignore List or Licensed Clusters may not be updated on ECA

An update to the Ignore List on the Eyeglass Ransomware Defender Ignored List tab or a change in the Clusters licensed for Ransomware may not be updated on the ECA in which case they do not take effect

Workaround:  After making a change to the Ignored List or changing the Clusters licensed for Ransomware always take the following steps to ensure that the changes take effect:

  1. Wait 1 minute after making Ignored List change or Cluster license change for the change to be copied down to the ECA cluster.

  2. ssh to the master node (node 1) and login as admin user.

  3. ecactl containers restart ceefilter

  4. Repeat steps 2 and 3 on remaining ECA nodes 2 and 3


Security Guard

T4197 Security Guard Error for Unlicensed Cluster

Security Guard fails when Isilon Cluster selected to run is not licensed.

Since Ransomware Defender dynamically picks priority Isilon Clusters to license (refer to Eyeglass Ransomware Defender Admin Guide for details on selection of licensed cluster) for the case where Eyeglass is managing more clusters than there are Ransomware Defender Agent Licenses, one cannot be sure the selected Cluster in Security Guard is actually licensed at the run time.

Workaround: Deploy same number of Ransomware Defender Agent Licenses as the number of Isilon Clusters being managed by Eyeglass.


T4181, T4228  Security Guard Temporary Errors

Security Guard may occasionally error with 0 files written or remain in the TO_LOCKOUT state.   

Workaround: None required.  This condition clears it self on the next Security Guard run. It does not affect workflow for a real security event.


Manage Services

T4192 Manage Services status not accurate after ECA Node Down

After an ECA node has been powered off / gone down and subsequently powered back on and rejoined to the ECA cluster it continues to display the Inactive state in the Eyeglass Manage Services window even when it is active again and healthy.

Workaround:  Once the node is back up, remove it from the Manage Services window by selecting the X in the node’s row.  Wait 1 to 2 minutes and the service should be rediscovered with the correct state.


T3724 Manage Services state may not be accurate when connection to Isilon Cluster HDFS is down

If there is a connectivity issue between the Eyeglass ECA and the Isilon cluster HDFS the Manage Services state is inconsistent and may display state as OK, WARN or ERROR.

Workaround:  None available.  Once the connection is restored, the database service must be brought up again and then the state will correctly state OK.


T4268 Wrong alarm issued for ECA component or node failure

When an ECA component or node is down, an Informational Alarm is raised with incorrect description “Ransomware: ECA node version does not match the Eyeglass version”.

Workaround:  Login to the Eyeglass web page and open the Manage Services window to review status of each component on each ECA node.  Information regarding the ECA High Availability strategy can be found here:

A complete ECA failure will be detected by the Security Guard job scheduled task.



T4230 Blank Ransomware Defender Window

After archiving an Event the Ransomware Defender window tabs may appear empty.   

Workaround: Close and reopen the Ransomware Defender window.


T4183  Refresh does not work for Ransomware Defender multi-page lists

Ransomware Defender window with multiple pages is not updated by Refresh except for the first page.   

Workaround: To update the list go back to the first page of the list.