Release Notes 1.9.2 Ransomware Defender


Eyeglass Isilon Edition R1.9.2 Ransomware Defender Release Notes 

Contents

  1. 1 What’s New in Superna Eyeglass Ransomware Defender Edition Release 1.9.2
  2. 2 Supported OneFS releases
  3. 3 Supported Eyeglass releases
  4. 4 Inter Release Functional Compatibility
  5. 5 End of Life Notifications
  6. 6 Issues Fixed in this Release
    1. 6.1 Security Guard
      1. 6.1.1 T4181  Security Guard Temporary Errors
    2. 6.2 Manage Services
      1. 6.2.1 T4268 Wrong alarm issued for ECA component or node failure
  7. 7 Known Issues
    1. 7.1 Threat Detection
      1. 7.1.1 T4151 Action Window Event Action History does not show Unreachable Cluster
      2. 7.1.2 T3732 Restored permission may be incorrect for consecutive lockouts
      3. 7.1.3 T4076, T4153  Time skew between browser client and Eyeglass appliance may result in unexpected value in the Active Events “Expires” column  
      4. 7.1.4 T4125 Enabling Monitor Mode does not block lockout for Users with an Active Event
      5. 7.1.5 T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates
      6. 7.1.6 T4000 Security Event that is promoted from Warning to Major uses the Warning Expiry setting for Major Grace Period
      7. 7.1.7 T4264 File Browser shows too many files
      8. 7.1.8 T4337 Modifying Ransomware Defender Settings or Running the lock root command removes lock root settings
      9. 7.1.9 T4670, T4676  Issues with Ransomware Defender Email Notification
      10. 7.1.10 T4675  Major Delayed Lockout Grace Period Reset with each new Signal
    2. 7.2 Security Guard
      1. 7.2.1 T4197 Security Guard Error for Unlicensed Cluster
      2. 7.2.2 T4228  Security Guard Temporary Errors
    3. 7.3 Manage Services
      1. 7.3.1 T4192 Manage Services status not accurate after ECA Node Down
      2. 7.3.2 T3724 Manage Services state may not be accurate when connection to Isilon Cluster HDFS is down
    4. 7.4 General
      1. 7.4.1 T4230 Blank Ransomware Defender Window
      2. 7.4.2 T4183  Refresh does not work for Ransomware Defender multi-page lists
      3. 7.4.3 T4336  Eyeglass Restore does not restore Security Guard Job History
      4. 7.4.4 T4549  Ransomware Defender Settings Submit button enabled when no changes made



What’s New in Superna Eyeglass Ransomware Defender Edition Release 1.9.2

What’s New! In Superna Eyeglass Ransomware Defender Edition Release 1.9.2 can be found here.


Supported OneFS releases

7.2.x.x

7.2.1.x

8.0.0.x

8.0.1.x


Supported Eyeglass releases

Superna Eyeglasss Ransomware Defender Version


Superna Eyeglass Version


1.9.2-17114

1.9.2-17114

1.9-17081

1.9.1-17093

1.9-17090



Inter Release Functional Compatibility


OneFS 7.2

OneFS 8.0

OneFS 7.2 - OneFS 8.0

Threat Detection

Yes

Yes

Yes

Security Guard

Yes

Yes

Yes





End of Life Notifications


Description

End of Life Date

None at this time



Issues Fixed in this Release

Security Guard



T4181  Security Guard Temporary Errors

Security Guard may occasionally remain in the TO_LOCKOUT state.   

Resolution: This condition no longer occurs.

—————————————————–


Manage Services


T4268 Wrong alarm issued for ECA component or node failure

When an ECA component or node is down, an Informational Alarm is raised with incorrect description “Ransomware: ECA node version does not match the Eyeglass version”.

Resolution:  Now when an ECA component or node is down, a Major Alarm is raised with description “ECA node inactive or in error state”.

—————————————————–

Known Issues

Threat Detection


T4151 Action Window Event Action History does not show Unreachable Cluster

In the event that a Cluster is unreachable during a Lockout operation, the Active Event state will correctly show ERROR and the Event Action History will show “Partially Locked out” but does not display the cluster that was unreachable or the shares that could not be locked out.

Workaround: Manually inspect the clusters that were locked out.  Any missing cluster under management need to review the shares and determine which the affected user has access to and then manually block access.

—————————————————–

T3732 Restored permission may be incorrect for consecutive lockouts

In the event that user share access has been locked and subsequently restored and another lockout occurs before Eyeglass inventory has run, the “restore” permissions associated with shares may be the lockout settings from the previous lockout.

Workaround: Permissions should be restored manually by removing the deny permission for the affected user.  Use the Event Action History to determine the affected shares.

—————————————————–

T4076, T4153  Time skew between browser client and Eyeglass appliance may result in unexpected value in the Active Events “Expires” column  

The “Expires” time on the Ransomware Defender Active Events list related to Warning event Expiry time or Major Event Delayed Lockout Grace Period is calculated based on timestamp on the Eyeglass appliance and time on the browser client.  If there is a time skew between the Eyeglass appliance and the browser client this calculation may result in an unexpected value in the Expires column.  For example: -1.

Workaround: None Required.  This is a display issue only.  The Eyeglass appliance has the correct time at which to take action.

If possible synchronizing time between browser client and Eyeglass appliance will workaround this issue.

—————————————————–

T4125 Enabling Monitor Mode does not block lockout for Users with an Active Event

If there is an Active Event at the time when Monitor Mode is enabled, if you Restore Access and another Signal is received before the Event can be archived the User will be locked out again even though Monitor Mode is enabled.

Users without an Active Event are unaffected.  The lockout for a Signal that comes in after the Monitor Mode was enabled is skipped as expected.

Workaround: Add the affected User to the Ignored List to prevent subsequent lockout after Monitor Mode enabled.

—————————————————–

T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates

The Ransomware Defender Job History “Run Date” is based on the Eyeglass appliance time zone whereas the Event History “Detected” date is translated to the client browser locale.

Workaround: Translate date for 1 of the dates to the time zone of the other date to correlate Security Guard Jobs to events in the Event History.

—————————————————–

T4000 Security Event that is promoted from Warning to Major uses the Warning Expiry setting for Major Grace Period

For the case where a Security Event is promoted from Warning to Major, the timing for the Delayed Lockout uses the Warning Expiry setting instead of using the Grace Period configure for a Major event in the Settings tab of the Ransomware Defender window.

Workaround: Set the Warning Expiry and Major Grace Period to the same value.

—————————————————–

T4264 File Browser shows too many files

When browsing the files for a Security Event, the All Files list is the list of files touched 1 hour prior to event to the current time when browsing files instead of files touched 1 hour prior to event to time the event is archived.

Workaround: Use the Time Stamp in the All Files display to determine which files apply to the Security Event.

—————————————————–

T4337 Modifying Ransomware Defender Settings or Running the lock root command removes lock root settings

Lock root settings applied using command

igls admin lockroot --lock_root

.are lost each time a change is made to Ransomware Settings or running the igls admin lockroot command.  If lock root was enabled it becomes disabled.

Workaround: Each time a Ransomware Settings change is made, the lock root setting must be reapplied manually.  Please contact support.superna.net for assistance.

—————————————————–


T4670, T4676  Issues with Ransomware Defender Email Notification

Email notification is provided for the initial entry of an event for a user but subsequent events or if the severity of the event is upgraded no additional email notification is sent.

Workaround:

  1. When an event has been archived, open the Alarms window and clear the associated alarm.  Once cleared the next event will generate a new alarm.

  2. When an email is received, monitor the Eyeglass Ransomware Defender / Active Events window to track the progress of an event.

—————————————————–

T4675  Major Delayed Lockout Grace Period Reset with each new Signal

With the Major Severity threshold crossed, each new signal resets the Grace Period timer to start over resulting in lockout being deferred until period where no signals received once timer has started.  This may prevent lockout until such time as event has completed

Workaround: To ensure lockout, turn Critical mode on.

—————————————————–



Security Guard

T4197 Security Guard Error for Unlicensed Cluster

Security Guard fails when Isilon Cluster selected to run is not licensed.

Since Ransomware Defender dynamically picks priority Isilon Clusters to license (refer to Eyeglass Ransomware Defender Admin Guide for details on selection of licensed cluster) for the case where Eyeglass is managing more clusters than there are Ransomware Defender Agent Licenses, one cannot be sure the selected Cluster in Security Guard is actually licensed at the run time.

Workaround: Deploy same number of Ransomware Defender Agent Licenses as the number of Isilon Clusters being managed by Eyeglass.

—————————————————–

T4228  Security Guard Temporary Errors

Security Guard may occasionally error with 0 files written.   

Workaround: This condition typically clears it self on the next Security Guard run. It does not affect workflow for a real security event.

If it does not clear, follow these steps to recover:

  1. Archive as Unresolved

  2. Run Security Guard manually to ensure that it is operational again.

—————————————————–

Manage Services

T4192 Manage Services status not accurate after ECA Node Down

After an ECA node has been powered off / gone down and subsequently powered back on and rejoined to the ECA cluster it continues to display the Inactive state in the Eyeglass Manage Services window even when it is active again and healthy.

Workaround:  Once the node is back up, remove it from the Manage Services window by selecting the X in the node’s row.  Wait 1 to 2 minutes and the service should be rediscovered with the correct state.

—————————————————–

T3724 Manage Services state may not be accurate when connection to Isilon Cluster HDFS is down

If there is a connectivity issue between the Eyeglass ECA and the Isilon cluster HDFS the Manage Services state is inconsistent and may display state as OK, WARN or ERROR.

Workaround:  None available.  Once the connection is restored, the database service must be brought up again and then the state will correctly state OK.

—————————————————–



General

T4230 Blank Ransomware Defender Window

After archiving an Event the Ransomware Defender window tabs may appear empty.   

Workaround: Close and reopen the Ransomware Defender window.

—————————————————–

T4183  Refresh does not work for Ransomware Defender multi-page lists

Ransomware Defender window with multiple pages is not updated by Refresh except for the first page.   

Workaround: To update the list go back to the first page of the list.

—————————————————–

T4336  Eyeglass Restore does not restore Security Guard Job History

Security Guard historical log files are not restored when you restore configuration from backup.   

Workaround: None available.

—————————————————–

T4549  Ransomware Defender Settings Submit button enabled when no changes made

When the Ransomware Defender Settings window is opened the Submit button is enabled even though no changes have been made to any settings. If you navigate to another view and come back to Settings, the Submit button is then correctly disabled until a change is made on the page.  

Workaround: None required.

—————————————————–