Release notes Ransomware Defender only 1.9.6


Contents

  1 What’s New in Superna Eyeglass Ransomware Defender Edition Release 1.9.6
  2 Supported OneFS releases
  3 Supported Eyeglass releases
  4 Inter Release Functional Compatibility
  5 End of Life Notifications
  6 Known Issues
    6.1 Threat Detection
      6.1.1 T4151 Action Window Event Action History does not show Unreachable Cluster
      6.1.2 T3732 Restored permission may be incorrect for consecutive lockouts
      6.1.3 T4076, T4153 Time skew between browser client and Eyeglass appliance may result in unexpected value in the Active Events “Expires” column
      6.1.4 T4125 Enabling Monitor Mode does not block lockout for Users with an Active Event
      6.1.5 T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates
      6.1.6 T4264 File Browser shows too many files
      6.1.7 T4337 Modifying Ransomware Defender Settings or Running the lock root command removes lock root settings
      6.1.8 T4759 Event Action History uses wrong time zone
      6.1.9 T4777 Snapshots not created for any Events that are Active when the Snapshot feature is enabled
      6.1.10 T4819 Empty Event History List
      6.1.11 T4945 Snapshot Delete Action may not log all deleted Snapshots
      6.1.12 T4950 Alarm text for failed Snapshot delete references Snapshot create
      6.1.13 T4955 Subsequent Create Snapshot action will delete reference to previously created snapshots if an error occurs during the create
      6.1.14 T5024 Major Events may reappear in the Active Events list after being recovered
    6.2 Security Guard
      6.2.1 T4197 Security Guard Error for Unlicensed Cluster
      6.2.2 T4228 Security Guard Temporary Errors
      6.2.3 T4965 Security Guard User Authentication Fails
    6.3 Manage Services
      6.3.1 T4192 Manage Services status not accurate after ECA Node Down
      6.3.2 T3724 Manage Services state may not be accurate when connection to Isilon Cluster HDFS is down
    6.4 General
      6.4.1 T4230 Blank Ransomware Defender Window
      6.4.2 T4183 Refresh does not work for Ransomware Defender multi-page lists
      6.4.3 T4336 Eyeglass Restore does not restore Security Guard Job History
      6.4.4 T4549 Ransomware Defender Settings Submit button enabled when no changes made


What’s New in Superna Eyeglass Ransomware Defender Edition Release 1.9.6

What’s New in Superna Eyeglass Ransomware Defender Edition Release 1.9.6 can be found here: see the 1.9.6 Enhancements and the Performance Enhancements under Ransomware Defender 1.9.6 Current.



Supported OneFS releases

7.2.x.x

7.2.1.x

8.0.0.x

8.0.1.x

8.1.x.x


Supported Eyeglass releases

Superna Eyeglass Ransomware Defender Version


Superna Eyeglass Version


1.9.6-17219

1.9.6-17219

1.9.4-17166

1.9.4-17166

1.9.3-17152

1.9.3-17152

1.9.2-17114

1.9.2-17114

1.9-17081

1.9.1-17093

1.9-17090



Inter Release Functional Compatibility


|  | OneFS 7.2 | OneFS 8.0 | OneFS 7.2 - OneFS 8.0 | OneFS 8.0 - OneFS 8.1 |
| --- | --- | --- | --- | --- |
| Threat Detection | Yes | Yes | Yes | Untested |
| Security Guard | Yes | Yes | Yes | Untested |





End of Life Notifications


| Description | End of Life Date |
| --- | --- |
| None at this time |  |




Known Issues

Threat Detection


T4151 Action Window Event Action History does not show Unreachable Cluster

In the event that a Cluster is unreachable during a Lockout operation, the Active Event state will correctly show ERROR and the Event Action History will show “Partially Locked out” but does not display the cluster that was unreachable or the shares that could not be locked out.

Workaround: Manually inspect the clusters that were locked out.  For any managed cluster that is missing, review its shares, determine which ones the affected user has access to, and then manually block access.

—————————————————–

T3732 Restored permission may be incorrect for consecutive lockouts

In the event that user share access has been locked and subsequently restored and another lockout occurs before Eyeglass inventory has run, the “restore” permissions associated with shares may be the lockout settings from the previous lockout.

Workaround: Permissions should be restored manually by removing the deny permission for the affected user.  Use the Event Action History to determine the affected shares.

—————————————————–

T4076, T4153  Time skew between browser client and Eyeglass appliance may result in unexpected value in the Active Events “Expires” column  

The “Expires” time on the Ransomware Defender Active Events list related to Warning event Expiry time or Major Event Delayed Lockout Grace Period is calculated based on timestamp on the Eyeglass appliance and time on the browser client.  If there is a time skew between the Eyeglass appliance and the browser client this calculation may result in an unexpected value in the Expires column.  For example: -1.

Workaround: None Required.  This is a display issue only.  The Eyeglass appliance has the correct time at which to take action.

If possible, synchronizing time between the browser client and the Eyeglass appliance will work around this issue.

—————————————————–

T4125 Enabling Monitor Mode does not block lockout for Users with an Active Event

If there is an Active Event at the time Monitor Mode is enabled, and you Restore Access and another Signal is received before the Event can be archived, the User will be locked out again even though Monitor Mode is enabled.

Users without an Active Event are unaffected.  The lockout for a Signal that comes in after the Monitor Mode was enabled is skipped as expected.

Workaround: Add the affected User to the Ignored List to prevent subsequent lockout after Monitor Mode is enabled.

—————————————————–

T4081 Time Zone Mismatch between Ransomware Defender Security Guard Job History and Event History dates

The Ransomware Defender Job History “Run Date” is based on the Eyeglass appliance time zone whereas the Event History “Detected” date is translated to the client browser locale.

Workaround: Translate one of the dates to the time zone of the other date to correlate Security Guard Jobs to events in the Event History.

—————————————————–

T4264 File Browser shows too many files

When browsing the files for a Security Event, the All Files list shows the files touched from 1 hour prior to the event up to the current time of browsing, instead of the files touched from 1 hour prior to the event up to the time the event is archived.

Workaround: Use the Time Stamp in the All Files display to determine which files apply to the Security Event.

—————————————————–

T4337 Modifying Ransomware Defender Settings or Running the lock root command removes lock root settings

Lock root settings applied using the command

igls admin lockroot --lock_root

are lost each time a change is made to Ransomware Settings or the igls admin lockroot command is run.  If lock root was enabled, it becomes disabled.

Workaround: Each time a Ransomware Settings change is made, the lock root setting must be reapplied manually.  Please contact support.superna.net for assistance.

—————————————————–

T4759 Event Action History uses wrong time zone

The Active Events Detected time displays the date/time based on the client browser settings but the Event Action History uses a different timezone.

Workaround: Use the Detected time as the baseline and convert Active Events date time accordingly.

—————————————————–

T4777 Snapshots not created for any Events that are Active when the Snapshot feature is enabled

If there are any Active Events when the Create Snapshot option is enabled, no Snapshots will be created for these already Active Events.

Workaround: Enable the Create Snapshot option when there are no Active Events.  Events raised after the Create Snapshot option was enabled will have associated Snapshots created for affected shares.

—————————————————–

T4819 Empty Event History List

There may be conditions where having other windows open such as the Event Action History may result in the Event History list being displayed with no entries.

Workaround: Close all Ransomware Defender related windows and then re-open the Ransomware Defender -> Event History tab.

—————————————————–

T4945 Snapshot Delete Action may not log all deleted Snapshots

When you execute the Delete Snapshot action from the Ransomware Defender Event History, the list of deleted snapshots may be missing some snapshots even though they were actually deleted.

Workaround: Log in to OneFS directly and verify that all Snapshots that are listed in the Action History as having been created by Eyeglass have been deleted.

—————————————————–

T4950 Alarm text for failed Snapshot delete references Snapshot create

The alarm that is raised when a Snapshot delete fails contains the text “Failed to create snapshots” instead of “Failed to delete snapshots”.

Workaround: Check the Action Log for the event to determine whether a snapshot create or delete has failed.

—————————————————–

T4955 Subsequent Create Snapshot action will delete reference to previously created snapshots if an error occurs during the create

The Create Snapshot action can be executed multiple times for a given event.  If it has been run previously and then run again and the subsequent run has an error on creating any snapshot, the Snapshots list only contains the snapshots from the last run. Previously created snapshots are no longer displayed.

Workaround: Check the Event Action History log for the complete list of created snapshots.

—————————————————–


T5024 Major Events may reappear in the Active Events list after being recovered

An event which crosses the Major threshold and is recovered to Historical Events without being locked out (Stop lockout timer) may appear in the Active Events list again immediately after being recovered (Mark as recovered).

Workaround: Stop the lockout timer and Mark the event as recovered again.  This may have to be repeated several times.  Locking the affected user out followed by Restore User Access and then archiving the event as recovered may also resolve this issue.



Security Guard

T4197 Security Guard Error for Unlicensed Cluster

Security Guard fails when the Isilon Cluster selected for the run is not licensed.

When Eyeglass is managing more clusters than there are Ransomware Defender Agent Licenses, Ransomware Defender dynamically picks priority Isilon Clusters to license (refer to the Eyeglass Ransomware Defender Admin Guide for details on selection of the licensed cluster), so one cannot be sure that the Cluster selected in Security Guard is actually licensed at run time.

Workaround: Deploy the same number of Ransomware Defender Agent Licenses as the number of Isilon Clusters being managed by Eyeglass.

—————————————————–

T4228  Security Guard Temporary Errors

Security Guard may occasionally error with 0 files written.   

Workaround: This condition typically clears itself on the next Security Guard run. It does not affect workflow for a real security event.

If it does not clear, follow these steps to recover:

  1. Archive as Unresolved

  2. Run Security Guard manually to ensure that it is operational again.

—————————————————–

T4965  Security Guard User Authentication Fails

When provisioning the Security Guard Active Directory User and password, Eyeglass checks that the username and password entered can be successfully authenticated.  On initial configuration you may see the message “user could not be authenticated” even though the username and password are correct.

Workaround: Confirm that the username and password are correct; subsequent provisioning is successful.

—————————————————–

Manage Services

T4192 Manage Services status not accurate after ECA Node Down

After an ECA node has been powered off / gone down and subsequently powered back on and rejoined to the ECA cluster it continues to display the Inactive state in the Eyeglass Manage Services window even when it is active again and healthy.

Workaround:  Once the node is back up, remove it from the Manage Services window by selecting the X in the node’s row.  Wait 1 to 2 minutes and the service should be rediscovered with the correct state.

—————————————————–

T3724 Manage Services state may not be accurate when connection to Isilon Cluster HDFS is down

If there is a connectivity issue between the Eyeglass ECA and the Isilon cluster HDFS the Manage Services state is inconsistent and may display state as OK, WARN or ERROR.

Workaround:  None available.  Once the connection is restored, the database service must be brought up again and then the state will correctly show OK.

—————————————————–



General

T4230 Blank Ransomware Defender Window

After archiving an Event the Ransomware Defender window tabs may appear empty.   

Workaround: Close and reopen the Ransomware Defender window.

—————————————————–

T4183  Refresh does not work for Ransomware Defender multi-page lists

In a Ransomware Defender window with multiple pages, Refresh updates only the first page.

Workaround: To update the list go back to the first page of the list.

—————————————————–

T4336  Eyeglass Restore does not restore Security Guard Job History

Security Guard historical log files are not restored when you restore configuration from backup.   

Workaround: None available.

—————————————————–

T4549  Ransomware Defender Settings Submit button enabled when no changes made

When the Ransomware Defender Settings window is opened the Submit button is enabled even though no changes have been made to any settings. If you navigate to another view and come back to Settings, the Submit button is then correctly disabled until a change is made on the page.  

Workaround: None required.

—————————————————–