Non-Ransomware Encryption Detection
The Elastio CLI enables proactive detection of file encryption changes across your machines, adding a robust layer of security against insider threats and malicious non-ransomware encryption. This feature runs in background mode on both Linux and Windows, and can also be invoked directly from the CLI on Linux.
iScan Modes
Dual encryption detection modes:
- Ransomware-and-Entropy-Detection: Combines ransomware detection with non-ransomware encryption detection.
- Full-and-Encryption-Detection: Covers malware, ransomware, and non-ransomware encryption detection.
Comprehensive Reporting
Generates detailed reports highlighting:
- Detected non-ransomware encryption.
- Suspicious file activity.
Example report for an EBS ransomware scan with encryption detection enabled. The list of encrypted files in the report is capped at 100 entries.
{
  "schema": "v1",
  "scan_target": {
    "kind": {
      "kind": "path",
      "path": "/home/ubuntu/test-ed-scan",
      "meta": {
        "asset_source": "elastio:asset:generic-host:s:ip-172-31-40-19",
        "cpu_cores_count": 4,
        "os_name": "Ubuntu"
      },
      "basic_meta": {
        "asset_id": "elastio:asset:file:s:generic-host:s:ip-172-31-40-19:/home/ubuntu/test-ed-scan",
        "timestamp": "2024-06-11T11:04:08.109171300Z"
      }
    },
    "name": "elastio:asset:file:s:generic-host:s:ip-172-31-40-19:/home/ubuntu/test-ed-scan"
  },
  "started": "2024-06-11T11:04:20.691576442Z",
  "finished": "2024-06-11T11:04:21.205944482Z",
  "child_job_id": "j-01j03fgsgf65ctn25b4fr497f2",
  "report_data": {
    "Ransomware": {
      "files": [],
      "files_truncated": 0,
      "summary": {
        "errors": [],
        "deduplicated_errors": [],
        "filesystem_traversal_errors": [],
        "inaccessible_dir_entries": {
          "entries": [],
          "total_inaccessible_entries": 0
        },
        "total": 72,
        "detected_rans": [],
        "iscan_db_downloaded": true
      },
      "entropy_detection_summary": {
        "file_status": [
          { "Suspicious": "/home/ubuntu/test-ed-scan/test-dir-2/file_example_ODS_10.ods" },
          { "Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file-sample_500kB.doc" },
          { "Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file-sample_1MB.odt" },
          { "Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file-example_PDF_1MB.pdf" },
          { "Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file-sample_1MB.rtf" },
          { "Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file_example_XLSX_5000.xlsx" },
          { "Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file_example_XLS_10.xls" },
          { "Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file-sample_500kB.docx" }
        ]
      },
      "billing_stats": {
        "files_scanned_size": 25206980,
        "files_in_resource": 74,
        "files_in_resource_size": 25207494
      }
    }
  }
}
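As an added example (not Elastio's own code), the following Python reads a report in the schema shown above and groups the entropy findings by status alongside the other signals worth triaging: ransomware hits, truncated file lists, and unreadable directory entries. The embedded sample is a constructed, trimmed copy of the report above.

```python
import json
from collections import defaultdict

# Constructed sample following the report schema above (trimmed to three file_status entries).
SAMPLE_REPORT = json.dumps({
    "schema": "v1",
    "report_data": {
        "Ransomware": {
            "files_truncated": 0,
            "summary": {
                "filesystem_traversal_errors": [],
                "inaccessible_dir_entries": {"entries": [], "total_inaccessible_entries": 0},
                "detected_rans": [],
                "iscan_db_downloaded": True,
            },
            "entropy_detection_summary": {
                "file_status": [
                    {"Suspicious": "/home/ubuntu/test-ed-scan/test-dir-2/file_example_ODS_10.ods"},
                    {"Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file-sample_500kB.doc"},
                    {"Encrypted": "/home/ubuntu/test-ed-scan/test-dir-2/file-sample_1MB.odt"},
                ]
            },
        }
    },
})


def summarize_report(report_json: str) -> dict:
    """Group entropy findings by status and pull out the signals a responder triages first."""
    rans = json.loads(report_json)["report_data"]["Ransomware"]
    by_status = defaultdict(list)
    for entry in rans.get("entropy_detection_summary", {}).get("file_status", []):
        # Each entry is a one-key object of the form {"<Status>": "<path>"}.
        [(status, path)] = entry.items()
        by_status[status].append(path)
    summary = rans.get("summary", {})
    return {
        "encrypted": sorted(by_status.get("Encrypted", [])),
        "suspicious": sorted(by_status.get("Suspicious", [])),
        "ransomware_detected": list(summary.get("detected_rans", [])),
        # A truncated list means more files were flagged than the report shows (cap is 100).
        "list_truncated": rans.get("files_truncated", 0) > 0,
        "unreadable_entries": summary.get("inaccessible_dir_entries", {}).get("total_inaccessible_entries", 0),
        "traversal_errors": len(summary.get("filesystem_traversal_errors", [])),
        "signatures_current": bool(summary.get("iscan_db_downloaded", False)),
    }


def needs_attention(findings: dict) -> bool:
    return bool(findings["encrypted"] or findings["suspicious"] or findings["ransomware_detected"]
                or findings["unreadable_entries"] or findings["traversal_errors"] or findings["list_truncated"])
```

Unreadable entries and traversal errors are reported as well, since a scan that could not read part of the target cannot vouch for the files it skipped.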
Using iScan
To use iScan, specify the detection mode with the appropriate switch in the elastio iscan command.
Example Command
The following command scans an AWS EC2 instance for ransomware activity and encryption changes in background mode:
sudo -E elastio iscan --ec2-instance-id <aws-ec2-instance-id> --vault <vault-name> --monitor --background ransomware-and-encryption-detection
Command Breakdown:
- --ec2-instance-id <aws-ec2-instance-id>: Specifies the EC2 instance to scan.
- --vault <vault-name>: Identifies the Elastio vault for storing results.
- --monitor --background: Enables continuous monitoring in the background.
- ransomware-and-encryption-detection: Activates dual ransomware detection and non-ransomware encryption detection.
By leveraging iScan, you enhance your defense against insider threats and malicious encryption activities, ensuring a more secure environment.