Within the past few years, the focus of many security teams has been shifting from pure prevention of cyber-attacks to richer detection and response/recovery capabilities. With the Snapshot-Based Ransomware Recovery tool, domain administrators can access their data on a snapshot within 15-30 minutes and recover them within minutes (for small folders) or hours (for very large folders). The snapshots of the domain's data are taken according to the following schedule:
- 0-7 days, every 4 hours (6 snapshots per day)
- 8-15 days, every 12 hours (2 snapshots per day)
- 16-30 days, every 24 hours (1 snapshot per day)
The Snapshot-Based Ransomware Recovery is included with the Platform Enterprise plan and GxP with Governance Plan. The feature is also available as an add-on for Platform Business and Enterprise Lite plans. Contact your account manager or Egnyte Sales team to learn more on how to get access to this feature.
Mounting a Snapshot
A domain admin can mount a snapshot by selecting one of the available snapshots and then clicking on Mount snapshot.
On the next pop-up, the admin can specify the name of the preview and the reason for it (the most common cause is Recovery from Ransomware attack) and then click the Mount button.
Although rare, sometimes links and permissions may not be available in the snapshot to restore. If users plan to move existing files to a different location before restoring content from the snapshot, they can mount it but may lose links and permissions. This constraint doesn't apply if restoring content to the same location. However, it's recommended not to mount such a snapshot.
It will take 15-30 minutes (and usually less than that) to mount the snapshot - the status will change from Mounting to Mounted. Also, the system will send emails when the mounting process begins and the snapshot is ready for preview.
Remounting a Snapshot
The user will also have an option to remount an already unmounted snapshot provided no other snapshot is already mounted or being mounted. From the history table, the user can click on the three dots and then the Remount option from the context menu.
Browsing Files on the Mounted Snapshot
One can click on the Preview button from the currently mounted snapshot tile.
That will open a Snapshot Preview that looks similar to a regular Web UI preview, but it will have a blue border around it as a reminder that it is a snapshot preview, not the regular domain preview:
File Preview or Download
An admin can preview or download files on a snapshot to double-check that these are the file versions that are needed to be restored:
Restoring Folders and Files From a Snapshot
To restore folders and files from a snapshot, the admin can select specific folders and then select Restore in the context menu for the folder (file):
- The user can now restore up to 10 folders in a single restore job. However, there is no limit on the number of files being selected for restoration.
- The user can also have up to 3 concurrent restoration jobs in progress.
Based on the reason selected at the time of mounting the snapshot, the mechanics of restoration will be slightly different.
When restoring the content from the snapshot that was mounted with the reason Recovery from Accidental deletion, the latest version of the deleted file will be restored along with the associated links and permissions. The user will be informed accordingly, as shown below before they choose to restore the content.
When restoring the content from the snapshot that was mounted with the reason Recovery from Ransomware attack or Other, the user will have two options as shown below.
In case of a ransomware attack, depending on the ransomware type, the admin might have experienced a situation when the existing files are encrypted by ransomware. For that situation, the default and recommended option is to "Restore files to the same location." The links to the files, comments, folder permissions, etc., are kept intact with this option.
There might be a situation when ransomware deletes the existing files (so that the files are in Trash now) and creates new files (with cryptic names) in the folder. In this case, it is better to select the option to move all the existing files to a different location before restoring them. That will rename the original folder and restore the files into a folder under the original path.
Currently, the snapshots do not contain comments, custom metadata, workflows, etc. They will not be restored when the "Move all the existing files to a different location before restoring them to the same location" option is selected. The files, folders, links, and permissions will be restored.
Once the restoration begins, the user will be presented with the confirmation as shown below.
Users can track the restoration jobs as shown below.
Users can also get more details about a specific restoration job by clicking on the restoration job as shown below.
Sometimes, when restoring files with the option Restore files to the same location, the number of files after restoration exceeds the limit of 50k files per folder; in that case, the restoration job may fail or complete with errors. When this happens, the user can select the other option, Move all the existing files to a different location before restoring them to the same location.
Note that you may not see the option Move all the existing files to a different location before restoring them to the same location if you mounted the snapshot with the reason "Recovery from Accidental deletion." In this case, you will need to unmount the snapshot and then mount it again for a different reason.
Limitations
File versions that are directly deleted through the Version Pruning Policy cannot be restored using the Advanced Snapshot & Recovery feature.
- This limitation applies only to file versions deleted before the feature is enabled. Once the feature is activated, file versions will be retained and are not subject to deletion via the Version Pruning Policy.
Frequently Asked Questions
Can I create a snapshot at a particular time?
No, currently, all the snapshots are created automatically according to the following schedule:
- 0-7 days, every 4 hours (6 snapshots per day)
- 8-15 days, every 12 hours (2 snapshots per day)
- 16-30 days, every 24 hours (1 snapshot per day)
Can the snapshots be kept for longer than the 30-day window?
Not right now. The focus of Snapshot-based Ransomware Recovery is to allow recovery from a ransomware attack. Usually, the encrypted ransomware files are discovered within 1-3 days of the attack. Hence, the 30-day window should be large enough. In the future, product capabilities may allow larger time windows.
Is there a limit to the number of files/folders that can be restored?
Yes, there is currently a limit of up to 10 folders per restoration job. Please note that if the user is selecting files to be restored, there is no such limit on the number of files that can be selected. If the user needs to restore more than 10 folders, they should split the task into multiple restoration jobs. This limit is in place to ensure a smooth and fail-safe restoration process.
Sometimes, when restoring files with the option Restore files to the same location, the number of files after restoration exceeds the limit of 50k files per folder; in that case, the restoration job may fail or complete with errors.
Is there a limit to the number of restoration jobs that can be processed at the same time?
Yes, there is currently a limit of up to 3 restoration jobs being processed simultaneously. If the user has already created 3 restoration jobs and all of them are being processed, they need to wait until at least one job is completed before creating any new restoration job.
Which file version is restored from the snapshot?
The latest version of a file from a snapshot will be added to the existing version of the file in the domain. If the destination file does not exist in the domain, the latest version of the file on the snapshot will be restored.
Are the encrypted versions/files deleted during the restoration process?
No, the restoration job will restore the files (versions). It does not delete the encrypted files/versions. The admin can delete the files that are not needed after the restoration.
Can I have multiple mounted snapshots at the same time?
Only one snapshot can be mounted at a time. To mount another snapshot, the currently mounted snapshot must be unmounted first.
How long can I keep the snapshot mounted?
If no restoration jobs are running for a mounted snapshot, the snapshot will be unmounted after some time (usually, 1-3 days since it was mounted).
How do I know which snapshot to mount?
The file Audit Report contains records of the file activity of users, so it is possible to identify when a user uploads many files starting from a specific point in time. If it happens to be the ransomware activity, a snapshot created before that specific point in time should be mounted for recovery.
How do I know which files or folders to restore?
The file Audit Report contains records of the file activity of users, so it is possible to identify when a user uploads many files starting from a specific point in time. If it happens to be the ransomware activity, then files and folders impacted by the action should be restored from the snapshot.
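The triage described in the two answers above (which snapshot to mount, and which folders to restore) can be scripted against an exported audit report. The following is an added example, not Egnyte code: the CSV column names, the "Upload" action label, the burst threshold and the snapshot times are all assumptions made for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names and the "Upload" label are assumptions.
AUDIT_CSV = """timestamp,user,action,path
2024-05-01T09:12:00,alice,Upload,/Shared/Finance/q1.xlsx
2024-05-02T09:55:00,bob,Download,/Shared/HR/policy.pdf
2024-05-02T10:03:00,bob,Upload,/Shared/Finance/a8f3.locked
2024-05-02T10:03:30,bob,Upload,/Shared/Finance/b71c.locked
2024-05-02T10:04:00,bob,Upload,/Shared/Finance/c09e.locked
2024-05-02T10:05:00,bob,Upload,/Shared/HR/d442.locked
2024-05-02T10:06:00,bob,Upload,/Shared/HR/e5aa.locked
2024-05-02T10:07:00,bob,Upload,/Shared/HR/f6b1.locked
"""
# Constructed snapshot times on the 4-hour cadence of the 0-7 day tier.
SNAPSHOTS = [datetime(2024, 5, 2, h) for h in (0, 4, 8, 12, 16)]

def find_burst(rows, window=timedelta(minutes=10), threshold=5):
    """Return (start, user, folders) for the earliest upload burst, else None."""
    by_user = defaultdict(list)
    for r in rows:
        if r["action"] == "Upload":
            by_user[r["user"]].append((datetime.fromisoformat(r["timestamp"]), r["path"]))
    bursts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            if sum(t - start <= window for t, _ in events[i:]) >= threshold:
                # Everything this user uploaded from the burst start on is suspect.
                folders = sorted({p.rsplit("/", 1)[0] for _, p in events[i:]})
                bursts.append((start, user, folders))
                break
    return min(bursts) if bursts else None

def snapshot_to_mount(snapshots, burst_start):
    """Latest snapshot taken strictly before the burst began, else None."""
    earlier = [s for s in snapshots if s < burst_start]
    return max(earlier) if earlier else None

def triage(csv_text=AUDIT_CSV, snapshots=SNAPSHOTS):
    """Combine both steps: locate the burst, pick the snapshot, list folders."""
    found = find_burst(list(csv.DictReader(io.StringIO(csv_text))))
    if found is None:
        return None
    start, user, folders = found
    return {"user": user, "burst_start": start,
            "mount": snapshot_to_mount(snapshots, start), "folders": folders}
```

A `None` value for `mount` means no retained snapshot predates the burst, which is the case to check before starting a restoration job.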
Can I recover data even when they are purged from the Trash?
Yes, when the feature is turned on for a domain, it is possible to recover the data deleted from Trash - if they were deleted within the sliding 30-day window for which the snapshots are kept.
When the admin previews or downloads files using the snapshot, is it recorded in the audit?
Yes, there will be records in the File Audit Report:
- "Access": "Web UI - Snapshot Preview"
  - This tells the user that these audit entries result from snapshot preview action from the Web UI.
- "Action":
  - "Preview on Snapshot": This tells the user that the file was previewed from the snapshot.
  - "Download from Snapshot": This tells the user that the file was downloaded from the snapshot.
When the files are restored by a Restoration Job, is it recorded in the audit?
Yes, there will be records in the File Audit Report:
- "Access": "Restoration Job"
  - This tells the user that these audit entries result from initiating a restoration process from the Web UI.
- "Action": "Restore from Snapshot" OR "Restore from Snapshot – Download Link" OR "Restore from Snapshot – Upload Link"
  - Restore from Snapshot: This tells the user that the file was restored from the snapshot.
  - Restore from Snapshot - Download Link: This tells the user that the download link for the file was restored from the snapshot.
  - Restore from Snapshot - Upload Link: This tells the user that the upload link for the folder was restored from the snapshot.
When the admin mounts a snapshot, is it recorded in the audit?
Yes, there is a separate Snapshot Recovery Audit Report, where users see information about who initiated the mounting of a snapshot and when the snapshot was unmounted.
When the admin starts a Recovery Job, is it recorded in the audit?
Yes, in the Snapshot Recovery Audit Report, users see information about who initiated the restoration job.
Learn more about Snapshot Based Ransomware Recovery by watching a Quick Tip on Egnyte University: Snapshot-Based Ransomware Recovery.