Within the past few years, the focus of many security teams has been shifting from pure prevention of cyber-attacks to richer detection and response/recovery capabilities. With the Snapshot-Based Ransomware Recovery tool, domain administrators can access their data on a snapshot within 15-30 minutes and recover them within minutes (for small folders) or hours (for very large folders). The snapshots of the domain's data are taken automatically every four hours and are kept for two weeks.
The Snapshot-Based Ransomware Recovery is available only with the Platform Enterprise plan.
The feature is currently in Limited Availability mode. Platform Enterprise customers can request to turn it on via their Customer Success Manager or via an Egnyte Support ticket.
Mounting a Snapshot
A domain admin can preview (or, in technical jargon, "mount") a snapshot. The admin can specify the name of the "preview," the reason for it (the most common reason is "Ransomware Recovery"), and choose a date and then a particular snapshot from the list:
It will take 15-30 minutes (and usually, less than that) to mount the snapshot - the status will change from "Mounting" to "Active." Also, the system will send emails when the mounting process begins and when the snapshot is ready for preview.
Browsing Files on the Mounted Snapshot
On an "Active" snapshot, one can click on the three dots and then on "Preview" in the context menu:
That will open a Snapshot Preview that looks similar to a regular Web UI preview, but it will have a bar on top as a reminder that it is a snapshot preview, not the regular domain preview:
File Preview or Download
An admin can preview or download files on a snapshot to double-check that these are the file versions that need to be restored:
Restoring folders & files from a snapshot
To restore folders and files from a snapshot, the admin can select specific folders and then select "Restore" in the context menu for the folder (file):
Depending on the ransomware type, the files may be encrypted "in place," meaning that the content of the existing files is encrypted. For that situation, the default option is "Restore files in the same location." The links to the files, comments, folder permissions, etc., are kept intact.
Sometimes, though, the ransomware deletes the existing files (so that the files are in Trash now) and creates new files (with cryptic names) in the folder. In this case, it is better to select the option to move the encrypted files into a different location. That will rename the original folder and restore the files into a folder under the original path.
Currently, the snapshots do not contain links, permissions, custom metadata, workflows, etc., so they will not be restored when the "Move all the encrypted files to a different location" option is selected. Only the files and folders will be restored.
Frequently Asked Questions
Can I create a snapshot at a particular time?
No, currently, all the snapshots are created automatically, approximately every four hours.
Can the snapshots be kept for longer than the 14-day window?
Not right now. The focus of Snapshot-Based Ransomware Recovery is to allow recovering from a ransomware attack. Usually, the encrypted ransomware files are discovered within 1-3 days of the attack. Hence, the 14-day window should be large enough. In the future, product capabilities may allow larger time windows.
Which file version is restored from the snapshot?
The latest version of a file from a snapshot will be added to the existing version of the file in the domain. If the destination file does not exist in the domain, the latest version of the file on the snapshot will be restored.
Are the encrypted versions/files deleted during the restoration process?
No, the restoration job will restore the files (versions). It does not delete the encrypted files/versions. The admin can delete the files that are not needed after the restoration.
Can I have multiple "active" ("mounted") snapshots at the same time?
Only one snapshot can be "active" (or "mounted") at a time. To mount another snapshot, it is necessary to unmount the currently active snapshot.
How long can I keep an active ("mounted") snapshot?
If no restoration jobs are running for an active snapshot, the snapshot will be unmounted after some time (usually, 1-3 days since it was mounted).
How do I know which snapshot to preview ("mount")?
The File Audit Report contains records of users' file activity, so it is possible to identify when a user uploads many files starting from a specific point in time. If that turns out to be ransomware activity, a snapshot created before that specific point in time should be mounted for recovery.
How do I know which files or folders to restore?
The File Audit Report contains records of users' file activity, so it is possible to identify when a user uploads many files starting from a specific point in time. If that turns out to be ransomware activity, then the files and folders impacted by the action should be restored from the snapshot.
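One way to carry out the audit-based triage described in the two answers above, shown as an added example that is not Egnyte's code. The CSV column names, the "Upload" action value, the burst threshold and window, and the snapshot timestamps are all assumptions constructed for illustration; adapt them to the actual audit export.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions, not Egnyte's schema.
AUDIT_CSV = """timestamp,user,action,path
2022-02-01T09:15:00,alice,Upload,/Shared/Finance/q1.xlsx
2022-02-01T13:40:00,bob,Upload,/Shared/HR/policy.docx
2022-02-02T02:05:10,bob,Upload,/Shared/HR/a8f3.locked
2022-02-02T02:05:40,bob,Upload,/Shared/HR/b771.locked
2022-02-02T02:06:05,bob,Upload,/Shared/Finance/c90e.locked
2022-02-02T02:06:30,bob,Upload,/Shared/Finance/d412.locked
2022-02-02T02:07:00,bob,Upload,/Shared/Legal/e55a.locked
2022-02-02T10:00:00,alice,Upload,/Shared/Finance/q2.xlsx
"""

def find_upload_burst(csv_text, threshold=5, window=timedelta(minutes=5)):
    """Return (user, burst_start, folders) for the earliest burst, or None."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] == "Upload":
            ts = datetime.fromisoformat(row["timestamp"])
            per_user[row["user"]].append((ts, row["path"]))
    bursts = []
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hits = [p for t, p in events[i:] if t - start <= window]
            if len(hits) >= threshold:
                # Everything this user uploaded from the burst start on is suspect.
                folders = sorted({p.rsplit("/", 1)[0] for _, p in events[i:]})
                bursts.append((start, user, folders))
                break
    if not bursts:
        return None
    start, user, folders = min(bursts)
    return user, start, folders

def pick_snapshot(snapshot_times, burst_start):
    """Latest snapshot taken strictly before the burst began, or None."""
    earlier = [s for s in snapshot_times if s < burst_start]
    return max(earlier) if earlier else None

# Constructed snapshot list: one every four hours, as the article describes.
SNAPSHOTS = [datetime(2022, 2, 1) + timedelta(hours=4 * i) for i in range(12)]
```

The folder list is a starting point for review on the mounted snapshot, since uploads the same user made after the burst began are included whether or not they were malicious.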
Can I recover data even when they are purged from Trash?
Yes, when the feature is turned on for a domain, it is possible to recover the data deleted from Trash - if they were deleted within the sliding 14-day window for which the snapshots are kept.
When an admin previews or downloads files using the snapshot, is it recorded in the audit?
Yes, there will be records in the File Audit Report:
- "Access": "Web UI - Snapshot Preview"
- "Preview on Snapshot"
- "Download from Snapshot"
When the files are restored by a Restoration Job, is it recorded in the audit?
Yes, there will be records in the File Audit Report:
- "Access": "Restoration Job"
- "Action": "Restore from Snapshot"
When an admin mounts a snapshot, is it recorded in the audit?
Yes, there is a separate Snapshot Recovery Audit Report (released on Jan. 20, 2022), where you can see information about who initiated the mounting of a snapshot, when the snapshot was unmounted, etc.
When an admin starts a Recovery Job, is it recorded in the audit?
Yes, in the Snapshot Recovery Audit Report (released on Jan. 20, 2022) you can see information about who initiated the restoration job.