This article documents the CentreStack Antivirus/Ransomware (AVR) policies and offers recommended settings based on best practices.
There are a number of AVR policies that may be set either in the Default Group Policy or in the per-tenant Group Policy. This screenshot shows the AVR policies that are available in the Default Group Policy:
For self-hosted CentreStack, in most cases it is recommended to alter the Default Group Policy > Retention Policy such that all tenants are affected. However, there may be some situations where a tenant has specific requirements, in which case the individual per-tenant Group Policy setting(s) may be set, overriding the Default Tenant Policy. See this article to understand the interaction of inheritance and override with Group Policy: Group Policy Inheritance and Override Behavior
Each AVR policy is described below with a recommended setting and the justification for that recommendation.
- Only allow the following processes to update files (empty: allow all, separate using semicolon (;), i.e. winword.exe;excel.exe): <empty>
This should typically be left empty, allowing any executable to update files in the Cloud Drive. If you wish to allow only certain executables to update files in the Cloud Drive, define that list here.
- The following executables will not be allowed to open files directly from the cloud drive (i.e. qbw32.exe;excel.exe): cmd.exe;cscript.exe;wscript.exe;powershell.exe;python.exe
This should be set to include: cmd.exe;cscript.exe;wscript.exe;powershell.exe;python.exe
Executables in this list will be prevented from accessing files in the Cloud Drive. Because some malware spreads via scripts, including the most popular scripting engines can go a long way toward preventing malware from spreading.
- Disable a device if the device changes more than n files in 10 minutes: <some value after testing>
This setting should probably read: Disable a device if the device changes more than n files within a 10 minute window
The way this works is that the server code maintains a counter over a 10 minute window that counts the file changes made by each client. After the 10 minute window, the counter for each client is reset to zero. If within that 10 minute window a client exceeds the file change count defined in this setting, then that client will be disabled. It is important to note that a client could be disabled in less than 10 minutes if this value is exceeded within the 10 minute window. For example, suppose this value was set to 100 and a client changed 101 files in less than a minute within the 10 minute window; the client would then be disabled in less than a minute, not in 10 minutes or at the end of the 10 minute window, but as soon as this value is exceeded. However, if this setting was 100 and a client changed 100 files in less than a minute and no additional files were changed in the next 9 minutes, then the client would not be disabled.
It is difficult to recommend a specific number for this setting. This setting is extremely useful to prevent malware (especially ransomware) from spreading, but setting this number too low risks disabling legitimate access from a device. It is recommended that this value be set low enough to stop ransomware, but clients must be tested and monitored to ensure that the number selected is not so low that it blocks legitimate access.
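The counter behaviour described above can be made concrete with a small model. The following is an added example written for this article, not CentreStack's own server code; it assumes a fixed 10 minute window per device that starts at the device's first change and resets when it expires, and it also models the "Ignore the following processes" exclusion list described further below. The device name T2BRWP1001 is taken from the sample notification in this article; the process names and timings are constructed.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 10 * 60  # the 10 minute window the policy text describes


@dataclass
class FastUpdateMonitor:
    """Model of the per-device file-change counter behind
    'Disable a device if the device changes more than n files in 10 minutes'.
    Assumption (constructed model, not CentreStack's code): one fixed window per
    device, started by its first change and reset once WINDOW_SECONDS have passed."""
    threshold: int
    ignored_processes: frozenset = frozenset()   # 'Ignore the following processes' list
    disabled: set = field(default_factory=set)
    _window_start: dict = field(default_factory=dict)
    _counts: dict = field(default_factory=dict)

    def record_change(self, device: str, process: str, t: float) -> bool:
        """Record one file change by `process` on `device` at time t (seconds).
        Returns True if the device is (now) disabled."""
        if device in self.disabled:
            return True
        if process.lower() in self.ignored_processes:
            return False          # excluded processes never count toward the limit
        start = self._window_start.get(device)
        if start is None or t - start >= WINDOW_SECONDS:
            self._window_start[device] = t   # open a fresh window, counter back to zero
            self._counts[device] = 0
        self._counts[device] += 1
        if self._counts[device] > self.threshold:   # strictly more than n disables
            self.disabled.add(device)
            return True
        return False


def scenario_burst(threshold: int = 100):
    """101 changes in about 50 seconds: returns the time at which the device was
    disabled (well before the window ends), or None if it never was."""
    m = FastUpdateMonitor(threshold)
    for i in range(101):
        t = i * 0.5
        if m.record_change("T2BRWP1001", "unknown.exe", t):
            return t
    return None


def scenario_exactly_n_then_quiet(threshold: int = 100, t_next: float = 600.0) -> bool:
    """Exactly n changes in the first minute, then one more change at t_next.
    Returns whether the device ends up disabled: True if t_next still falls inside
    the window, False if the window has expired and the counter was reset."""
    m = FastUpdateMonitor(threshold)
    for i in range(threshold):
        m.record_change("DEV-B", "unknown.exe", i * 0.5)
    return m.record_change("DEV-B", "unknown.exe", t_next)


def scenario_ignored_process(threshold: int = 100) -> bool:
    """An excluded process (e.g. Office autosave) making many changes is never disabled."""
    m = FastUpdateMonitor(threshold, ignored_processes=frozenset({"winword.exe"}))
    for i in range(threshold * 3):
        m.record_change("DEV-C", "WINWORD.EXE", i * 0.1)
    return "DEV-C" in m.disabled


if __name__ == "__main__":
    print("burst disabled at t =", scenario_burst())
    print("n changes, next at 599s -> disabled:", scenario_exactly_n_then_quiet(t_next=599.0))
    print("n changes, next at 600s -> disabled:", scenario_exactly_n_then_quiet(t_next=600.0))
    print("ignored process disabled:", scenario_ignored_process())
```

Running the scenarios shows the two points the text makes: the burst device is cut off at the 101st change (about 50 seconds in, not at the end of the window), while a device that makes exactly n changes is left alone, and once the window has reset the count starts again from zero. When tuning the threshold, a log of per-device change counts per window from a test group gives a realistic baseline before the policy is enforced.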
When the client is disabled by this policy the CentreStack Windows Client is logged out and this message is displayed if the user attempts to sign in:
The tenant admin will receive email notification if the Notify me when a user account is locked out option is enabled:
When the email is sent for this event it will contain text similar to this:
firstname.lastname@example.org (email@example.com) device_force_signout,2 Hours ago,Device is disabled due to fast update protection:T2BRWP1001
firstname.lastname@example.org (email@example.com) device_disabled,2 Hours ago,Device is disabled due to fast update protection:T2BRWP1001
User One (firstname.lastname@example.org) Client_Login_Success,2 Hours ago,email@example.com,184.108.40.206,
When a client is disabled it will be displayed in the tenant's Control Panel > Device Manager. Set the Status=Rejected then click the SEARCH button:
To re-enable the client, click the Allowed check box above.
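For tenants that forward these notifications into a ticketing or SIEM pipeline, the event lines above can be parsed to pull out which device was locked and why. The following is an added example, not part of the article or of CentreStack; the line format (user, e-mail in parentheses, event name, relative time, detail) is inferred from the three sample lines above, which are reused here as constructed input, and the regular expression is an assumption about that format rather than a documented schema.

```python
import re

# Constructed input: the three sample notification lines quoted in this article.
SAMPLE_EVENTS = [
    "firstname.lastname@example.org (email@example.com) device_force_signout,2 Hours ago,"
    "Device is disabled due to fast update protection:T2BRWP1001",
    "firstname.lastname@example.org (email@example.com) device_disabled,2 Hours ago,"
    "Device is disabled due to fast update protection:T2BRWP1001",
    "User One (firstname.lastname@example.org) Client_Login_Success,2 Hours ago,"
    "email@example.com,184.108.40.206,",
]

# Assumed layout: "<user> (<email>) <event>,<when>,<detail...>"
LINE_RE = re.compile(
    r"^(?P<user>.+?) \((?P<email>[^)]+)\) (?P<event>[A-Za-z_]+),(?P<when>[^,]*),(?P<detail>.*)$"
)
DEVICE_RE = re.compile(r"fast update protection:(?P<device>\S+)")

# Event names that indicate the fast-update lockout fired (from the sample lines).
LOCKOUT_EVENTS = {"device_disabled", "device_force_signout"}


def parse_event(line: str):
    """Split one notification line into its fields; returns None if it does not match.
    Adds a 'device' field when the detail names a device locked by fast update protection."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    dm = DEVICE_RE.search(fields["detail"])
    fields["device"] = dm.group("device") if dm else None
    return fields


def locked_devices(lines):
    """Return {device_id: [event, ...]} for every device the notification says was
    disabled by fast update protection. Unrelated events (logins) are skipped."""
    found = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["device"] is None or ev["event"] not in LOCKOUT_EVENTS:
            continue
        found.setdefault(ev["device"], []).append(ev["event"])
    return found


if __name__ == "__main__":
    for device, events in locked_devices(SAMPLE_EVENTS).items():
        print(f"{device}: {', '.join(events)} -> review in Device Manager (Status=Rejected)")
```

The output names T2BRWP1001 with both lockout events, which is the device an administrator would look for under Device Manager with Status=Rejected before deciding whether to re-enable it. A lockout that was not expected from the tuning work described above is the signal to inspect that endpoint before clicking Allowed.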
- Ignore the following processes when applying the above policy (i.e. qbw32.exe; excel.exe): <empty>
It is also difficult to make a recommendation for this setting, but this list could include executables that normally change files frequently. This should only be set for apps after testing. For example, the Microsoft Office apps have the ability to autosave on a regular basis. It is unlikely that these apps could trigger the Disable a device if the device changes more than n files in 10 minutes policy, but testing could show that it is necessary to exclude some executables that frequently change files.
- Disable uploading of files whose names contain the following text patterns: <empty>
- Disable uploading of files whose names start with the following strings: <empty>
- Disable uploading of files whose names end with the following strings: <empty>
The last three settings can be useful to prevent further spread of ransomware because ransomware often renames files with a fixed pattern (in order for the ransomware to later decrypt affected files). If the pattern is known, then one or more of these settings can be used to prevent affected files from being uploaded to the Cloud Drive.
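As an added example (not CentreStack's code, and not taken from this article), the function below evaluates a file name against the three upload rules the way an administrator would reason about them when choosing values: each setting is a semicolon-separated list as the UI describes for the process lists, and the function reports which rule and pattern blocked the upload. The pattern values and file names are constructed placeholders; case-insensitive matching is an assumption made here, not a documented behaviour.

```python
def parse_list(setting: str) -> list:
    """Split a semicolon-separated policy value ('a;b;c') into lower-cased entries,
    trimming whitespace and dropping empty items (an empty setting means no rule)."""
    return [item.strip().lower() for item in setting.split(";") if item.strip()]


def upload_blocked(name: str, contains: str = "", starts_with: str = "", ends_with: str = ""):
    """Return (rule, pattern) for the first upload rule that matches `name`,
    or None if the name passes all three settings.
    Assumption: matching is case-insensitive on the bare file name."""
    lowered = name.lower()
    for pattern in parse_list(contains):
        if pattern in lowered:
            return ("contains", pattern)
    for pattern in parse_list(starts_with):
        if lowered.startswith(pattern):
            return ("starts_with", pattern)
    for pattern in parse_list(ends_with):
        if lowered.endswith(pattern):
            return ("ends_with", pattern)
    return None


def triage(names, **rules):
    """Apply the rules to a batch of file names; returns {name: block reason or None}."""
    return {n: upload_blocked(n, **rules) for n in names}


if __name__ == "__main__":
    # Constructed placeholder values; replace with the pattern observed during an incident.
    RULES = dict(contains="", starts_with="how_to_recover", ends_with=".locked;.encrypted")
    SAMPLE_NAMES = [
        "Q3 report.docx",
        "Q3 report.docx.LOCKED",
        "budget.xlsx.encrypted",
        "HOW_TO_RECOVER_FILES.txt",
    ]
    for name, reason in triage(SAMPLE_NAMES, **RULES).items():
        print(f"{name:32s} -> {'allowed' if reason is None else reason}")
```

The ends-with rule is the one most often useful in practice, since the renamed extension is the part of the pattern that stays constant across a whole set of affected files; the starts-with rule is a natural fit for the note files that are dropped alongside them. Because the lists are trimmed and lower-cased, a value such as ".LOCKED; .encrypted" behaves the same as ".locked;.encrypted".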