Manage potential ransomware threats

When threat detection is enabled in a backup job, the agent checks for potential ransomware threats when running the backup job. You can enable ransomware threat detection in:

Windows Image backup jobs. Beginning with Windows Agent 9.40 with the Image Plug-in and Portal 9.40, you can enable threat detection when you create or edit an Image backup job. When this option is enabled, the agent checks for potential ransomware threats when running the backup job. See Add a Windows Image backup job.
Windows Local System backup jobs. Beginning with Windows Agent 9.00 and Portal 8.90, you can enable threat detection when you create or edit a Local System backup job. When this option is enabled, the agent checks for potential ransomware threats when running the backup job. See Add a Windows Local System backup job.
vSphere backup jobs. Beginning with vSphere Recovery Agent (VRA) 9.10 and Portal 9.10, you can enable threat detection when you create or edit a vSphere backup job. When this option is enabled, the VRA checks for potential ransomware threats on Windows VMs when running the backup job. See Add a vSphere backup job.

Note: The agent does not check for potential ransomware threats in a seed backup or the first backup when threat detection is enabled in a job.

If an agent detects a potential ransomware threat, the job or backup is flagged in Portal. Potential threats are flagged:

In the Current Snapshot on the Dashboard. See Monitor backups and computers using the Current Snapshot.
On the Computers and Monitor pages. See View computer and job status information and View, export and email backup statuses on the Monitor page.
In the Daily Status report. See Daily Status Report and Schedule the Daily Status Report.
In email notifications to Admin users and child site email addresses, if email notifications are configured centrally in a Portal instance. See Set up email notifications for potential ransomware threats and Set up email notifications for a child site.
When you restore data or delete specific backups from a Local System backup job. See Restore Windows files and folders and Delete specific backups from vaults.
When you restore data or delete specific backups from an Image backup job. See and Delete specific backups from vaults.
When you restore data or delete specific backups from a vSphere backup job. See Restore vSphere data and Delete specific backups from vaults.

If a Windows server has a potential threat, the server is not scanned for threats again until the potential threat warning is cleared for the job.

If a VM has a potential threat, the VRA does not scan the VM again during backups until the potential threat warning is cleared for the job. If a VM has a potential threat but is missing from the vSphere environment during the next backup, the backup will still have a potential threat flag until an Admin user clears the potential threat warning.

When a potential threat is detected on a Windows server or VM, you can sign in to the server or VM in your environment and investigate whether it is infected with ransomware. An Admin user in Portal can then manage the threat:

If the server or VM is not infected or the ransomware threat has been addressed, an Admin user can clear the potential threat warning from the job.
If the server or VM is infected with ransomware, an Admin user can restore from a backup (also known as safeset) created before the attack. Backups with potential threats are identified in the Restore dialog box so you can choose a backup with no potential threat. After the restore, backups with potential ransomware threats remain in the vault and available for restore. To remove these backups (safesets), delete them from the vault and synchronize the job. See Delete specific backups from vaults and Synchronize a job. An Admin user can then clear the potential threat flag from the job.

For an overview of the recommended process in VMware vSphere environments, see Best practices: Manage ransomware threats on vSphere VMs.

To manage a potential ransomware threat:

When signed in to Portal as an Admin user, click Computers on the navigation bar.

The Computers page shows registered computers.
Find the computer or environment with the potential threat, and expand its view by clicking its row.
Click the Jobs tab.
Find the job with the potential threat, and click Manage Potential Threat in its Select Action menu.

Note: The Manage Potential Threat option does not appear for a job that is restored from another computer. To manage a potential threat for a job, you must find the job on the original computer, if it exists, or re-register a new computer to the vault as the original computer. See Restore data to a replacement computer.
In the Manage Potential Threat box, do one of the following:
- To restore from a backup before the potential ransomware threat was detected, select Recover and then click Continue.
  - If you are restoring from a Windows Local System backup job, a calendar with a list of backups appears in the Restore dialog box. "Potential Threat" appears beside each backup where a potential ransomware threat was detected. Select the backup (also known as safeset) from which you want to restore files, select restore options, and then click Run Restore. See Restore Windows files and folders.
  - If you are restoring from an Image backup job, restore options appear in the Image Restore dialog box. You can restore entire data volumes or individual files and folders. See Restore Windows volumes from an Image backup and Restore files and folders from an Image backup.
  - If you are restoring from a vSphere backup job, restore options appear in the vSphere Restore dialog box. You can restore entire VMs, restore a VM within minutes, or restore files and folders to a VM. See Restore vSphere data.
  Note: After a restore, backups with potential ransomware threats remain in the vault and available for restore. To remove these backups, delete them from the vault and synchronize the job. See Delete specific backups from vaults and Synchronize a job. An Admin user can clear the potential threat flag from the job.
- If you investigated or addressed the potential threat and are sure that the server or VM is not affected by ransomware, select Clear Potential Threat Warning and then click Continue. In the warning dialog box, click Continue to remove the potential threat flag from the job and all of its backups (safesets).
  
  Note: Clearing potential threat warnings will clear all existing threat warnings from the job and its backups (safesets). However, warning information will still be available in the log files.