Using GuardMode Scan
Last updated
Last updated
GuardMode Scan is a powerful feature that allows you to scan mounted filesystems for potential ransomware infections or data encryption. This tool is particularly useful when you want to ensure the integrity of your data before restoring it to production environments.
To begin a GuardMode scan on a mounted filesystem:
In the volume view of your mounted filesystem, click on the GuardMode Scan tab.
Click the Scan with GuardMode button to start the scan.
Now, the table will display detected suspicious files in real-time.
Tip. Always scan mounted snapshots before restoring data to production environments. This best practice helps prevent the introduction of compromised data into your systems.
The scan results table provides comprehensive information about potentially compromised files. It consists of four columns:
Suspicious File: Lists the path and name of files flagged during the scan.
Entropy Result: Indicates the level of randomness in the file's content, which can be a sign of encryption.
Magic Number Result: Shows whether the file's signature matches its expected file type.
Matched Blocklist Pattern: Displays any blocklist patterns that the file matched against.
Tip. Files with high entropy, mismatched magic numbers, or those matching blocklist patterns are more likely to be compromised. Regularly update your GuardMode blocklist to stay protected against the latest threats.
If GuardMode Scan detects suspicious files in a snapshot:
Review the scan results carefully.
Understand that a compromised snapshot can indicate an infected system at the time the snapshot was taken.
Do not restore from this snapshot. Instead, navigate to earlier snapshots and scan them with GuardMode.
Continue this process until you find a clean snapshot without any suspicious files.
Use the earliest clean snapshot for your restoration to ensure you're reverting to a state before the infection occurred.