Using GuardMode Scan
GuardMode Scan is a powerful feature that allows you to scan mounted filesystems for potential ransomware infections or data encryption. This tool is particularly useful when you want to ensure the integrity of your data before restoring it to production environments.
To begin a GuardMode scan on a mounted filesystem:
In the volume view of your mounted filesystem, click on the GuardMode Scan tab.
Click the Scan with GuardMode button to start the scan.
The table then displays detected suspicious files in real time.
The scan results table provides comprehensive information about potentially compromised files. It consists of four columns:
Suspicious File: Lists the path and name of files flagged during the scan.
Entropy Result: Indicates the level of randomness in the file's content, which can be a sign of encryption.
Magic Number Result: Shows whether the file's signature matches its expected file type.
Matched Blocklist Pattern: Displays any blocklist patterns that the file matched against.
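The three checks behind the Entropy Result, Magic Number Result and Matched Blocklist Pattern columns can be sketched as follows. This is an added example, not GuardMode's own code: the entropy threshold, signature table and blocklist patterns are assumed values, and the sample files are constructed.

```python
import fnmatch, math, os
from collections import Counter

# Assumed values for illustration; GuardMode's real thresholds and lists are not given on the page.
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is the maximum
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04"}
BLOCKLIST = ["*.locked", "*.encrypted", "*readme_decrypt*"]  # constructed patterns

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def magic_matches(name: str, data: bytes):
    """True/False when the extension has a known signature, None when it is unknown."""
    sig = MAGIC.get(os.path.splitext(name)[1].lower())
    return None if sig is None else data.startswith(sig)

def blocklist_match(name: str):
    """First blocklist pattern matching the file name, or None."""
    base = os.path.basename(name).lower()
    return next((p for p in BLOCKLIST if fnmatch.fnmatch(base, p)), None)

def scan(name: str, data: bytes):
    """Return a result row if any check flags the file, else None."""
    entropy = shannon_entropy(data)
    magic = magic_matches(name, data)
    pattern = blocklist_match(name)
    if entropy >= ENTROPY_THRESHOLD or magic is False or pattern:
        return {"file": name, "entropy": round(entropy, 2), "magic_ok": magic, "pattern": pattern}
    return None

# Constructed sample inputs: a plausible PDF, a PDF whose content was replaced by
# uniformly distributed bytes, and a file renamed with a blocklisted extension.
SAMPLES = {
    "docs/report.pdf": b"%PDF-1.7\n" + b"Quarterly figures and notes. " * 200,
    "docs/invoice.pdf": bytes(range(256)) * 64,
    "docs/notes.txt.locked": b"plain text that was only renamed\n" * 50,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", scan(name, data) or "clean")
```

Legitimately compressed formats also score close to 8 bits per byte, so a high entropy value is most meaningful when read together with the magic number and blocklist results.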
If GuardMode Scan detects suspicious files in a snapshot:
Review the scan results carefully.
Understand that a compromised snapshot can indicate an infected system at the time the snapshot was taken.
Do not restore from this snapshot. Instead, navigate to earlier snapshots and scan them with GuardMode.
Continue this process until you find a clean snapshot without any suspicious files.
Use the earliest clean snapshot for your restoration to ensure you're reverting to a state before the infection occurred.