Channel: Symantec Connect - Products - Discussions

How to configure SEP to alert on the vssadmin tool being used to remove the volume shadow copies from the system

I need a solution

Hi,

Most of the ransomware variants will go out of their way to try and remove the backup.

On Windows systems, we can see the vssadmin tool being used to remove the volume shadow copies from the system.

For instance, CryptoLocker and Locky will execute a command to delete all of the volume shadow copies from the system. 

I'm pretty sure that there are event log entries that are created when this happens, so triggerable events can be detected by a host-based product or maybe SEP can detect this behaviour.

So I wonder how to configure it in the SEP client, and if it is possible to send an email alert once this event is triggered on the server?

Thanks in advance.
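
The detection idea raised in the post, as an added example that is not part of the original post and is not Symantec's code: it scans process-creation events for `vssadmin delete shadows` and builds one alert record per hit that could feed an email notification. It assumes the events come from Windows Security log event ID 4688 with command-line auditing enabled and have been exported as dictionaries; the function names, the severity rule and the sample events are constructed for illustration.

```python
import re

# vssadmin image name: bare, with .exe, or with a full path (input is lowercased first).
VSSADMIN = re.compile(r"(?:^|[\\/])vssadmin(?:\.exe)?$")

def words(command_line):
    """Lowercase, drop double quotes, split on whitespace."""
    return command_line.replace('"', " ").lower().split()

def is_shadow_delete(command_line):
    """True when the command line runs `vssadmin delete shadows ...`."""
    w = words(command_line)
    return any(VSSADMIN.search(t) and w[i + 1:i + 3] == ["delete", "shadows"]
               for i, t in enumerate(w))

def find_alerts(events):
    """One alert per process-creation event (ID 4688) that deletes shadow copies."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") != 4688 or not is_shadow_delete(cmd):
            continue
        # Assumed policy: /all (every copy removed) is rated above a partial delete.
        severity = "high" if "/all" in words(cmd) else "medium"
        alerts.append({"host": ev["Computer"], "user": ev["SubjectUserName"],
                       "time": ev["TimeCreated"], "severity": severity, "command": cmd})
    return alerts

def event(host, user, time, cmd, event_id=4688):
    """Build a constructed event using the 4688 field names."""
    return {"EventID": event_id, "Computer": host, "SubjectUserName": user,
            "TimeCreated": time, "CommandLine": cmd}

# Constructed sample events, not taken from a real system.
SAMPLE_EVENTS = [
    event("WS-014", "jdoe", "2016-03-02T09:14:07Z", "vssadmin.exe Delete Shadows /All /Quiet"),
    event("SRV-BK1", "backupsvc", "2016-03-02T09:20:00Z", "vssadmin list shadows"),
    event("WS-022", "asmith", "2016-03-02T10:01:33Z",
          r'"C:\Windows\System32\vssadmin.exe" delete shadows /for=C: /oldest'),
    event("WS-031", "mlee", "2016-03-02T10:05:12Z",
          'cmd.exe /c "vssadmin delete shadows /all /quiet"'),
    event("WS-040", "kchan", "2016-03-02T10:07:45Z", "notepad.exe vssadmin-notes.txt"),
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['host']} {a['user']}: {a['command']}")
```

The routine `vssadmin list shadows` call and the file that merely has "vssadmin" in its name produce no alert, which keeps an email rule built on this from firing on ordinary administration.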
