Ransomware Defender
Ransomware Defender monitors user behavior patterns associated with ransomware activity, particularly on SMB-mounted file systems. It deploys as a three-VM cluster that processes PowerScale and ECS audit data using an active-active architecture for high availability and resilience against hardware or software failures. It also protects object storage on Dell ECS.
Ransomware Defender supports three detection levels — Warning, Major, and Critical — with automated defense responses that increase with each level.
Key Components
- Eyeglass Clustered Agent (ECA) — The clustered agent deployed as a vAPP, responsible for processing audit data.
- Ransomware Defender Application — The full Ransomware Defender stack running in dedicated VMs outside of Eyeglass.
Prerequisites
All workstations and entry points must run current antivirus and antimalware software. Ransomware Defender operates as a second line of defense.
Requirements
Installation
The Eyeglass Clustered Agent (ECA) vAPP must be deployed either on a single host or, for high availability, across multiple hosts. See the Eyeglass Clustered Agent vAPP Install Guide for details.
Licensing
PowerScale or Dell ECS clusters licensed for Eyeglass DR qualify for Ransomware Defender licensing. Each writable cluster requires an agent license and active maintenance, assigned through the License Manager.
Eyeglass issues a system alarm when it detects writable clusters with insufficient licenses.
Cold or disaster recovery (DR) clusters can be monitored without a license.
Additional Requirements
- Eyeglass VM deployed and operational
- Cluster discovery licenses (per node or per cluster)
- Ransomware Defender feature license
- Agent license for each writable cluster
- CPU limits configured for the ECA cluster object in vCenter
- Hardware sized according to the installation guide
Feature Limitations
- SMB shares using variable expansion support only %U for snapshot creation.
- NFS lockout is supported but disabled by default. Use the igls CLI to enable it.
- NFS lockout requires IP-based license lists for correct lockout behavior.
- Object storage protection applies to all buckets.