Enabling Windows shadow copies
SES Evolution‘s anti-ransomware protection mode keeps track of when files are modified and encrypted and blocks the process behind these operations if they are deemed malicious. Some files may nonetheless be encrypted before the process is effectively blocked.
If you enable anti-ransomware protection, you are strongly advised to enable the daily creation of shadow copies via SES Evolution. This feature, based on the Windows VSS service, will allow you to quickly restore the few lost files.
WARNING:
Activating shadow copies cannot replace regular backups. You must have a dedicated parallel backup solution.
Requirements
You must meet the following Windows requirements in order to enable shadow copies in SES Evolution:
- Allow the creation of shadow copies for all NTFS volumes on all workstations protected by an SES Evolution agent.
- Reserve disk space for shadow copies on all local NTFS volumes on workstations protected by an SES Evolution agent.
Use the Windows command vssadmin resize shadowstorage to set the size of this space.
For more information, refer to Microsoft documentation
EXAMPLE
Run the command:
vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=15%
to reserve 15% of the space on the C:\ volume to store shadow copies on the C:\ volume.
Enabling shadow copies
- In an agent group’s Policies tab, go to Daily shadow copies.
- Select the Enable daily shadow copies option.
Every 24 hours, SES Evolution will make a shadow copy of local drives on the workstation running on an NTFS file system. Only the last five copies will be kept.
For more information on anti-ransomware protection and the process of restoring encrypted files, refer to: