Security

NOTE  Ransomware detection is supported on Workplace Server and Workplace Desktop for Windows and Mac 7.4 or later, and malware detection is supported in all versions. We recommend that you use the most recent versions to enjoy the best possible user experience.

About Security Incidents

The Workplace Security Detection & Management feature is designed to contain ransomware and other malware attacks and to keep them from spreading via Workplace.

This feature:

  • Uses a series of complex algorithms to detect ransomware attacks and Symantec Endpoint Protection to detect malware attacks.
  • Automatically quarantines affected devices or files.
  • Stops the syncing process to protect other devices using Workplace.
  • Provides you with a confidence rating for ransomware security incidents.
  • Allows you to manage the incident.
  • Streamlines reversion of all affected files to their state before the attack.
  • Automatically notifies all team administrators and Super Administrators of security incidents by default.
  • Provides you with a mechanism to ignore ransomware incident reports from certain devices, or to place one or more devices on a Security Excluded Devices list to avoid repeated false positive incident reports.

You'll use the Security page described below, as well as the Ransomware Incident Detail and Malware Incident Detail pages, to monitor and manage the entire process from initial incident detection through all applicable recovery steps.

IMPORTANT  If you have a confirmed ransomware incident, we recommend that you revert the affected files, recycle the device via Workplace, completely uninstall Workplace from the device (refer to Install or Uninstall Workplace Desktop), scrub the device of all malware, reinstall Workplace, and restore the files from the service.

The Security Page

On the Security page, you'll be able to configure security monitoring, review security incidents and the devices and files they have affected, and track devices that have been exempted from ransomware monitoring.

The Incident Grid

The Incident grid displays all security incidents detected. It features the following columns:

| Column | Definition |
| --- | --- |
| ID | The system-generated identification code for the specific incident. The first two characters indicate the type of incident. This ID ensures clear communication when discussing incidents. |
| Type | The classification of the incident. The icon helps identify the type at a glance. If Backup appears in parentheses, the incident involves files designated for backup in Workplace. |
| Status | The current state of the alert. Available statuses are: New, Open, Ignored (ransomware only), Completed. |
| Started | The time at which Workplace first detected suspicious activity. |
| Source | For ransomware incidents, the name of the quarantined device. For malware incidents, information about the suspicious file. |
| Resources Affected | For ransomware incidents, the number of devices, files, and projects affected by the incident. For malware incidents, the name of the affected file. |

The Security Excluded Devices Grid

The Security Excluded Devices grid, which applies to ransomware detection only, displays all devices that have been temporarily or permanently removed from security incident monitoring. It features the following columns:

| Column | Definition |
| --- | --- |
| Device | The name and operating system of the excluded device. |
| Owner | The user associated with the excluded device. |
| Excluded | The time at which the device was excluded from security monitoring. |
| Excluded By | The user who excluded the device from security monitoring. |

How to...