Administrators and Super Administrators

Workplace Online > Team > Security

Workplace Ransomware Detection & Management is supported on Workplace Server and Workplace Desktop for Windows and Mac versions 7.4 or later.

About Security Monitoring

A ransomware attack that encrypts your files and leaves you without access to them can pose an enormous threat to your business. And the sooner a ransomware attack is detected, the more effective damage mitigation will be.

Workplace"Workplace" describes the Autotask Workplace service in its entirety.'s Ransomware Detection and Management feature:

  • Uses a series of complex algorithms to detect ransomware attacks
  • Automatically quarantines affected devices.
  • Stops the syncing process to protect other devices using Workplace
  • Provides you with a confidence rating for the security incident
  • Allows you to either confirm or dismiss the incident
  • Gives you the tools to revert all affected files to their state before the attack
  • Automatically notifies all team administrators and Super Administrators of security incidents
  • Provides you with a mechanism to ignore an incident report from certain devices, or to place one or more devices on a Security Excluded Devices list to avoid repeated false positive incident reports,

You'll use both the Security page, described below, and the Ransomware Incident Detail page to monitor and manage the entire process from initial incident detection through incident confirmation, quarantine, file reversion, closure, and recycling of the device.

This feature is designed to contain the ransomware attack and to keep it from spreading via the sync process in the case of project files and, in the case of backup files, to provide a way to prevent backups of encrypted files and quickly revert backed up files to their last known-good state. If you have a confirmed ransomware incident, we recommend that you revert the affected files, recycle the device via Workplace, completely uninstall Workplace from the device (refer to Install or Uninstall Workplace Desktop), scrub the device of all malware, reinstall Workplace, and restore the files from the service.

The Security Page

On the Security page, you'll be able to configure security monitoring, review security incidents and the devices they have affected, and track devices that have been exempted from monitoring.

The Incident Grid

The Incident grid displays all security incidents detected. It features the following columns:

Column Definition
ID The system-generated identification code for the specific incident. The first two characters indicate the type of incident. This ID ensures clear communication when discussing incidents.
Type The classification of the incident. The icon helps identify the type at a glance. If Backup appears in parentheses, the incident involves files designated for backup in Workplace.
Status The current state of the alert. Available statuses are:
Started The time at which Workplace first detected suspicious activity.
Source The name of the quarantined device.
Resources Affected The number of devices, files, and projects affected by the incident.

The Security Excluded Devices Grid

The Security Excluded Devices grid displays all devices that have been temporarily or permanently removed from security incident monitoring. It features the following columns:

Column Definition
DeviceA device is computing device that has access to Autotask Workplace, including both mobile devices and computers. The name and operating system of the excluded device.
Owner The user associated with the excluded device.
Excluded The time at which the device was excluded from security monitoring.
Excluded By The user who excluded the device from security monitoring.

How to...


Forward this topic to others