Shestakov wrote: Hi Mark,
You are right, we've tested the alarm on several VMs whose data was encrypted by the same cryptosystems that malware usually uses. The alarm was triggered when data had been encrypted and didn't light up in the normal operation state.
The reason why thresholds are high is that we want to avoid false positives.
lando_uk wrote: But if a Windows client out there infected a mapped drive on a file server VM (which is what normally happens), I'm not sure there would be high CPU on the file server, as the CPU-intensive encryption would be using local client CPU.