This article shows you how to use :Respond Data Integrity (and Remediation) Analysis.
Data Integrity Analysis/ Remediation allows you to analyze the state of SSProtect-managed content to determine if it has been modified, corrupted, or sabotaged/ Ransomware'd. You can optionally choose to automatically restore content when you're using :Respond. Report results enumerate analyzed items, results, and/ or whether or not content was successfully Restored (when optionally chosen to do so).
For more information related to secure cloud storage, refer to the article, Using :Recover.
This article provides details specific to Data Integrity Analysis (and Remediation), with general use common to all Analysis Types described in the article, Using :Respond. For a :Respond overview, refer to the article, :Respond Introduction.
Setting Up a Data Integrity Execution
The :Respond UI is accessible from the SSProtect notification icon's context menu by choosing Sabotage Remediation and/ or by selecting Data Integrity from the dropdown at the top left:
The Analysis Period will be disabled. Choose the following options:
- Dispatch to Users - This enables the Username list for independent dispatch to Users
- Restore Corrupted - Enables automatic Restore (using :Respond) for items lacking proper Integrity
Data Integrity Analysis is by default - and always - scoped to your Account. When you select Dispatch to Users, you can then choose additional Users from within your Organization to include. In the Username Listbox, hold the CTRL key and click names to add to a selection set, or click the first in a contiguous set, then hold the SHIFT key and click the last - this will select all names in-between.
You cannot execute Data Integrity Analysis without including your own Account, which isn't listed in the Username control. Invalid/ Disabled Users will not be listed. Refer to the Validation section of the article, Managing Organization Users for relevant details.
Optimized Offloading and File Scope
You cannot control the scope of files included in the Analysis. For each User, the software works through locally managed content, which matches the set of files presented by the Managed Files/ Restore Hostlist dialog pane. Refer to the article, Managing Host Data, for related details.
NOTE: The Hostlist doesn't automatically include all managed items for a User for all time - this list changes as Users Remove items that may be Archived (as shown in the Archivelist pane of the same dialog).
Items last converted with Optimized Offloading are not included in the Analysis, but any Hostlist item noted as (Missing) or any other (potential error) state will be included (and Restored when enabled and appropriate). For more information, see the article Operating Modes, controlled by Policy actions specific to Account Configuration described in the article, Managing Your Account.
Shared Content and File Scope
As of v6.3.2, content shared by external parties to your Organization Users does not get included in the Analysis. As a result, shared content cannot (yet) be Integrity-reviewed using :Respond (since scope is specific to Account-local host operation). This will be adjusted in the future based on demand.
Select Data Integrity options, choose additional Users for whom the Analysis should be performed, then select Start. This begins execution on your local host computer - for your Account (as noted above) - and as noted in the article, Using :Respond, you will observe state transitions as each phase of the Analysis executes.
Data Integrity execution securely dispatches data to the cloud, retrieving results locally. This reduces the chances of attacker influence on results while making certain to work with an assured Integrity reference.
Working While Analyzing
During Analysis, you can navigate away from the :Respond UI, perform a Refresh Login... operation, and even Exit and restart the :Foundation Client - without affecting operation. There is a slight delay after you Start operation - during this time controls are disabled, though when re-enabled it's safe to execute any permitted task.
The delay timeframe varies - this is the period of time during which your local files are analyzed. You can generally verify Integrity for hundreds of files in a matter of seconds, though this of course depends on the speed of your local host computer, its mass storage device performance, and other factors.
When you scope Analysis for other Users, Analysis begins during the first subsequent Login each scoped User performs. This is presented in the Startup sequence, described in the article, 1st Time Use. This requires that each User agree to execute the scheduled Analysis, else Login is denied. Future releases will modify behavior to work in the background, at a low priority, to minimize User disruption and computational impact to the host.
Controlling Execution with the Userlist
Analysis will not proceed to the (final) Report State until all Users have performed the Analysis, making up the final required dataset. If some Users are not available, or unaware that you require them to carry out this action, you can utilize the Userlist for assistance.
During Integrity Analysis execution, the Userlist button on the right and above the Analysis Sets (which are disabled during Analysis) will be enabled. Click the button to gain access to the set of scoped Users and their respective progress, shown below (the button changes to Analysis Sets so you can return):
Choose any User's line-item, then Notify to dispatch an email message that notifies the User of the Analysis requirement and additional request for Refresh Login... operation. Subsequent User Login will result in a Startup prompt for Analysis execution. Similar to the initial Analysis timeframe for local host execution, the period of time required for User execution varies (in the same way and scoped to the same type of information).
This typically takes a matter of seconds, though for thousands of files it can take 10s of seconds or, rarely, a minute or two.
If a User is non-responsive and you wish to complete the execution without their information, you can select his/ her associated line-item in the Userlist, then click Abort. This will remove the User from the Analysis (as indicated by the subsequent Abort status), which can unblock final execution for you to see results. Note that you can always perform another Analysis operation including this User, at any time.
User Execution Failure
If execution fails for an individual User, the system attempts to perform a User Abort operation. This not only unblocks continued Data Integrity Analysis execution, but also ensures Users won't be repeatedly prompted to perform Data Integrity Analysis after Login.
Working Around Stuck Users
If you encounter a condition that prohibits User Abort, contact Support. To regain immediate Analysis capability, Abort the Managing Analysis Set, then Remove it before submitting a new request (perhaps without the offending User, at least until problems are identified and addressed).
As noted in other related documentation, other Privileged Users not scoped as a part of an Active Analysis cannot start a new (or different) Analysis operation until your request completes. As noted, this requires Analysis completion by all scheduled Users (Closed or Aborted).
Also note that other Privileged Users (in your Organization) cannot command individual Users with the Userlist. This can be modified in future releases, based on demand.
Remediation and Restored Version Details
When you perform a Data Integrity Analysis and choose the optional Restore Corrupted option, items found to be different than expected get renamed with a ".bak" extension, then replaced with the latest secured version from the cloud. This does not always result in the latest version of the document.
:Recover allows you to Restore the last version of a managed item, though this is the last version you can access. The rules are subtle but intricate and generally not an issue, though you may wish to review the article, Managing Archive Data, for details.
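After a run with Restore Corrupted, the items that were set aside remain on disk under their ".bak" names and are worth collecting for incident review. The following is an added example, not SSProtect code: it pairs each ".bak" file with its restored sibling and records digests, assuming the suffix is appended to the full file name (report.docx.bak) and using SHA-256 as this example's own choice of digest; the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

BAK_SUFFIX = ".bak"  # assumption: appended to the full name (report.docx.bak)

def sha256_file(path):
    """Stream the file through SHA-256 so large items are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory_bak_pairs(root):
    """One record per *.bak under root, paired with its restored sibling."""
    records = []
    for bak in sorted(Path(root).rglob("*" + BAK_SUFFIX)):
        if not bak.is_file() or bak.name == BAK_SUFFIX:
            continue
        sibling = bak.with_name(bak.name[:-len(BAK_SUFFIX)])
        present = sibling.is_file()
        records.append({
            "bak": bak.relative_to(root).as_posix(),
            "bak_sha256": sha256_file(bak),
            "restored_present": present,
            "restored_sha256": sha256_file(sibling) if present else None,
        })
    return records

def needs_attention(records):
    """Replacement missing, or byte-identical to the set-aside copy."""
    return [r["bak"] for r in records
            if not r["restored_present"] or r["restored_sha256"] == r["bak_sha256"]]

def build_sample_tree(root):
    """Constructed sample files, not real SSProtect output."""
    root = Path(root)
    (root / "report.docx").write_bytes(b"restored version")
    (root / "report.docx.bak").write_bytes(b"\x00corrupted\x00")
    (root / "notes.txt.bak").write_bytes(b"set aside, no replacement")
    (root / "plan.xlsx").write_bytes(b"same bytes")
    (root / "plan.xlsx.bak").write_bytes(b"same bytes")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rec in inventory_bak_pairs(tmp):
            print(rec)
        print("review:", needs_attention(inventory_bak_pairs(tmp)))
```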
Analysis Line-Item Details
On the original page (which you can reach by choosing Analysis Sets from the Userlist), you will see the resulting Analysis Set after you click Report (to complete the Analysis, as noted in related documentation). The resulting line-item includes the date/ time (UTC) the Analysis was started, the owner (an Organization Administrator, Delegate, or Individual Account, which will be your Account for these purposes), and the additional details explained in the article, Using :Respond, and also below.
The Results/ Risk column displays the number of analyzed items, the number found corrupted, and the number restored when the Analysis is executed with the Restore Corrupted option, as follows:
x of y/ z
- x is the number of Restored items (requires Restore Corrupted and :Recover)
- y is the number of items found to be corrupted, i.e. items that don't match cloud integrity
- z is the total number of analyzed items for the Analysis scope
This information is also available on the Userlist display with each associated participant, though in a slightly different (and straightforward) format.
You will find all related details in the final Report associated with each Analysis, available by choosing View Report. For additional information, refer to the article, :Respond Reports.
This article was updated w/ v9.8.0 of the :Foundation Client