https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147519#M9216 <P>Hi Jenner,</P> <P>&nbsp;</P> <P>Best thing against malicious attacks would consist of at least the following:</P> <P>&nbsp;</P> <P>1. proper backup (plus snapshot) policy</P> <P>2. setup fpolicy to prevent known extensions, thus preventing encryption</P> <P>3. in case of a known malicious attack:</P> <P>&nbsp; &nbsp;a. Create a snapshot IMMEDIATELY so you know what is going on</P> <P>&nbsp; &nbsp;b. either stop CIFS services</P> <P>&nbsp; &nbsp;c. or set all CIFS shares to readonly (this will impact your business less and prevent encryption/deletion as well</P> <P>The steps in point 3 can be easily automated using powershell SDK or linux shell scripting depending on your environment.</P> <P>Make sure to make the scripting dynamic so newly created/deleted CIFS shares are automatically added.</P> <P>&nbsp;</P> <P>Besides that you should look into a good security information and event monitoring service so you get early alerting on when attacks happen. Unfortunately we cannot prevent such attacks but timely detection can save you loads of work and problems.</P> <P>&nbsp;</P> <P>/Xander</P> Fri, 29 Mar 2019 06:52:30 GMT xandervanegmond 2019-03-29T06:52:30Z https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147493#M9214 <P>Hi, I have received a request to put together a process&nbsp; tostop access to CIFS shares mapped to virtual desktops in the event of a malicous attack to limit the the impact of users inadvertantly spreading the corruption. My first thought is to simply stop sharing the individual CIFS share or disabling CIFS altogether thus disabling access completely.</P> <P>&nbsp;</P> <P>Both would stop access to the shares but I'm wondering if there are any other options either NetApp or third party that anyone has used and would recommend?</P> <P>&nbsp;</P> <P>Thanks in advance,</P> <P>&nbsp;</P> <P>JennerSRB</P> Wed, 04 Jun 2025 12:41:07 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147493#M9214 JennerSRB 2025-06-04T12:41:07Z https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147519#M9216 <P>Hi Jenner,</P> <P>&nbsp;</P> <P>Best thing against malicious attacks would consist of at least the following:</P> <P>&nbsp;</P> <P>1. proper backup (plus snapshot) policy</P> <P>2. setup fpolicy to prevent known extensions, thus preventing encryption</P> <P>3. in case of a known malicious attack:</P> <P>&nbsp; &nbsp;a. Create a snapshot IMMEDIATELY so you know what is going on</P> <P>&nbsp; &nbsp;b. either stop CIFS services</P> <P>&nbsp; &nbsp;c. or set all CIFS shares to readonly (this will impact your business less and prevent encryption/deletion as well</P> <P>The steps in point 3 can be easily automated using powershell SDK or linux shell scripting depending on your environment.</P> <P>Make sure to make the scripting dynamic so newly created/deleted CIFS shares are automatically added.</P> <P>&nbsp;</P> <P>Besides that you should look into a good security information and event monitoring service so you get early alerting on when attacks happen. Unfortunately we cannot prevent such attacks but timely detection can save you loads of work and problems.</P> <P>&nbsp;</P> <P>/Xander</P> Fri, 29 Mar 2019 06:52:30 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147519#M9216 xandervanegmond 2019-03-29T06:52:30Z https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147529#M9217 <BLOCKQUOTE><HR /><a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/2791">@xandervanegmond</a>&nbsp;wrote:<BR /> <P>Hi Jenner,</P> <P>&nbsp;</P> <P>Best thing against malicious attacks would consist of at least the following:</P> <P>&nbsp;</P> <P>1. proper backup (plus snapshot) policy</P> <P>2. setup fpolicy to prevent known extensions, thus preventing encryption</P> <P>3. in case of a known malicious attack:</P> <P>&nbsp; &nbsp;a. Create a snapshot IMMEDIATELY so you know what is going on</P> <P>&nbsp; &nbsp;b. either stop CIFS services</P> <P>&nbsp; &nbsp;c. or set all CIFS shares to readonly (this will impact your business less and prevent encryption/deletion as well</P> <P>The steps in point 3 can be easily automated using powershell SDK or linux shell scripting depending on your environment.</P> <P>Make sure to make the scripting dynamic so newly created/deleted CIFS shares are automatically added.</P> <P>&nbsp;</P> <P>Besides that you should look into a good security information and event monitoring service so you get early alerting on when attacks happen. Unfortunately we cannot prevent such attacks but timely detection can save you loads of work and problems.</P> <P>&nbsp;</P> <P>/Xander</P> <HR /></BLOCKQUOTE> <P>Hi Xander,</P> <P>&nbsp;</P> <P>Thanks for the reply and I concur with all the points you have made. i hadn't consdiered making the CIFS shares readonly but that is a good suggestion.</P> <P>&nbsp;</P> <P>Thanks again,</P> <P>&nbsp;</P> <P>Jenner.</P> Fri, 29 Mar 2019 10:12:22 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147529#M9217 JennerSRB 2019-03-29T10:12:22Z https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147538#M9218 <P>Hi</P> <P>&nbsp;</P> <P>if you want - NetApp has a full DOC about that topic - "The NetApp Solution for Ransomware"</P> <P><A href="https://www.netapp.com/us/media/tr-4572.pdf" target="_blank">https://www.netapp.com/us/media/tr-4572.pdf</A></P> <P>&nbsp;</P> <P>Gidi</P> Fri, 29 Mar 2019 11:23:21 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/CIFS-share-isolation-following-virus-identification/m-p/147538#M9218 GidonMarcus 2019-03-29T11:23:21Z