We are a university with around 20'000 users with all their files on NetApp filers running ONTAP 9.0/CDOT, and from time to time we have users who get infected with a crypto-virus and start encrypting files on all shares they have access to. Cryptoviruses are often not detected by antivirus software, and we were thinking about making an automated lock-down system with a honeypot to detect and stop the outbreak before it becomes a problem/lots of cleanup work.
Before I start, I would just like to check if anyone else has already done this?
My idea is to make a share with enough files so the cryptovirus is busy for a while on this share, and mount it as an early letter in Windows on all clients. Then make a script that detects changes on this share and who is doing the changes - then lock down this user's account so the user doesn't have access to encrypt anything on later network shares mapped - like home directories and common file areas.
Any ideas or input on this before I start making a solution is welcome.
-- Morten-Christian Bernson, Section for infrastructure, Systems Architect Storage and Backup IT-department, University of Bergen
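The detection half of the honeypot idea above, as an added example that is not from the original thread or from any NetApp tooling: it baselines the decoy share with file hashes, diffs a later scan to find modified, deleted or renamed decoys, and attributes those changes to a user from audit records. The audit line format (`user=... op=... path=...`), the `EXAMPLE\` domain, the file names and the outbreak threshold are all constructed assumptions; a real deployment would feed it CIFS audit events from the filer and hand the resulting user list to whatever disables accounts in your directory.

```python
"""Honeypot-share change detector with user attribution (added example, constructed data)."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Assumed audit record layout; real filer audit logs differ and need their own parser.
AUDIT_RE = re.compile(r"user=(?P<user>\S+)\s+op=(?P<op>\S+)\s+path=(?P<path>\S+)")
DESTRUCTIVE_OPS = {"WRITE", "RENAME", "DELETE"}


def snapshot(root: Path) -> dict:
    """Map each file path (relative to the share root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report decoys that changed content, vanished, or appeared (a rename shows as deleted + added)."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def is_outbreak(changes: dict, threshold: int = 3) -> bool:
    """Nobody legitimately edits decoys, so a few modified or deleted files is already an alarm."""
    return len(changes["modified"]) + len(changes["deleted"]) >= threshold


def attribute(changes: dict, audit_lines: list) -> dict:
    """Count destructive audit events per user that hit a path flagged by the diff."""
    touched = set(changes["modified"]) | set(changes["deleted"]) | set(changes["added"])
    hits = {}
    for line in audit_lines:
        m = AUDIT_RE.search(line)
        if m and m.group("op") in DESTRUCTIVE_OPS and m.group("path") in touched:
            hits[m.group("user")] = hits.get(m.group("user"), 0) + 1
    return hits


def users_to_lock(hits: dict, min_events: int = 2) -> list:
    """Require more than one event before naming a user, to avoid locking out a stray write."""
    return sorted(u for u, n in hits.items() if n >= min_events)


def seed_honeypot(root: Path, count: int = 20) -> None:
    """Populate the decoy share with constructed documents."""
    for i in range(count):
        (root / f"doc{i:03d}.txt").write_bytes(f"decoy document {i}\n".encode() * 50)


def simulate_encryption(root: Path, names: list) -> None:
    """Stand-in for ransomware behaviour: overwrite content, then rename with a new extension."""
    for name in names:
        p = root / name
        p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        p.rename(p.with_name(p.name + ".locked"))


def run_demo() -> dict:
    """End-to-end run on a temporary directory standing in for the honeypot share."""
    root = Path(tempfile.mkdtemp(prefix="honeypot-"))
    try:
        seed_honeypot(root)
        baseline = snapshot(root)
        victims = ["doc000.txt", "doc001.txt", "doc002.txt", "doc003.txt"]
        simulate_encryption(root, victims)
        changes = diff_snapshots(baseline, snapshot(root))
        # Constructed audit records: bob touches the decoys, alice only reads, carol writes elsewhere.
        audit = ["2025-01-01T10:00:00Z user=EXAMPLE\\alice op=READ path=doc010.txt"]
        for v in victims:
            audit.append(f"2025-01-01T10:00:01Z user=EXAMPLE\\bob op=WRITE path={v}")
            audit.append(f"2025-01-01T10:00:01Z user=EXAMPLE\\bob op=RENAME path={v}.locked")
        audit.append("2025-01-01T10:00:02Z user=EXAMPLE\\carol op=WRITE path=other/notes.txt")
        hits = attribute(changes, audit)
        return {"outbreak": is_outbreak(changes), "changes": changes,
                "hits": hits, "lock": users_to_lock(hits)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

The polling approach works for a first version, but it only sees the share after damage to the decoys has started; the baseline scan also has to be repeated whenever decoys are deliberately refreshed, or the refresh itself will trigger the alarm.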
NetApp created a mechanism called FPolicy in ONTAP. There is an external server-client implementation for it that is completely documented and part of the Manageability SDK, and it allows you to get notified via the toolkit about an IO and to tell the filer what to do with this IO live.