You may have seen a notification from NeuShield that says "NeuShield has detected possible malicious file modifications".
Or you may have gotten an email or a message that says "Data Sentinel suspended overlay commit on the device".
Why Am I Getting This?
This email is sent because the device had significant changes to its data, and NeuShield is pausing the commit to confirm that the changes are OK with you.
This happens when NeuShield detects too many changes on the overlay that look like good data might have been replaced with unknown or encrypted data. For example, if the overlay has a bunch of encrypted files on it, the hard disk has a bunch of legitimate documents on it, and the commit cycle would replace the documents with the encrypted data, then NeuShield pauses the commit and sends this notification to let you know that there could be an issue on that computer (such as a ransomware attack).
How To Check What Was Modified?
The exact files whose modification triggered this event are recorded in the debug log (C:\Program Files\NeuShield\NeuShield Data Sentinel\DebugLog.txt). You can search the log yourself for the data.
Search debug log for:
xxx (yyy) has been maliciously modified
zzz seems have malicious deletions
Note: "xxx" is the current file name and "yyy" is the previous file name. "zzz" is the folder path.
The events are visible on the NeuShield Portal under Client Activity.
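The log search described above can be scripted so that the flagged files are summarized by new file extension and by folder, which helps when deciding whether the changes are expected. This is an added example, not NeuShield's own code; it assumes each entry sits on one line, that paths start with a drive letter, and that any text before the path (such as a timestamp) can be discarded. The sample lines are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

DEBUG_LOG = r"C:\Program Files\NeuShield\NeuShield Data Sentinel\DebugLog.txt"  # path from the article
MOD_MARK = " has been maliciously modified"
DEL_MARK = " seems have malicious deletions"
DRIVE = re.compile(r"[A-Za-z]:\\")  # assumption: paths are drive-letter paths

def strip_prefix(text):
    """Drop anything (timestamp, level) that precedes the first drive-letter path."""
    m = DRIVE.search(text)
    return text[m.start():] if m else text.strip()

def split_names(head):
    """Split 'xxx (yyy)' at the parenthesis that balances the final ')'."""
    depth = 0
    for i in range(len(head) - 1, -1, -1):
        depth += (head[i] == ")") - (head[i] == "(")
        if depth == 0:
            return head[:i].rstrip(), head[i + 1:-1]
    return head, ""

def parse_log(lines):
    """Return (modified, deleted): (current, previous) name pairs and folder paths."""
    modified, deleted = [], []
    for line in lines:
        if MOD_MARK in line:
            head = line.split(MOD_MARK)[0].rstrip()
            if head.endswith(")"):
                cur, prev = split_names(head)
                modified.append((strip_prefix(cur), strip_prefix(prev)))
        elif DEL_MARK in line:
            deleted.append(strip_prefix(line.split(DEL_MARK)[0]))
    return modified, deleted

def triage(modified):
    """Count the new extensions of renamed files and the flagged files per folder."""
    new_ext = Counter(PureWindowsPath(c).suffix.lower() for c, p in modified
                      if PureWindowsPath(c).name.lower() != PureWindowsPath(p).name.lower())
    per_folder = Counter(str(PureWindowsPath(c).parent) for c, _ in modified)
    return new_ext, per_folder

# Constructed sample lines; the timestamp prefix is an assumption, not NeuShield's format.
SAMPLE = [
    r"2024-05-01 10:00:01 C:\Users\a\Docs\q1 (final).xlsx.lock (C:\Users\a\Docs\q1 (final).xlsx) has been maliciously modified",
    r"2024-05-01 10:00:02 C:\Users\a\Docs\notes.txt.lock (C:\Users\a\Docs\notes.txt) has been maliciously modified",
    r"2024-05-01 10:00:03 C:\Users\a\Pictures seems have malicious deletions",
    r"2024-05-01 10:00:04 commit cycle check complete",
]
```

Many files in one folder all gaining the same unfamiliar extension points toward encryption rather than normal editing; to run it on a real device, pass the lines of the file at DEBUG_LOG to parse_log instead of SAMPLE.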
What To Do?
If you determine that the changes are undesirable or that you have ransomware on the system, see: What should I do if I am hit with ransomware?
If the changes to your data are normal, you can simply resume the overlay commit frequency. To resume the commit schedule, use the "Restore / Revert" button in the portal. See screenshots below.
Here are the steps:
- Log on to the NeuShield portal.
- Go to the "My Protected Devices" tab.
- Find the device in question and click on it to get to the device details.
- Click the "Restore / Revert" button.
- Select the "Control Overlay" option.
- Select the "Resume" option and click "Continue".