NetFort Tips & Tricks - Using LANGuardian as an early Ransomware attack detection system

  • 1
  • Idea
  • Updated 3 years ago
Cryptolocker attacks are everywhere at the moment. It's near impossible to prevent this form of infection, links will always be clicked and attachments opened. 

The Ransomware file extensions are changing daily, it can be hard to keep up however the one common factor among all these attacks is the huge spike in File Renames. Please follow the steps below to create a Trend that will monitor the rate of File Renames per second and we will also be setting a threshold. If this threshold is breached then LANGuradian will Email you and you can take immediate action.

  • Make sure your Email Address is in the alerts distribution.
  • Settings --> Periodic Reports.
  • This trend will be based on the report Windows File Shares :: Top Clients by Number of  Events.


  • Run this report over a 24 hour period and make sure the Action field is set to Rename.



  • Now click Actions and select Trend Report.


  • Now go back into Settings and select Trends. Find your newly created trend and click on Alarms.


  • From here you can set a limit (Alarm Level) that you feel would be abnormal depending on your own fileshare activity. I would suggest something in between 1.5 and 2.5 but you can play around with these figures. Set Action to Send Email and click save.
  • The Trend may take some time to get up and running but once its in place it should act as an early warning system for any potential attacks on your Files/Network.

I hope you found this helpful, if you have any queries or issues about this Email or indeed any aspect of your LANGuardian please do not hesitate to contact us here at

Kind Regards,


Photo of Jason McLynn

Jason McLynn, Official Rep

  • 7 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 1

Be the first to post a reply!