PowerTech AV Automatically Detects Ransomware Activity
June 29, 2022 Alex Woodie
IBM i shops that are concerned about ransomware attacks may be interested in a new release of PowerTech Antivirus from HelpSystems, which can automatically detect ransomware activity on the IBM i system and block it before it can cause damage. There’s also a nifty new “canary file” feature that will hopefully keep IBM i users from falling down the coal mine.
PowerTech Antivirus, which formerly carried the Stand Guard Anti-Virus label, was originally developed by Bytware to detect and prevent viruses from infecting the IFS on IBM i. The software, which HelpSystems obtained in a 2008 acquisition, uses an IBM i port of McAfee’s Anti-Malware Engine, which is kept up to date on the latest malware circulating in the wild.
As ransomware attacks proliferated, HelpSystems added new features to prevent ransomware from successfully encrypting data on the IFS. With the launch of PowerTech AV version 8.05 earlier this year, HelpSystems bolstered the ransomware functionality with a couple of key capabilities.
For starters, the software can now detect suspicious file activity on the system and automatically block the user profile associated with the activity. The software gives customers the option to specify the sensitivity of the detection engine on a scale of 1 to 100, where 1 is the least strict and 100 is completely locked down, according to Sandi Moore, principal security consultant with HelpSystems.
“Someone who is renaming files, deleting files, encrypting files very rapidly — that is obviously going to hit a higher suspicion rate,” Moore said in a video on the new function posted to the HelpSystems website. “If you’re on a very low number, you’re going to have a really high tolerance for that activity.”
Moore recommends that customers monitor how PowerTech AV’s ransomware detection functionality is working to dial in the sensitivity level, or to create exceptions for users that need to create, modify, delete, and encrypt files as part of their jobs. Admins can also configure the software to ignore certain directories.
PowerTech AV 8.05 brings another compelling new ransomware function: canary files.
Just like the canaries that miners used to lower into coal mines to detect hazardous gases, the canary file is designed to surreptitiously detect noxious users messing around on the IBM i where they shouldn’t be.
Moore explained how it works:
“With the canary file, if someone renames or deletes or tries to modify the canary file, they will be automatically blocked by the software,” she said. “The idea here is to create a file that looks really enticing to a bad guy . . . because they’re pretty sure that you’re going to pay ransom to get that file back. As soon as they try to do that encryption or that rename or that delete or modification, they will be blocked.”
For example, the customer may create a canary file that resembles a customer master file, one of the most valuable files that an IBM i shop may have (and which is an obvious target for a cyber criminal). After creating the canary file, the PowerTech AV user can set the trap designed to ensnare hackers snooping around on their system.
The software doesn’t modify the user profile at all, Moore said, but users are blocked from accessing data. If a legitimate user makes a mistake and gets tripped up by the canary file, the admin can quickly unblock the user with a few keystrokes.
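To make the two mechanisms described above concrete, here is an added illustration (not PowerTech's code) of a detector that combines a sensitivity-scaled rate check with a canary-file trigger over a constructed file-activity log. The 1-to-100 scale is mapped to a sliding-window threshold by assumption, the canary path, user names and operation labels are constructed, and "encrypt" stands in for whatever write pattern a real engine would observe.

```python
from collections import defaultdict
from dataclasses import dataclass

CANARY_PATH = "/data/CUSTMAST.DAT"  # constructed decoy; a real one would mimic a customer master file
SUSPICIOUS_OPS = {"rename", "delete", "modify", "encrypt"}

@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds since start of observation
    user: str   # IBM i user profile that performed the operation
    op: str     # "read", "rename", "delete", "modify" or "encrypt" (constructed labels)
    path: str   # IFS path touched

def detect(events, sensitivity, window=10.0, canary=CANARY_PATH,
           exempt_users=frozenset(), ignored_dirs=()):
    """Return {user: reason} for each user profile that should be blocked.
    Assumed scoring (not PowerTech's real algorithm): with sensitivity s in 1..100 a user is
    blocked once more than (100 - s) suspicious ops fall inside a sliding `window` of seconds,
    so s=100 blocks on the first one and s=1 tolerates 99. Touching the canary blocks at once.
    """
    if not 1 <= sensitivity <= 100:
        raise ValueError("sensitivity must be between 1 and 100")
    threshold = 100 - sensitivity
    blocked = {}
    recent = defaultdict(list)  # user -> timestamps of recent suspicious ops
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user in blocked or ev.op not in SUSPICIOUS_OPS:
            continue
        if ev.path == canary:
            blocked[ev.user] = f"{ev.op} on canary file {canary}"
            continue
        if ev.user in exempt_users or any(ev.path.startswith(d) for d in ignored_dirs):
            continue  # configured exception for batch jobs or scratch directories
        recent[ev.user] = [t for t in recent[ev.user] if ev.ts - t <= window] + [ev.ts]
        if len(recent[ev.user]) > threshold:
            blocked[ev.user] = f"{len(recent[ev.user])} suspicious ops within {window:g}s"
    return blocked

def sample_events():
    """Constructed activity log: a rapid encryptor, a canary toucher, two benign profiles."""
    evs = [FileEvent(0.2 * i, "ATTACKER", "encrypt" if i % 2 else "rename", f"/data/ar/{i}.dat")
           for i in range(25)]                                            # 25 ops in 5 s
    evs += [FileEvent(0.5 * i, "BACKUPJOB", "rename", f"/data/bk/{i}.sav") for i in range(30)]
    evs += [FileEvent(1.0 * i, "DEV", "delete", f"/tmp/build/{i}.o") for i in range(5)]
    evs += [FileEvent(3.0, "CLERK", "modify", "/data/ORDERS.DAT"),
            FileEvent(4.0, "CLERK", "rename", CANARY_PATH)]
    return evs

def run_demo(sensitivity=80):
    return detect(sample_events(), sensitivity, exempt_users={"BACKUPJOB"}, ignored_dirs=("/tmp/",))
```

At sensitivity 80 the backup profile and the scratch-directory deletions pass, the rapid encryptor is blocked on its 21st operation, and the clerk is blocked the moment the canary is renamed; lowering the sensitivity to 1 lets the encryptor through while the canary still fires.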
“We’re very excited to bring this functionality on top of the current ability to scan for and find ransomware that’s on the IBM i,” Moore said. “This gives us a little extra leg up where we’re able to detect activity that’s coming from an external source.”
For more information on the new features, check out the release notes for PowerTech AV.