The Analytic->Alerts page allows you to set "Total Egress", "Queue Injection" and "Ransomware Detection" alerts for Audit-enabled shares.



Total Egress

An admin can use this to receive alerts about unexpected egress charges. You can specify 0.2TB or 1.5TB, for example.



Queue Injection

This can be used to detect unexpected bulk operations, including ransomware. Please note that this counts events, which is different from file counts: copying a file may create several events, and some applications create multiple events while accessing a file.



Ransomware Detection

Detects file write/rename operations that match specific file name patterns. If a match is detected, the system sends an alert email. This detection is not perfect, however, as it is designed to detect known ransomware with certain file extensions.


"Shutdown immediately" will shut down the device upon detecting matching file extensions. 


"Safe Mode immediately" will make the CacheDrive enter Safe Mode upon detecting matching file extensions. In Safe Mode, all shares become read-only and upload/downsync stops on the detecting CacheDrive.


You can use Regular Expressions (ERE) to specify customized ransomware pattern detection rules (whitelist/blacklist). The specified regular expression is checked only against file names, not file paths. Please note that the default pattern match is performed using glob patterns, but the whitelist/blacklist must be specified in ERE.


Example 1: Specify \.(locked.*|paycoin)$ in the whitelist so that file names with the extensions locked, locked2023, ..., and paycoin will not be flagged as ransomware.


Example 2: Specify @ in the whitelist so that file names can contain an at sign (@) without triggering ransomware detection. However, please note that it is very common for hackers to include their contact emails in encrypted file names. So it is better to use a more specific pattern, such as \s@\s, which requires a space before and after the at sign, if this pattern works for you.
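
The effect of the two whitelist examples above can be checked offline before the patterns are saved. The script below is an added example, not part of the product: it uses grep -E as a stand-in for the device's ERE matcher, assumes the pattern is searched anywhere in the file name (as the examples imply), and the function names and sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: see which file names a whitelist ERE would exempt.
# Assumptions: unanchored search over the base name only; grep -E stands in
# for the product's matcher. \s is a GNU extension to ERE, accepted by GNU grep.

# wl_match PATTERN NAME_OR_PATH -> exit 0 if the ERE matches the file name part
wl_match() {
    base=${2##*/}                  # drop directories: only the name is checked
    printf '%s\n' "$base" | grep -Eq -- "$1"
}

# wl_report PATTERN -> print a verdict for each constructed sample name
wl_report() {
    printf 'whitelist ERE: %s\n' "$1"
    while IFS= read -r name; do
        if wl_match "$1" "$name"; then verdict=EXEMPT; else verdict=checked; fi
        printf '  %-8s %s\n' "$verdict" "$name"
    done <<'EOF'
backup.locked
backup.locked2023
wallet.paycoin
wallet.paycoin.bak
locked-door.jpg
Meeting @ noon.txt
report.docx.[contact@example.test].enc
projects/team@site/plan.txt
EOF
}

wl_report '\.(locked.*|paycoin)$'   # Example 1
wl_report '@'                       # Example 2, broad form
wl_report '\s@\s'                   # Example 2, narrower form
```

In the output, the bare @ pattern exempts the constructed name that embeds an email address, while \s@\s exempts only "Meeting @ noon.txt"; the @ in the directory name of the last sample is ignored because only the file name is checked.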


"Test Ransomware Detection" can be used to test ransomware detection on a device: select the device, enter the file name, then click the "RUN TEST" button. Note that this is just a "paper test" that does not generate any real system response.