User Guide

Introduction

Welcome to the User Guide for SecuritySnares, a state-of-the-art security solution designed to protect your digital assets from ransomware threats. This document outlines best practices to ensure a smooth and effective deployment of SecuritySnares within your organization.

Purpose

The primary purpose of this guide is to provide step-by-step instructions and best practices for troubleshooting SecuritySnares in a way that maximizes its effectiveness and minimizes disruptions to your business operations.

Scope

This technical guide provides detailed instructions for configuring, troubleshooting, and maintaining SecuritySnares deployments.

Topics Covered:

  • Installation and deployment across various platforms
  • Configuration and customization for organizational needs
  • Alert management and response procedures
  • Common troubleshooting scenarios and solutions
  • Performance optimization and best practices

This guide empowers technical professionals to maximize SecuritySnares' effectiveness in detecting and preventing ransomware threats.

Overview of SecuritySnares Product

SecuritySnares is a small, agent-based prevention technology that identifies files being encrypted on the file system. The algorithm is a two-step process:

  1. Identify encryption of data to the hard drive (filesystem)
  2. Determine if the process is a known, trusted process

Once encryption is identified, the process is evaluated to determine its purpose. The process is labeled "trusted" if it is expected to perform encryption, or "untrusted" if it is not known whether it should be performing encryption. When operating in Protect mode, if the process status is unknown, SecuritySnares terminates the process to prevent potential ransomware activity.

Target Audience

This guide is designed for technical professionals responsible for deploying and managing SecuritySnares:

  • System Administrators
  • Network Engineers
  • IT Support Staff
  • Managed Service Providers (MSPs)
  • Security Operations Center (SOC) Analysts

The guide assumes familiarity with Windows administration, networking concepts, and enterprise software deployment tools.

Performance Characteristics

SecuritySnares is designed for minimal performance impact on production systems.

Performance Metrics (measured during active ransomware simulation on heavily utilized SQL server):

  • CPU Usage: 0.02% average
  • Memory: Maximum 50MB
  • Disk I/O Latency: Maximum 44KB/sec additional latency

Performance Notes:

  • Brief CPU spikes occur when encryption activity triggers SecuritySnares analysis
  • CPU returns to idle after process evaluation completes
  • Performance impact is negligible even on heavily utilized systems

Understanding SecuritySnares

Architecture

Agents are installed on endpoint machines. Management of agents is primarily done through the web application.

Central to the system is the Agent, a lightweight kernel-mode filesystem driver installed on endpoint devices. It evaluates filesystem input/output (I/O), running the SecuritySnares algorithm to identify encryption. Once encryption is identified, the driver further evaluates the process. Some processes can be evaluated for trustworthiness locally on the machine, without an Internet connection.

The SecuritySnares Web Portal acts as a management and reporting console. It is developed with an API-first methodology and is designed to be used programmatically. The SecuritySnares API provides any Internet-connected agent with Threat Intelligence. The Threat Intelligence repository contains analysis of over 3.5 billion executable processes. Every process undergoes rigorous examination to determine its trustworthiness, allowing the Threat Intelligence API endpoint to respond with a classification of either trusted or untrusted.

Within the web app, Agents are assigned to an Organization through the use of an API Key. Organizations can belong to a Managed Security Service Provider (MSSP). An MSSP is able to impersonate its customer Organizations to review alerts, configure and deploy agents, and review the overall health of the customer.

Deploy Agents

System Requirements

Supported Operating Systems:

  • Windows 10 and later (64-bit)
  • Windows Server 2016 and later (64-bit)

Software Requirements:

  • .NET Runtime version 6 or later
  • The self-contained .exe installer includes .NET and will install it automatically if not present

Hardware Requirements:

  • CPU: Minimal impact (0.02% average utilization)
  • RAM: Maximum 50MB
  • Disk Space: 200MB for installation and backup storage
  • Disk I/O: Maximum latency addition of 44KB/sec

Network Connectivity (Optional)

SecuritySnares operates effectively in isolated environments (such as OT/ICS networks) without network connectivity. However, network connectivity provides additional benefits:

Benefits of Network Connectivity:

  • Centralized management and monitoring via the web portal
  • Access to Cyber Threat Intelligence database with 3.5+ billion known-good executables
  • Remote configuration and policy management
  • Automated agent updates
  • Centralized alert aggregation

Network Requirements for Connected Deployments:

If network connectivity is available, the agent requires outbound HTTPS access:

  • Domain: *.securitysnares.com
  • Primary API Endpoint: https://api-prod.securitysnares.com
  • Validation Endpoint: https://validate.securitysnares.com
  • Port: 443 (HTTPS)
  • Protocol: TLS 1.2 or higher (TLS 1.3 supported on legacy Windows via libcurl)

Firewall Configuration:

Ensure your firewall allows outbound connections to *.securitysnares.com. No inbound ports need to be opened on endpoint machines.

Proxy Support:

SecuritySnares respects system proxy settings configured in Windows.

Self-Hosted Mode:

For completely isolated environments, SecuritySnares can operate in self-hosted mode where it performs local threat analysis without communicating with the cloud portal. Contact a SecuritySnares representative to discuss the self-hosted solution.

Download

Download the agent from https://portal.securitysnares.com/downloads.

The Agent web page will provide the correct API URL and API Key needed in the next step.

Please note the API Key should be the API Key from https://portal.securitysnares.com/downloads.

Manual Installation

Step-by-step Installation Process:

  1. Download the Installer
  2. Gather Installation Credentials
    • Locate your API Key from the Downloads page
    • Note the API URL (default: https://api-prod.securitysnares.com)
  3. Run the Installer
    • Execute the downloaded installer with administrator privileges
    • When prompted, enter the API URL (use the default for cloud-hosted deployments)
    • Enter your organization's API Key
  4. Verify Installation
    • Check that the SecuritySnares service is running in Windows Services
    • Confirm the agent appears in the web portal at https://portal.securitysnares.com/agents
    • Verify the "Last Updated" timestamp is recent (indicates successful communication)

Installation Exit Codes:

  • 0 = Successful installation
  • Non-zero = Installation failure (check installation logs for details)

Automated Deployment

Installation via SCCM with MSI

msiexec /q /i "SecuritySnares-Agent-x64.msi" /L*V "C:\package.log" API_URL=https://api-prod.securitysnares.com API_KEY=YOUR_API_KEY_HERE

Parameters:

  • /q - Quiet mode (no user interaction)
  • /i - Install the package
  • /L*V "C:\package.log" - Create verbose installation log
  • API_URL - SecuritySnares API endpoint (default: https://api-prod.securitysnares.com)
  • API_KEY - Your organization's API key from the Downloads page
  • Exit code 0 indicates successful installation

Installation via PowerShell

# Download and install SecuritySnares
$apiKey = "YOUR_API_KEY_HERE"
$apiUrl = "https://api-prod.securitysnares.com"
$installerPath = "C:\Temp\SecuritySnares-Agent.exe"

# Silent installation; -PassThru returns the process object so the exit code can be checked
$proc = Start-Process -FilePath $installerPath -ArgumentList "/S", "API_URL=$apiUrl", "API_KEY=$apiKey" -Wait -PassThru

# Exit code 0 indicates successful installation; anything else is a failure (see the installation logs)
if ($proc.ExitCode -ne 0) {
    Write-Error "SecuritySnares installation failed with exit code $($proc.ExitCode)"
}

Installation via Group Policy (GPO)

  1. Copy the MSI installer to a network share accessible by all target computers
  2. Create a new GPO or edit an existing one
  3. Navigate to: Computer Configuration → Policies → Software Settings → Software Installation
  4. Right-click and select New → Package
  5. Browse to the MSI installer on the network share
  6. Select Assigned deployment method
  7. Configure transform file or command-line parameters for API_URL and API_KEY

Installation via Microsoft Intune

  1. Navigate to Apps → Windows in Intune portal
  2. Click Add and select Line-of-business app
  3. Upload the SecuritySnares MSI installer
  4. Configure installation command:
    msiexec /i "SecuritySnares-Agent-x64.msi" /qn API_URL=https://api-prod.securitysnares.com API_KEY=YOUR_API_KEY_HERE
  5. Assign to target device groups

Uninstallation

To prevent tampering by malicious actors, the SecuritySnares agent requires a token for uninstallation. This is configured in the web-based management console. This token is unknown to SecuritySnares. A customer must ensure they have it.

If going through the GUI, the user would be prompted for the uninstall token.

The agent uninstallation can be performed programmatically by invoking the following:

C:\Program Files\SecuritySnares\SecuritySnares.Agent.exe -uninstall [uninstall token]

Agent Health

Checking the health status of agents is as simple as navigating to https://portal.securitysnares.com/agents.

Once there, the key indicator of agent health lies in their update status. The "Last Updated" column should be recent, signifying the agents are able to communicate with the cloud management web console. This simple step ensures that agents are functioning optimally. Executing this step is helpful when deploying new agents to ensure the API URL and API Key were properly configured.

Reviewing Alerts

Alerts are presented on https://portal.securitysnares.com/alerts.

On this page, analysts are presented with the metadata surrounding the suspicious event. The Process File Path is the suspicious process attempting to encrypt files. The suspicious process can be downloaded by clicking "Download Quarantined File". The file will be downloaded as a password protected zip file. The password is 'infected'.

Should the event be a false positive, analysts are able to Dismiss Alert, or create an entry in the Allow List by clicking Allow. It is strongly recommended to allow processes by their full file path to reduce the potential for allowing a malicious process to execute. The next preferred allow-list method is by checksum, though this method does not handle software updates.

File Recovery Process

When SecuritySnares detects and terminates a suspicious process in Protect mode, it automatically initiates file recovery to restore encrypted files:

How File Recovery Works:

  1. Backup Creation: SecuritySnares maintains backups of files before they are modified by any process. These backups are stored in C:\ProgramData\SecuritySnares\Backup

  2. Process Termination: When an untrusted process is detected encrypting files, SecuritySnares terminates the process and all child processes

  3. Automatic Recovery: SecuritySnares automatically recovers files that were encrypted by the terminated process from the backup folder

  4. Recovery Queue: The recovery process tracks which files were modified by which process, ensuring only affected files are restored

  5. Backup Retention: Backups are managed automatically, with write access to the backup folder restricted to prevent tampering

Important Notes:

  • File recovery only occurs in Protect mode
  • In Alert-Only mode, backups are not created to minimize performance impact
  • The backup folder is protected by the driver to prevent malicious modification or deletion

Windows Event Log Integration

By default, SecuritySnares writes alerts to the Windows Event Log. This allows for seamless integration with SIEM technologies and centralized monitoring solutions.

  • Event ID: 739
  • Location: System Event Log

If your organization is collecting Windows Event Logs, you are already configured for centralized alert monitoring!

Microsoft Sentinel Integration

To properly ingest SecuritySnares events in Microsoft Sentinel, configure your data collection with the following XPath query:

System!*[System[(EventID=739)]]

This ensures that Event ID 739 is properly captured and ingested into your Sentinel workspace for analysis and alerting.

Agent Modes

SecuritySnares has 3 modes: Alert-Only, Protect and Disabled.

Alert-Only mode will only alert and take no action on the endpoint. New customers are generally onboarded in Alert-Only mode for the first 2-3 weeks to ensure that SecuritySnares will not prevent benign, legitimate business operations, such as backups or software updates.

Protect mode will kill suspicious processes that are attempting to encrypt files. Protect mode is the only way to stop ransomware. It is important to switch a customer to Protect mode as soon as any routine false positives have been detected and entered into the Allow List.

Disabled mode will unload the filesystem driver and service. This mode is ideal when there is a bug on the affected machine and SecuritySnares is preventing proper operation. In Disabled mode, logs can still be collected from the agent, the agent can be rolled back to a previous version, and updates can occur. For these reasons, it is recommended to use Disabled mode instead of uninstalling.

Configuring a customer's environment for Alert-Only or Protect mode is as easy as navigating to the Agents page. From there, click the ellipsis (three dots) next to a host and click Enable Protect Mode. The next dialog box will ask if the change should be for the individual agent, or for all agents.

To have an agent enter the Disabled State, click the Agent Killswitch option within the ellipsis (you must have MFA configured first).

Agent Updates

To update agents, navigate to the Agents page. In the top right, click on Manage Agent Versions, then click Update on the next screen.

Should an agent version rollback be needed, the same steps are taken with the exception of selecting Rollback in the dialog box.

Setting up MFA

Please navigate to your user profile, then MFA. Ensure the toggle is switched to the right (on) position.

Create Organization (Adding Customers)

Starting on the Organizations page, click on the Add Organization button.

This will create an organization that is managed by the currently logged-in user's organization. For instance, if a user logged in as analyst@AcmeMSSP.com, then Acme MSSP would be the organization responsible for managing the newly created organization's SecuritySnares alerts and deployment.

Fill in the Organization's name, and the information of the first point-of-contact for the client organization.

Interpreter Detection and Script Policy

Execution Scripts

Script Encryption Policy defines how scripting interpreters are handled by the SecuritySnares agent when a script attempts to encrypt data.

Script Policies (Customer-managed)

Script Policies control if Scripting Interpreters are allowed to encrypt data within your organization.

  • Location: Settings & Policies → Script Encryption Policy
  • What you configure:
    • Execution Script: choose from the predefined scripts
    • When a scripting interpreter tries to encrypt a file: Allow, Deny, or Alert
    • Rule Type: Agent, Host Group, or Organization

Permissions:

  • Administrators: can add, edit, and delete Script Policies
  • Standard users: read-only visibility of Script Policies

Rule Types:

  • Agent: applies the policy to a single host (select the specific agent)
  • Host Group: applies the policy to a defined group of hosts (host groups are created at https://portal.securitysnares.com/agents.)
  • Organization: applies the policy to all agents in the organization

Notes: Use Allow when the interpreter is trusted and required to encrypt data, Deny to block execution, and Alert to surface events without blocking while you evaluate impact.

Webhook Notifications

Webhook notifications allow you to receive real-time alerts from SecuritySnares to your own systems, enabling integration with SIEM platforms, custom applications, and automated security workflows.

Webhook Configuration

Webhooks are configured at the organization level. To configure webhooks:

  1. Navigate to Settings & Policies → Notifications
  2. Click Add Webhook to create a new webhook endpoint
  3. Configure the following:
    • Webhook URL: The HTTPS endpoint that will receive webhook notifications
    • Secret (optional): A shared secret for HMAC signature verification
    • Status: Enable or disable the webhook (toggle switch shows "Activated" or "Deactivated")

You can configure multiple webhooks per organization, and all active webhooks will receive notifications when alerts are detected.

Receiving Webhook Requests

When a SecuritySnares agent detects a suspicious process and generates an alert, the system automatically sends HTTP POST requests to all enabled webhook endpoints configured for your organization.

Request Format

  • Method: POST
  • Content-Type: application/json
  • SecuritySnares-Signature: HMAC-SHA256 signature of the request body (if secret is configured)

The SecuritySnares-Signature header contains a hexadecimal HMAC-SHA256 hash of the request body, computed using the secret you configured for the webhook.

Example Payload

{
    "hostname": "host.example.com",
    "process_name": "suspicious.exe",
    "process_file_path": "C:\\path\\to\\suspicious.exe",
    "process_md5": "d41d8cd98f00b204e9800998ecf8427e",
    "ip_address": "192.168.1.100",
    "mac_address": "00:11:22:33:44:55",
    "action_taken": "blocked",
    "alert_time": 1623456789
}

Payload Fields

  • hostname: The hostname of the endpoint where the alert was detected
  • process_name: Name of the suspicious process (e.g., suspicious.exe)
  • process_file_path: Full file path of the suspicious process
  • process_md5: MD5 hash of the process executable
  • ip_address: IP address of the endpoint
  • mac_address: MAC address of the endpoint's network interface
  • action_taken: Action taken by SecuritySnares (typically "blocked")
  • alert_time: Unix timestamp (seconds since epoch) when the alert was detected

Verifying Webhook Requests

To ensure webhook requests are authentic and have not been tampered with, always verify the HMAC signature when a secret is configured.

HMAC Signature Verification

The signature is computed as:

HMAC-SHA256(secret, request_body)

The resulting hash is included in the SecuritySnares-Signature header as a hexadecimal string.

Example Verification Code (Python)

import hmac
import hashlib
from flask import Flask, request

app = Flask(__name__)

WEBHOOK_SECRET = 'your_webhook_secret'  # Configure this to match your webhook secret


@app.route('/webhook', methods=['POST'])
def webhook():
    # Get the signature from headers
    provided_sig = request.headers.get('SecuritySnares-Signature', '')

    # Get the raw request body. Leave body caching on (the default) so that
    # request.get_json() below can still read the body after it has been consumed here.
    raw_body = request.get_data(as_text=False)

    # Compute expected signature over the raw bytes, not over re-serialized JSON
    expected_sig = hmac.new(
        WEBHOOK_SECRET.encode('utf-8'),
        raw_body,
        hashlib.sha256
    ).hexdigest()

    # Verify signature using constant-time comparison
    if not hmac.compare_digest(provided_sig, expected_sig):
        return {'error': 'Invalid signature'}, 401

    # Parse and process the alert payload
    payload = request.get_json()
    print(f"Alert received for {payload['hostname']}: {payload['process_name']}")

    # Process the alert...

    return {'success': True}, 200

Example Verification Code (Node.js/Express)

const express = require('express');
const crypto = require('crypto');
const app = express();

const WEBHOOK_SECRET = 'your_webhook_secret'; // Configure this to match your webhook secret

// Keep the raw body bytes: the signature is computed over them, not over parsed JSON
app.use(express.raw({ type: 'application/json' }));

app.post('/webhook', (req, res) => {
    // Get the signature from headers (Node lower-cases header names)
    const providedSig = req.headers['securitysnares-signature'] || '';

    // Compute expected signature over the raw request body
    const expectedSig = crypto
        .createHmac('sha256', WEBHOOK_SECRET)
        .update(req.body)
        .digest('hex');

    // Verify signature using a constant-time comparison. timingSafeEqual requires
    // buffers of equal length, so check the length first instead of using !==
    const provided = Buffer.from(providedSig, 'utf8');
    const expected = Buffer.from(expectedSig, 'utf8');
    if (provided.length !== expected.length || !crypto.timingSafeEqual(provided, expected)) {
        return res.status(401).json({ error: 'Invalid signature' });
    }

    // Parse and process the alert payload
    const payload = JSON.parse(req.body.toString());
    console.log(`Alert received for ${payload.hostname}: ${payload.process_name}`);

    // Process the alert...

    res.json({ success: true });
});

app.listen(3000);

Retry Logic and Delivery Status

SecuritySnares implements automatic retry logic for failed webhook deliveries:

  • Initial Delivery: When an alert is detected, the system immediately attempts to deliver the webhook
  • Retry Attempts: If delivery fails, the system will retry up to 3 times.
  • Final Status: After 3 failed retry attempts, the webhook is marked as failed

Response Codes

Your webhook endpoint should return:

  • 2xx status codes (200-299): Successfully received and processed
  • Non-2xx status codes: Delivery failure - will trigger retry logic

Monitoring Webhook Delivery

You can monitor webhook delivery status in the Audit Trail page:

  • Filter by Webhook Delivery action type
  • View delivery status:
    • Delivered: Successfully sent
    • Retry: Currently being retried
    • Failed: Failed after all retry attempts
  • Each entry shows the webhook URL, attempt number, and response code (for failures)

Common Failure Modes

Network Connectivity Issues

Solutions:

  • Verify the webhook URL is publicly accessible
  • Check firewall rules allow inbound connections from SecuritySnares servers
  • Verify the endpoint uses HTTPS

Signature Verification Failures

Solutions:

  • Verify the secret configured in SecuritySnares matches your verification code
  • Ensure you're computing the HMAC signature on the raw request body (not parsed JSON)
  • Use constant-time comparison functions (e.g., hmac.compare_digest() in Python) to prevent timing attacks
  • Check for encoding issues (secret should be UTF-8 encoded)
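The following is an added, framework-independent example (not SecuritySnares' own code) covering both the HMAC-SHA256 signature scheme described under "HMAC Signature Verification" and the signature failure modes listed above: it signs and verifies the documented example payload over the raw bytes, parses the documented payload fields, and shows why verifying against re-serialized JSON instead of the raw body fails. The secret and the header dictionary are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

HEADER_NAME = "SecuritySnares-Signature"

# Field names as documented under "Payload Fields".
REQUIRED_FIELDS = ("hostname", "process_name", "process_file_path", "process_md5",
                   "ip_address", "mac_address", "action_taken", "alert_time")


def sign_body(secret: str, raw_body: bytes) -> str:
    """Header value as documented: hex(HMAC-SHA256(secret, request_body)),
    computed over the raw request bytes with a UTF-8 encoded secret."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, provided_sig: Optional[str]) -> bool:
    """Constant-time comparison of the header against the expected digest.
    A missing or empty header is a verification failure, not an exception."""
    if not provided_sig:
        return False
    expected = sign_body(secret, raw_body).encode("ascii")
    # Normalise hex case so an upper-cased header still verifies; compare as
    # bytes so a malformed (non-ASCII) header cannot raise TypeError.
    provided = provided_sig.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, provided)


@dataclass(frozen=True)
class Alert:
    hostname: str
    process_name: str
    process_file_path: str
    process_md5: str
    ip_address: str
    mac_address: str
    action_taken: str
    alert_time: datetime  # converted from the documented epoch-seconds integer


def parse_alert(raw_body: bytes) -> Alert:
    """Parse the JSON body (only after verify_signature succeeded) and reject
    bodies that lack any documented field."""
    data = json.loads(raw_body.decode("utf-8"))
    missing = [name for name in REQUIRED_FIELDS if name not in data]
    if missing:
        raise ValueError(f"payload missing fields: {missing}")
    fields = {name: data[name] for name in REQUIRED_FIELDS if name != "alert_time"}
    return Alert(alert_time=datetime.fromtimestamp(int(data["alert_time"]), tz=timezone.utc),
                 **fields)


def handle_webhook(secret: str, headers: Dict[str, str], raw_body: bytes) -> Tuple[int, dict]:
    """Handler logic: 401 on a bad signature (a non-2xx reply, which the portal
    treats as a delivery failure), 200 once the alert has been parsed."""
    if not verify_signature(secret, raw_body, headers.get(HEADER_NAME)):
        return 401, {"error": "Invalid signature"}
    alert = parse_alert(raw_body)
    return 200, {"success": True, "hostname": alert.hostname,
                 "alert_time": alert.alert_time.isoformat()}


# Constructed sample: the documented example payload as multi-line JSON and a
# placeholder secret. Neither value comes from a real deployment.
SAMPLE_SECRET = "example-secret-placeholder"
SAMPLE_BODY = (
    b'{\n'
    b'  "hostname": "host.example.com",\n'
    b'  "process_name": "suspicious.exe",\n'
    b'  "process_file_path": "C:\\\\path\\\\to\\\\suspicious.exe",\n'
    b'  "process_md5": "d41d8cd98f00b204e9800998ecf8427e",\n'
    b'  "ip_address": "192.168.1.100",\n'
    b'  "mac_address": "00:11:22:33:44:55",\n'
    b'  "action_taken": "blocked",\n'
    b'  "alert_time": 1623456789\n'
    b'}'
)


def reserialisation_pitfall(secret: str = SAMPLE_SECRET,
                            raw_body: bytes = SAMPLE_BODY) -> Dict[str, bool]:
    """The failure mode from the troubleshooting list: re-serialising the parsed
    JSON changes the bytes (whitespace), so the digest no longer matches."""
    sig = sign_body(secret, raw_body)
    reserialised = json.dumps(json.loads(raw_body)).encode("utf-8")
    return {
        "raw_body_verifies": verify_signature(secret, raw_body, sig),
        "reserialised_verifies": verify_signature(secret, reserialised, sig),
        "bytes_identical": reserialised == raw_body,
    }
```

Call reserialisation_pitfall() to see the raw body verify and the re-serialised copy fail against the same header; handle_webhook() is the piece to wire into your HTTP framework's raw-body handler.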

Rate Limiting

Solutions:

  • SecuritySnares respects rate limiting responses
  • If you implement rate limiting, ensure limits are appropriate for your alert volume
  • Consider using a webhook proxy or queueing service if you receive high volumes

SSL/TLS Certificate Issues

Solutions:

  • Ensure your endpoint uses a valid SSL/TLS certificate
  • Certificate should be from a trusted Certificate Authority (CA)
  • Self-signed certificates are not supported for security reasons

Service Protection & Uninstalling

To prevent unwanted removal of the SecuritySnares agent, SecuritySnares has built-in Service Protection capabilities. This prevents end users and/or malicious actors from disabling or removing the protection SecuritySnares provides.

System Administrators will want to configure their Uninstall Password by navigating to the Settings & Policies → Uninstall Password page, then selecting Update uninstall password. The new uninstall password is propagated to agents in a secure fashion.

Troubleshooting

Common Installation Issues

Agent Not Appearing in Portal

If the agent doesn't appear in the web portal after installation:

  1. Verify Network Connectivity

    • Ensure the endpoint can reach *.securitysnares.com on port 443
    • Test connectivity: Test-NetConnection api-prod.securitysnares.com -Port 443
    • Check firewall rules and proxy settings
  2. Verify API Configuration

    • Check that the correct API URL and API Key were provided during installation
    • Review settings at: C:\ProgramData\SecuritySnares\settings.json (encrypted)
    • Use SecuritySnares.Agent.Service.exe --show-config to display current configuration
  3. Check Service Status

    • Open Windows Services and verify "SecuritySnares Agent" is running
    • If stopped, attempt to start the service manually
    • Check Event Viewer for service-related errors
  4. Review Installation Logs

    • Check C:\ProgramData\SecuritySnares\Logs\ransomsnare.install.bootstrapper.log
    • Review C:\ProgramData\SecuritySnares\Logs\ransomsnare.install.msi.log
    • Look for error messages indicating installation failures

.NET Runtime Issues

If you encounter .NET-related errors:

  1. Verify .NET Runtime 6 or later is installed
  2. Download and install .NET Runtime from Microsoft
  3. Use the self-contained .exe installer which includes .NET

Permission Errors

If you see permission-related errors during installation:

  1. Ensure the installer is run with administrator privileges
  2. Right-click the installer and select "Run as administrator"
  3. Verify the user account has local administrator rights

Driver Installation Failures

If the filesystem driver fails to install:

  1. Check that Secure Boot allows third-party drivers (if applicable)
  2. Verify no other security software is blocking driver installation
  3. Review Windows Event Viewer for driver-related errors
  4. Contact SecuritySnares support for driver signing verification

General Troubleshooting Commands

There are some basic commands that can be executed using SecuritySnares.Agent.Service.exe:

  • --version - just print version and exit
  • --api-key - configure api key, value must be in the next argument
  • --api-url - configure api url, value must be in the next argument
  • --alert-only - configure alert only mode, value must be in the next argument. Accepted values: on|true|1, or off|false|0
  • --self-hosted - put the agent into self-hosted mode (no communication to backend), value must be in the next argument. Accepted values: on|true|1, or off|false|0
  • --sys-events - write events to system event log, value must be in the next argument. Accepted values: on|true|1, or off|false|0
  • --config - store config values passed from command-line to settings.json
  • --install - installs and starts the service
  • --uninstall - stops and uninstalls the service
  • --show-config - display agent config in console

Should there be an issue with an endpoint, such as resource utilization or conflicts with other software, please collect the logs from the endpoint and send them to your SecuritySnares representative.

To do this, navigate to portal.securitysnares.com/agents, click the ellipsis (three dots) next to the host, and click Collect Logs.

This issues a command to the agent, and within a few minutes, the command will be received by the agent. The agent will then collect the logs and post a zip file to the web application. A red dot will appear, indicating the logs are ready.

Click the ellipsis button again, and click Agent Logs. You may then download the latest logs.

To troubleshoot yourself, please refer to the Files and Folders Structure section of this document for information on the various logs.

Should the issue need escalation, please refer to the Support section of this document.

Configuration

Files and Folders Structure

Main app folder

By default, SecuritySnares is installed into C:\Program Files\SecuritySnares on Windows and /etc/securitysnares on Linux. Executable files in this folder:

  • SecuritySnares.Agent.exe - application engine, a .NET console application that can be used for debugging purposes when the service is down. It must be started with admin privileges or it will be unable to communicate with the driver. Coordinates the work of all components and communicates with the API. You can print the version and exit using the --version command-line argument.

  • SecuritySnares.Agent.Service.exe - Windows service, .NET application. Supported command-line arguments are:

    • --version - just print version and exit
    • --api-key - configure api key, value must be in the next argument
    • --api-url - configure api url, value must be in the next argument
    • --alert-only - configure alert only mode, value must be in the next argument. Accepted values: on|true|1, or off|false|0
    • --config - store config values passed from command-line to settings.json
      • ex. -config --self-hosted on
    • --install - installs and starts the service
    • --uninstall - stops and uninstalls the service
  • SecuritySnares.Agent.UI.exe - WPF application, runs in background in user session. It's added to autorun via registry key. Listens to notifications from the service, displays notifications

  • Ransomsnare.Updater.v2.exe - part of automatic updates system. When a self-update package is downloaded, this app is started under SYSTEM account, stops the service, replaces files and starts the service back

  • SecuritySnaresLib.dll - C++ library responsible for communication between the driver and the agent. Performs process trust checks and verifies digital signatures. For better performance it answers the driver first, so it does not delay I/O. It sends notifications to the agent only when necessary: to fill the recovery queue (untrusted file changes), or to start the recovery process (the suspicious process has already been killed and the collected changes are to be reverted). The agent then communicates with the web portal API and displays UI notifications according to the app settings.

Data Folder

By default, the SecuritySnares data folder is C:\ProgramData\SecuritySnares on Windows or /usr/share/SecuritySnares on Linux. Files and folders inside:

  • Backup - folder with backup files. On start, the agent tells the driver the location of the backup folder; without it, the driver cannot make backups and does not function. Write access is prohibited by the driver: files there cannot be changed or renamed, but they can be created or deleted.

  • CrashLogs - application crash logs. If the agent service is unexpectedly terminated, on the next start it detects this event, collects all necessary log files and puts it there. When possible, uploads to web console.

  • Logs - logs folder

  • Temp - folder for temporary files, e.g. self-update packages

  • agent.lock - lock file, created when the service starts, removed when it stops

  • settings.json - settings file

Logs Folder

By default, the SecuritySnares logs folder is C:\ProgramData\SecuritySnares\Logs on Windows or /usr/share/SecuritySnares/Logs on Linux. Files inside:

  • ransomsnare.agent.log - Agent-related logs. Errors in the agent itself, information about startup or shutdown sequence.

  • ransomsnare.api.log - Detailed information about communication with the web portal. Requests/responses, errors.

  • securitysnares.corelib.log - Logs from lower level, coming from SecuritySnaresLib.dll. Verbosity can be changed in settings.

  • ransomsnare.install.bootstrapper.log - Logs from .exe installer - full install sequence, which dependencies it installs and why.

  • ransomsnare.install.msi.log - Verbose logs from agent .msi install. Which files are copied, install actions - installing drivers, services, etc.

  • ransomsnare.recovery.log - Logs from recovery queue. Which file changes are queued from which process, and in case if recovery starts - verbose log which files were recovered and which ones were deleted. Also, errors during recovery.

Log File Management:

  • Each log file has a maximum size of 10MB
  • Old log files are regularly removed automatically to prevent excessive disk usage

Settings.json

The unencrypted version of settings.json resembles the following:

{
    "server_url": "https://ransomsnare-api.securitysnares.com/",
    "updates_url": "https://ransomsnare.securitysnares.com/updates/",
    "poll_url": "/poll",
    "alerts_url": "/alerts",
    "api_key": "111111111111111",
    "instance_id": "22222222222222",
    "last_installed_version": null,
    "polling_interval": 60,
    "lib_log_level": 0,
    "alert_only": false,
    "suspend_only": false,
    "notification_type": "dialog",
    "show_system_tray": false,
    "notification_message": null,
    "report_system_event_log": true,
    "self_hosted": false
}

Fields in the settings file:

  • server_url - root url of the web portal server. Used to poll commands, obtain whitelist, report alerts, etc. Populated via API_URL field during agent installation.
  • updates_url - root url of the updates server. Can be used to override default updates url
  • poll_url - not used at the moment. Absolute or relative (to server_url) url to poll commands from.
  • alerts_url - not used at the moment. Absolute or relative (to server_url) url to report alerts to.
  • api_key - api key for the customer's tenancy within the web portal. Populated via API_KEY field during agent installation.
  • instance_id - auto generated unique host id. This is to identify agent on the web portal
  • last_installed_version - filled by the app, used for self-update mechanism
  • polling_interval - interval, in seconds, between requesting commands from the web portal.
  • lib_log_level - verbosity level of the core library (between the driver and the agent). 0=DEBUG,1=INFO,2=WARN,3=ERR. Larger number = less verbosity
  • alert_only - alert only flag (true|false). Can be set using ALERT_ONLY field during agent installation.
  • suspend_only - suspend only flag (true|false). If set to true - agent will suspend processes instead of killing
  • notification_type (dialog|systray|msgcenter|none) - not fully supported at the moment, and not on all OS types. Type of notifications - popup dialog, system tray, message center, or no notifications.
  • show_system_tray (true|false) - if set to true, displays an icon in the system tray.
  • notification_message - custom text for notification message
  • report_system_event_log (true|false) - if set to true, writes alerts to system event log
  • self_hosted (true|false) - if set to true, turns agent to self-hosted mode, when it doesn't communicate to the web portal and doesn't check for updates.

Settings

For Windows, settings.json is usually located at C:\ProgramData\SecuritySnares\

As settings.json is encrypted, if you need to make configuration changes, open cmd.exe as an Administrator. The following are examples of configuration changes that can be made:

C:\Program Files\SecuritySnares>SecuritySnares.Agent.Service.exe -config --alert-only on

C:\Program Files\SecuritySnares>SecuritySnares.Agent.Service.exe -config --alert-only off

C:\Program Files\SecuritySnares>SecuritySnares.Agent.Service.exe -config --api-url https://api-staging.securitysnares.com/

If you receive the following error, it is because you are not running cmd.exe as administrator:

C:\Program Files\SecuritySnares>SecuritySnares.Agent.exe -config --alert-only off
Unhandled exception. System.ArgumentNullException: Path cannot be null. (Parameter 'path')
at System.IO.Strategies.FileStreamHelpers.ValidateArguments(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, Int64 preallocationSize)
at System.IO.FileStream..ctor(String path, FileMode mode)
at SecuritySnares.Agent.Util.FileEncryptUtil.WriteAllText(String fileName, String text) in C:\Work\Outside\EcorRuge\securitysnares-agent\src\agent\SecuritySnares.Agent\Util\FileEncryptUtil.cs:line 113
at SecuritySnares.Agent.Settings.SettingsFile.Save() in C:\Work\Outside\EcorRuge\securitysnares-agent\src\agent\SecuritySnares.Agent\Settings\SettingsFile.cs:line 160
at Program.<Main>$(String[] args) in C:\Work\Outside\EcorRuge\securitysnares-agent\src\agent\SecuritySnares.Agent\Program.cs:line 190
at Program.<Main>(String[] args)

Support

SecuritySnares is available for contact:

By phone

  • US: +1 888-326-5761
  • Europe: +44 808-812-7289
  • Asia Pacific: +61 1800 920 730

By email

By Slack

  • Ask your SecuritySnares representative for an invite!