Configuring Shadow Copies

Shadow Copies is a technology included in Microsoft Windows that enables you to transparently create backup copies of the files stored on a user computer.

From the Advanced EDR console, you can centrally and remotely interact with the Shadow Copies service on the computers on the network, using it as a remediation tool against ransomware attacks.

Characteristics of Shadow Copies in Advanced EDR

Advanced EDR complements the Shadow Copies service included in Microsoft Windows with additional features to protect user data from threats:

  • Configure and manage a backup (snapshot) repository separately from other repositories the user might have created.

  • Protect the service and the snapshots from changes made by threats or the user. This prevents the service from being stopped or the backup copies made by Advanced EDR from being deleted.

  • Specify the percentage of hard disk space you want to use for backup copies (this is 10% by default).

  • Make a backup copy of the files every 24 hours. The first copy is made when you enable the feature (it is disabled by default).

  • Save up to seven copies of each file, depending on the free space allocated to the repository. If there is not enough space, older backup copies are deleted.

Requirements

  • Operating system:

    • Windows Vista and higher.

    • Windows 2003 Server and higher.

  • Enough free disk space to make backup copies.

  • Storage media identified by the operating system as fixed (internal and USB-connected hard disks) and NTFS disks.

Accessing the Shadow Copies feature

  • Select the Settings menu at the top of the console. Select Per-computer settings from the side menu. A list appears with all created settings profiles.

  • Click an existing profile or create a new one.

  • In the Shadow Copies section, click the toggle to enable the feature. Specify the percentage of disk space you want to use for backup copies on user computers.

Although Advanced EDR uses snapshots that are independent of the ones created by the user or the network administrator, all of them share the same settings. Additionally, the maximum disk space set in the management console has priority over other settings established by the network administrator.
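To confirm on an endpoint that the profile has taken effect, the following PowerShell audits the Windows Shadow Copies state against the values described above. It is an added example, not part of Advanced EDR or its documentation; it uses only the standard Windows WMI classes Win32_Volume, Win32_ShadowStorage and Win32_ShadowCopy. The parameter names and the 1-point tolerance are assumptions, and because WMI does not record which product created a snapshot, the counts include any copies made by the user or the administrator.

```powershell
# Added example: audit VSS state on one endpoint (run from an elevated session).
# $ExpectedPercent and $MaxAgeHours are assumed names; their defaults come from
# this page (10% of disk space, one backup copy every 24 hours).
param(
    [int]$ExpectedPercent = 10,
    [int]$MaxAgeHours     = 24
)

# Fixed NTFS volumes only (DriveType 3 = local disk), as in the Requirements section.
$volumes = Get-CimInstance Win32_Volume -Filter "DriveType = 3 AND FileSystem = 'NTFS'"
$storage = Get-CimInstance Win32_ShadowStorage
$copies  = Get-CimInstance Win32_ShadowCopy

foreach ($vol in $volumes) {
    # Win32_ShadowStorage.Volume is a reference to the protected Win32_Volume.
    $quota = $storage | Where-Object { $_.Volume.DeviceID -eq $vol.DeviceID } |
             Select-Object -First 1
    # Every snapshot on this volume, whichever product created it.
    $snaps  = @($copies | Where-Object { $_.VolumeName -eq $vol.DeviceID })
    $newest = $snaps | Sort-Object InstallDate -Descending | Select-Object -First 1

    $percent  = if ($quota -and $vol.Capacity) {
        [math]::Round(100 * $quota.MaxSpace / $vol.Capacity, 1) } else { $null }
    $ageHours = if ($newest) {
        [math]::Round(((Get-Date) - $newest.InstallDate).TotalHours, 1) } else { $null }

    $findings = @()
    if ($null -eq $percent) {
        $findings += 'no shadow storage configured'
    } elseif ([math]::Abs($percent - $ExpectedPercent) -gt 1) {
        # An unbounded quota shows up here as a value far above 100%.
        $findings += "quota is $percent% of the volume (expected $ExpectedPercent%)"
    }
    if ($snaps.Count -eq 0) {
        $findings += 'no snapshots present'
    } elseif ($ageHours -gt $MaxAgeHours) {
        $findings += "newest snapshot is $ageHours hours old"
    }

    [pscustomobject]@{
        Volume        = if ($vol.DriveLetter) { $vol.DriveLetter } else { $vol.DeviceID }
        QuotaPercent  = $percent
        UsedGB        = if ($quota) { [math]::Round($quota.UsedSpace / 1GB, 2) } else { $null }
        SnapshotCount = $snaps.Count
        NewestAgeH    = $ageHours
        Findings      = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

A volume that reports no snapshots or a newest snapshot older than 24 hours after the feature has been enabled is worth investigating, since snapshot deletion is a common ransomware step.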

Using filters to find computers with Shadow Copies enabled

  • Select the Computers menu at the top of the console.

  • From the side panel, click the icon. The filter tree appears.

  • Select a folder. Click the icon. A context menu appears.

  • Select Add filter. The Add filter window opens.

  • Configure the filter with these values:

    • Category: Computer

    • Property: Shadow Copies

    • Operator: Is equal to

    • Value: Enabled