Configuring shadow copies

Shadow Copies is a technology included in Windows that creates snapshots of computer files, even while the files are in use.

From Advanced EDR, you can remotely interact with the Windows Shadow Copies service on the computers on the network, using it as a remediation tool against ransomware attacks.

Characteristics of shadow copies in Advanced EDR

Advanced EDR complements the Shadow Copies service included in Microsoft Windows with additional features to protect user data from threats:

  • Enables you to configure and manage a backup (snapshot) repository separately from other repositories the user might have created.

  • Protects the service and the snapshots from changes made by threats or the user. This prevents the service from being stopped or the backup copies made by Advanced EDR from being deleted.

  • Enables you to specify the percentage of hard disk space to use for backup copies (this is 10% by default).

  • Makes a backup copy of the files every 24 hours. The first copy is made when you enable the feature (it is disabled by default).

  • Retains up to 7 copies of each file at a given time, depending on the free space allocated to the repository. If there is not enough space, older backup copies are deleted.

Requirements

  • Operating system:

    • Windows Vista, Windows 7, or higher.

    • Windows 2003 Server 2012 or higher.

  • Enough free disk space to make backup copies.

  • Storage media identified by the operating system as fixed (internal and USB-connected hard disks) and NTFS disks.

Accessing the shadow copies feature

  • From the top menu, select Settings. From the side menu, select Per-computer settings. A list opens and shows all created settings profiles.

  • Select an existing settings profile or create a new one.

  • In the Shadow Copies section, click the toggle to enable the feature. Specify the percentage of disk space you want to use for backup copies on user computers.

Although Advanced EDR uses snapshots that are independent of the ones created by the user or the network administrator, all of them share the same settings. Additionally, the maximum space value you set for shadow copies in the management console has priority over other space settings established by the network administrator.
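
An added example, not part of the original page or Advanced EDR's own code: a Python check that parses `vssadmin list shadowstorage` output collected from an endpoint and compares the reported maximum with the percentage set in the console. It assumes English-locale output and that the console value is what Windows reports as "Maximum Shadow Copy Storage space"; the sample text and the function names `parse_shadow_storage` and `audit` are constructed for illustration.

```python
import re

# Constructed sample of `vssadmin list shadowstorage` output (English locale).
# Volume GUIDs and sizes are made up for illustration.
SAMPLE = r"""
Shadow Copy Storage association
   For volume: (C:)\\?\Volume{11111111-1111-1111-1111-111111111111}\
   Shadow Copy Storage volume: (C:)\\?\Volume{11111111-1111-1111-1111-111111111111}\
   Used Shadow Copy Storage space: 21.9 GB (9%)
   Allocated Shadow Copy Storage space: 22.4 GB (9%)
   Maximum Shadow Copy Storage space: 23.8 GB (10%)

Shadow Copy Storage association
   For volume: (D:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
   Shadow Copy Storage volume: (D:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
   Used Shadow Copy Storage space: 0 bytes (0%)
   Allocated Shadow Copy Storage space: 0 bytes (0%)
   Maximum Shadow Copy Storage space: 14.3 GB (3%)
"""

HEADER = "Shadow Copy Storage association"
FIELD = re.compile(r"^\s*(For volume|Used|Maximum)[^:\n]*:\s*(.+?)\s*$", re.M)

def parse_shadow_storage(text):
    """Return one dict per association: volume, used_pct, max_pct (None if unreadable)."""
    def pct(value):
        m = re.search(r"\((\d+)%\)", value or "")
        return int(m.group(1)) if m else None
    records = []
    for block in text.split(HEADER)[1:]:
        fields = dict(FIELD.findall(block))
        volume = fields.get("For volume", "?")
        drive = re.match(r"\((\w:)\)", volume)
        records.append({"volume": drive.group(1) if drive else volume,
                        "used_pct": pct(fields.get("Used")),
                        "max_pct": pct(fields.get("Maximum"))})
    return records

def audit(text, policy_pct=10, required=("C:",)):
    """Compare reported limits with the console's percentage (default 10%)."""
    seen = {r["volume"]: r for r in parse_shadow_storage(text)}
    findings = [(v, "no shadow storage association") for v in required if v not in seen]
    for vol, r in seen.items():
        if r["max_pct"] != policy_pct:
            findings.append((vol, f"maximum is {r['max_pct']}%, policy is {policy_pct}%"))
        elif r["used_pct"] is not None and r["used_pct"] >= policy_pct - 1:
            # vssadmin rounds percentages, so this threshold is approximate.
            findings.append((vol, "repository nearly full, older copies will be deleted"))
    return findings
```

A volume whose maximum differs from the console percentage, or that has no storage association at all, is worth checking against the settings profile assigned to that computer.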

Using filters to find computers with shadow copies enabled

  • From the top menu, select Computers.

  • In the side panel, click the icon. The filter tree appears.

  • Select a folder. Click the icon. A context menu appears.

  • Select Add filter. The Add filter dialog box opens.

  • Configure the filter with these values:

    • Category: Computer

    • Property: Shadow Copies

    • Operator: Is equal to

    • Value: Enabled