HOW DOES SOPHOS INTERCEPT X RECOVER THE ALREADY ENCRYPTED FILES WHEN CRYPTOWARE INFECTS?

Could someone please advise?

Thanks

Paul

  • Hey Paul!

    CryptoGuard sits in the background and, when it identifies a process that has the possibility of being ransomware, watches when a business file is opened for write, and a temporary copy is made on the local drive. This copy is made using our own technology so that it is not affected by techniques such as deleting shadow copies that any ransomware variants use. Later, if the original is maliciously encrypted (and CryptoGuard can determine this via entropy checks etc.), the copy of the original file is restored. The copies are purged when it is determined that the originals have not been encrypted by ransomware - thus the cache of these temporarily copied files does not continue to grow and grow.

    I hope this helps!

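A simplified model of the cache-on-write and entropy-triggered rollback the answer above describes, added here as an illustration and not Sophos's or CryptoGuard's own code. It assumes an illustrative 7.0 bits/byte entropy threshold and uses constructed sample content; a benign edit leaves the file as written and purges the cached copy, while an overwrite that turns readable data into ciphertext-like data rolls the original back.

```python
import math
import os
import pathlib
import random
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed bits/byte cut-off; CryptoGuard's own heuristics are not public here
ORIGINAL = b"Quarterly report: revenue up 4%, costs flat. " * 60  # constructed "business file"
SIMULATED_CIPHERTEXT = random.Random(7).randbytes(4096)  # constructed stand-in for an encrypted file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4.5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class WriteGuard:
    """Toy cache-on-write guard: snapshot before a write, restore or purge after it."""
    def __init__(self, cache_dir: str):
        os.makedirs(cache_dir, exist_ok=True)
        self.cache_dir, self.cache = cache_dir, {}  # cache: watched path -> pre-write copy

    def before_write(self, path: str) -> None:
        copy = os.path.join(self.cache_dir, f"{len(self.cache)}.bak")
        shutil.copy2(path, copy)
        self.cache[path] = copy

    def after_write(self, path: str) -> str:
        copy = self.cache.pop(path)
        with open(copy, "rb") as f, open(path, "rb") as g:
            before, after = shannon_entropy(f.read()), shannon_entropy(g.read())
        if before < ENTROPY_THRESHOLD <= after:  # readable data became ciphertext-like
            shutil.move(copy, path)  # roll the cached original back over the encrypted file
            return "restored"
        os.remove(copy)  # benign write: purge so the cache does not keep growing
        return "purged"

def run_scenario(new_content: bytes) -> tuple:
    """Write ORIGINAL to a temp file, overwrite it under the guard, return (verdict, final bytes)."""
    with tempfile.TemporaryDirectory() as work:
        guard = WriteGuard(os.path.join(work, "cache"))
        target = pathlib.Path(work, "report.txt")
        target.write_bytes(ORIGINAL)
        guard.before_write(str(target))
        target.write_bytes(new_content)  # the watched process's write, benign or malicious
        return guard.after_write(str(target)), target.read_bytes()
```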
  • How large is the cache able to grow to? For example, if a multi-gig .ISO/.ZIP/etc file were to be encrypted (by malicious means or otherwise), is there a scenario where the cache may become overwhelmed such that it cannot keep up with additional files that become encrypted as part of a ransomware attack before it is able to terminate the malicious process?