Get Support
Forums
Knowledge Base
Data Recovery
Security Notices
Downloads
Warranty Information
Find and download the latest product firmware, utility or driver.
Partner Program
Red Rewards
Deal Registration
Case Studies & White Papers
Webinars
Helpful Tips & Articles
About Buffalo
Buffalo Compliance Information
Trademarks
Legal
Press Releases
Search by either entering keywords/KB_ID or by selecting a category.
OR
KB ID: 5923
Product: TS6000 Series | TS5020 Series | TS71210 Series | TS3030 Series
Last Updated: 08/01/2025
Applies to TeraStation 5020 / 3030 series firmware v2.10 or later TeraStation 71210 firmware v1.42 or later TeraStation 6000 firmware v6.20 or later
This feature monitors shared folders at set intervals for abnormal file activity that could signal a potential ransomware or malware threat as indicated by: • Changes beyond a pre-configured threshold to the total number of files in the folder (Not available on TS3030 series) • Changes beyond a pre-configured threshold to the total size of all files in the folder (Not available on TS3030 series) • Changes to the extension of any file in the folder, such as ransomware-specific extension
This feature creates snapshots of shared folders at set intervals and compares them to monitor whether changes in the folder exceeded the threshold. If an abnormal file activity is detected, I78-1 alert will be triggered. It is also suggested to configure Email notification to receive the abnormal file activity alert email for immediate reaction.
For more information about the abnormal file activity monitoring feature, please refer to the User Manual.
Establish a file activity baseline If this is your first time configuring abnormal file activity monitoring, we recommend simply enabling abnormal file activity monitoring and then use the TeraStation as normal for a few days. This will establish a file activity baseline that you can use to arrive at a more precise file count or file size threshold value.
• From WEBUI, click Management. Move the Abnormal File Activity Monitoring switch to the right to enable it. This will start the abnormal file activity monitoring but without any alert triggering. Note: Enabling the abnormal file activity monitoring will also start taking snapshots on the NAS Shares base on the monitoring interval. Only the most recent snapshot is retained, with older ones automatically deleted.
Monitoring Abnormal File Activity by File Count Note: Not available on TS3030 series • Click the settings icon to the right of “Abnormal File Activity Monitoring”.
• You can see the number of files changed during this period on the “File Count” tab. To enable Monitoring Abnormal File Activity by File Count. Enable “Monitor by File Count”. Enter a value for the total number of files into “Alert Threshold”. File Count change include: - Number of Deleted files - Number of Changed files - Number of Renamed files - Number of Created files
• If you have enabled the abnormal file activity monitoring ahead and have established a file activity baseline, you should have a more precise file count threshold value for reference.
• If the entered total file number changes due to potential malware or user action, the I78 alert will be triggered. Also the previous snapshot will be locked for protection and preserved.
Monitoring Abnormal File Activity by File Size Note: Not available on TS3030 series • Click the settings icon to the right of “Abnormal File Activity Monitoring”.
• You can see the total file sizes changed during this period on the “File Size” tab. To enable Monitoring Abnormal File Activity by File Size. Enable “Monitor by File Size”. Enter a value for the total file size into “Alert Threshold”. File Size change include: - Number of MBs changed (created, changed or deleted)
• If you have enabled the abnormal file activity monitoring ahead and have established a file activity baseline, you should have a more precise file size threshold value for reference.
• If the entered total file size changes due to potential malware or user action, the I78 alert will be triggered. Also the previous snapshot will be locked for protection and preserved.
Monitoring Abnormal File Activity by File Extension Monitor if the file extension has been changed to such as a ransomware-specific extension.
• Click the settings icon to the right of “Abnormal File Activity Monitoring”.
• Click the File Extension tab, then enable “Periodic Monitoring” or “Realtime Monitoring (SMB)” or both. o Periodic Monitoring : Enable monitoring of extensions by snapshot difference which taken based on the monitoring interval.
o Realtime Monitoring (SMB protocol only): File extension activities via SMB connections will be monitored in real-time.
The default monitoring extensions contains a list of known ransomware-specific extensions. You may edit the list as desired. To add a new file extension to be monitored, click Add and scroll down to the bottom, then enter a period (.) followed by the file extension. Spaces must not be included.
• If file extension to be monitored was detected, the I78 notification will be triggered.
• If file extension to be monitored was detected via real-time monitoring, a locked snapshot will also be created immediately to preserve remain data.
Changing Monitoring Intervals Shorter monitoring intervals (Snapshot interval) allow for potentially faster detection of abnormal file activity. However, more false positives may also occur. The default Monitoring Interval is 4 hours. Note: Only the most recent snapshot is retained, with older ones automatically deleted.
• Click General Settings at the bottom left corner of the Abnormal file Activity Monitoring Settings window. • Change the monitoring interval to the desired interval, then click OK.
This site uses cookies in order to improve your user experience and to provide content tailored specifically to your interest. By continuing to browse our site, you agree to our use of cookies. You can view our Privacy Notice here.
