Security

SolarWinds EDR rollback—the time machine is real

By Michael Tschirret
27 July, 2020

In a previous blog post, I talked about the differences between Managed Antivirus (MAV) and Endpoint Detection and Response (EDR). EDR is a more comprehensive solution and is especially well suited for businesses with Personally Identifiable Information (PII) or other sensitive data at risk. However, the rollback feature is what really sets EDR apart from MAV. It’s an incredible technology that can protect your customers and your own business. Let’s take a closer look at this game-changing aspect of SolarWinds® EDR, powered by SentinelOne. 

The Path to Rollback

SolarWinds EDR offers five different options when it flags a threat. Three can be classified as preventative, meaning they put a stop to damage caused by the threat. The other two options can be classified as response, meaning you can bring an endpoint back to its state prior to attack.

Preventative

  • Kill: This option stops the attack immediately; think of it as the big red button that gets pushed to stop the evil villain’s lair from self-destructing. The malicious process is caught and terminated, whether it is running in one location or several.
  • Quarantine: The quarantine option takes any executables identified as a threat and moves them to a walled-off location where they can no longer run. The files remain available for additional analysis in a sandboxed environment.
  • Disconnect from Network: This option isolates an endpoint from the network. It blocks the endpoint’s network traffic except for its connection to the EDR management console, so the malware cannot spread to the networks the endpoint is connected to while you keep remote control of the agent. You can then investigate what happened using the deep set of forensic tools available in the platform.

Response

  • Remediate: The fourth option removes the damage caused by the threat, but it shouldn’t be considered a full rollback, which, as we see below, “rewinds” to a specific point in time.
  • Rollback: During a rollback, the affected files on the device are restored from a saved Volume Shadow Copy Service (VSS) snapshot, reversing the changes the threat made. It’s an especially helpful feature in a ransomware attack: rolling back the encrypted files restores their pre-attack contents, negating the need to even consider paying the ransom. Note that rollback can only restore what a snapshot holds; files changed after the most recent snapshot, or files on a volume whose shadow copies have been deleted, cannot be rewound.

You can see how these five options are presented in Figure 1 below:


Figure 1 - EDR Mitigation Chain (Source: SentinelOne)


If you choose any of the above as a first action (for example, quarantining a threat), EDR will also apply every available action that comes before it in the chain; in this case, it will apply “kill” as well.

Better than a DeLorean

The key technology behind Rollback is VSS, a feature of the Microsoft Windows operating system. VSS can maintain multiple point-in-time copies (snapshots) of volumes and the files on them, even while those files are in use.

How does this work? It’s roughly akin to taking a digital photo, which carries a time and date stamp. VSS takes a point-in-time snapshot of a volume on a schedule (or on demand) and keeps it so the files it holds can be copied back over a corrupted endpoint. The snapshot gives the end user a picture of their files exactly as they were pre-attack. It’s a powerful technology put to even more powerful use in rollback.

Sounds great, you think, and maybe resource intensive. Good news: it’s not. VSS is highly efficient because a snapshot does not copy the whole volume. It works copy-on-write: the original contents of a block are preserved only when that block is about to change after the snapshot was taken, so the space a snapshot consumes is proportional to what has changed since it was created, not to the size of the volume.

For those who are wondering, VSS was introduced with Windows XP and Windows Server 2003, and has been available in every version of Windows since. Rollback is included in agents for Windows Vista/Windows Server 2008 R2 and onward. At this time, it’s not supported on macOS or Linux.
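As an added example (not code from this post, from SolarWinds, or from SentinelOne), the following PowerShell script performs by hand, for a single file, what rollback automates: take a VSS snapshot, damage the file, then restore it from the snapshot. It assumes administrator rights on a Windows host with VSS enabled on the C: volume; the demo file and the symlink path are hypothetical and are created by the script itself.

```powershell
# Added example, not SolarWinds/SentinelOne code: a manual single-file "rollback"
# from a VSS snapshot, to show the mechanism the EDR agent automates.
# Assumptions: run as Administrator in Windows PowerShell 5.1 or later on a volume
# with VSS enabled; the paths below are hypothetical demo paths created here.
$Target = 'C:\Temp\rollback-demo.txt'      # constructed demo file, not real data
$Link   = 'C:\shadow-link'                 # directory symlink that will point into the snapshot

New-Item -ItemType Directory -Path (Split-Path $Target) -Force | Out-Null
Set-Content -Path $Target -Value 'clean contents before the attack'

# 1. Take a point-in-time snapshot of the volume. Rollback restores from snapshots like this one.
$volume = (Get-Item $Target).PSDrive.Root   # 'C:\'
$create = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
              -Arguments @{ Volume = $volume; Context = 'ClientAccessible' }
if ($create.ReturnValue -ne 0) { throw "Shadow copy creation failed (code $($create.ReturnValue))" }
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $create.ShadowID
Write-Host "Snapshot $($shadow.ID) taken at $($shadow.InstallDate)"

# 2. Simulate the damage: overwrite the file, standing in for encryption by ransomware.
Set-Content -Path $Target -Value 'ENCRYPTED: pay the ransom'

# 3. Expose the snapshot as a directory. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; mklink needs the trailing backslash.
cmd /c mklink /d $Link "$($shadow.DeviceObject)\" | Out-Null

# 4. Copy the pre-attack version back over the damaged file and verify it.
#    Only files held by a surviving snapshot can be restored this way: if the shadow copies
#    were deleted, or the file changed after the last snapshot, there is nothing to rewind to.
$relative = $Target.Substring($volume.Length)             # 'Temp\rollback-demo.txt'
Copy-Item -LiteralPath (Join-Path $Link $relative) -Destination $Target -Force
if ((Get-Content -Path $Target) -eq 'clean contents before the attack') {
    Write-Host 'Rollback succeeded: file matches the pre-attack snapshot.'
} else {
    Write-Warning 'Rollback failed: file does not match the snapshot.'
}

# 5. Demo cleanup only. An EDR agent keeps its snapshots; it would not delete them.
cmd /c rmdir $Link | Out-Null
$shadow | Remove-CimInstance
```

The check a practitioner should take away from this is the precondition: a snapshot has to exist before the attack and still exist afterwards. `Get-CimInstance Win32_ShadowCopy` (or `vssadmin list shadows`) shows whether a volume has any shadow copies at all; an endpoint whose snapshots are gone has nothing for rollback to restore from, whatever the agent is capable of.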

Why rollback?

Simple—one click can infect your entire network. Our Ransomware Rescue infographic goes into great detail about this scourge and how to help prevent it, but consider the following statistics found in the document:

  • 16.2 days was the average downtime businesses experienced at the end of 2019 due to ransomware attacks
  • A business will fall victim to a ransomware attack every 11 seconds by 2021, according to the prediction cited there
  • $20 billion is the predicted cost of ransomware damages in 2021

Rollback: cost benefit analysis

At this point, you’re probably thinking, “I’m sold. What does this feature cost?” While EDR does cost a bit more than traditional MAV, it’s important to consider what you gain in functionality as opposed to incremental cost. 

We’ve said it before, and it bears repeating: there’s a place in organizations for both MAV and EDR, depending on use cases. But if you fall into the latter camp for the reasons delineated at the beginning of this article, consider what costs more: a bit more per seat for EDR, or four to six hours of technician time to reimage each infected endpoint. That cost goes up by orders of magnitude when an incident hits many endpoints in a large organization. And don’t forget that downtime is the most critical cost of all: when employees aren’t working, productivity and profits drop with them. Rollback can avoid most of this cost.

Rollback in action

A ransomware attack is simple in its intent, but extraordinarily complex in its execution. To that end, we’ve created a demo video that simulates a ransomware attack and shows you how the rollback feature works. It’s a great look at how an attack unfolds and how Rollback wins the day, undoing the damage. 

Some things are too good to be true. The rollback feature isn’t one of them. Being able to provide your customers incredible peace of mind and bolster their security—especially when predatory attacks on businesses are on the rise—is huge. Learn more about SolarWinds EDR here, or contact your account representative. You’ll be glad you did.


Michael Tschirret, Sr. Product Marketing Manager, EDR


Additional reading

A Short History of EDR
EDR vs. Managed Antivirus: What You Need to Know
EDR vs. Managed Antivirus—Which Solution is for You?