DATA SECURITY - Issue Ransomware Detection

DATA SECURITY - Issue Ransomware Detection


I configure a test serveur with the Data Security (Version : 6.0.4 / Build : 6043)
I create this alert (Ransomeware)

I create a PS script to :
* Disabled user access on share folder (it's faster than disabled user on AD)
* and of course disabled user on AD
This script works. It is not optimized because I'm not an expert, but it works
  1. $_SRV = $args[0]
    $_USR = $args[1]

    $_DRIVE = "R:"

    $_DATE_FULL = Get-Date -Format "yyyyMMdd HH:mm"
    $_DATE = Get-Date -Format "yyyyMMdd"

    New-SmbMapping -LocalPath "$_DRIVE" -RemotePath "\\\SHARE\CRYPTO"
    $_LOG = "$_DRIVE\CRYPTO-$_DATE-$_SRV.txt"

    ADD-content -Path $_LOG -value "--- $_DATE_FULL ---"
    ADD-content -Path $_LOG -value "SERVEUR : $_SRV"
    ADD-content -Path $_LOG -value "UTILISATEUR : $_USR"

    Disable-ADAccount -Identity $_USR

    ADD-content -Path $_LOG -value "L'utilisateur : $_USR a ete desactive a $_DATE_FULL"

    $MesPartages = Get-WmiObject Win32_Share -computer $_SRV

    foreach ($UnPartage in $MesPartages){
       Block-SmbShareAccess -Name $UnPartage.Name -Cimsession $_SRV -AccountName $_USR
       # $UnPartage | gm
       ADD-content -Path $_LOG -value "L'utilisateur a ete bloquĂ© sur le partage : $UnPartage"

    Remove-SmbMapping -LocalPath "$_DRIVE" -force

I have a soft (Bulk Rename Utility.exe) to test mass renaming extension (ex : .docx to .zepto or .777)
I teste to rename 300 files in same time.
I constate that my script is just executing if i run 2x times my soft while DS (datasecurity) detected the alerte on both executions

I don't understandwhy it is not executed immediatly when Datasecurity detect the first "ransomware" extension.