Why didn't Huntress detect/block a malicious file/activity/ransomware?
Huntress is not a preventive security solution. Huntress was created to find malware that has slipped past preventive products and established a foothold on the host. There are three main components to Huntress: Persistent Foothold Detection, Ransomware Canaries, and External Recon.
Huntress detects malware by looking for the footholds malware adds to start itself when the system boots or a user logs in. Huntress analyzes persistence mechanisms such as services, scheduled tasks, registry run keys, and other auto-start locations provided by Windows that can be used by malware to establish a foothold. Huntress focuses on finding these malicious footholds, leaving complete system scans, behavioral analysis/process monitoring, and network monitoring to preventive security solutions. This strategy intends to find persistent malware that has slipped past these other solutions.
Since Huntress only looks for footholds, it does not scan every file on the system, monitor running processes, or monitor network traffic.
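The auto-start locations named above (registry Run keys, services, scheduled tasks and the Startup folders) can be reviewed by an administrator directly. The following PowerShell script is an added example written for this page, not Huntress's own code or its detection logic: it enumerates those locations and flags entries whose executable is unsigned, cannot be resolved, or lives outside the Windows and Program Files directories. The function names and that "suspicious" heuristic are this example's own assumptions; it is meant to run in an elevated PowerShell session on Windows.

```powershell
# Added example, not Huntress's own code: enumerate common Windows auto-start
# locations and flag entries worth a closer look. Function names and the
# heuristic in Test-SuspiciousEntry are assumptions made for this example.

function Get-AutoStartEntries {
    $entries = New-Object System.Collections.Generic.List[object]

    # Registry Run / RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $entries.Add([pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Command = [string]$p.Value })
        }
    }

    # Services configured to start automatically at boot.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object StartMode -eq 'Auto') {
        $entries.Add([pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Command = $svc.PathName })
    }

    # Enabled scheduled tasks, one entry per action.
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $entries.Add([pscustomobject]@{
                Type    = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = ("$($a.Execute) $($a.Arguments)").Trim()
            })
        }
    }

    # Per-user and all-users Startup folders.
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($f in Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue) {
            $entries.Add([pscustomobject]@{ Type = 'StartupFolder'; Name = $f.FullName; Command = $f.FullName })
        }
    }
    return $entries
}

# Pull the executable out of a command line, handling both
# "C:\some dir\a.exe" /arg  and  C:\dir\a.exe /arg forms. An unquoted path
# containing spaces will be cut at the first space and end up flagged, which
# is acceptable here: unquoted service paths deserve a look anyway.
function Get-ExecutablePath([string]$command) {
    if ([string]::IsNullOrWhiteSpace($command)) { return $null }
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $null
    }
    $first = ($c -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($first)
}

# Heuristic (an assumption of this example): flag anything that does not
# resolve to a file, is not Authenticode-signed with a valid signature, or
# does not live under the Windows or Program Files directories.
function Test-SuspiciousEntry($entry) {
    $exe = Get-ExecutablePath $entry.Command
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return $true }
    $trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }
    $inTrustedDir = $trusted | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    return (-not $inTrustedDir) -or ($sig.Status -ne 'Valid')
}

Get-AutoStartEntries |
    Where-Object { Test-SuspiciousEntry $_ } |
    Format-Table Type, Name, Command -AutoSize
```

The output is a review list, not a verdict: legitimate third-party software is often unsigned or installed outside Program Files, so each flagged entry still needs a human to decide whether it belongs there, which is the same kind of review the FAQ describes Huntress analysts performing.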
Huntress can detect early signs of Ransomware through its Ransomware Canaries feature.
Ransomware typically performs its malicious activity and then deletes itself, often without creating a foothold. Sometimes ransomware will encrypt a desktop.ini file within a user's startup folder or place a ransom notice that opens when the user logs in. Huntress will flag these "footholds." However, many newer ransomware variants only encrypt data files (PDF, Word, XLS, etc.) and don't drop a ransom notice in a startup location; this type of ransomware infection would not be seen by Huntress at all.
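To make the canary idea from the two paragraphs above concrete, here is a minimal file-based ransomware canary in PowerShell. It is an added example written for this page, not Huntress's Ransomware Canaries implementation: it places a decoy file in each watched directory, records a SHA-256 baseline, and on a later check reports canaries that were modified, renamed (for example by having an extension appended) or removed. The function names, the decoy filename, the baseline location and the choice of watched directories are all assumptions of this example.

```powershell
# Added example, not Huntress's own implementation: a polling ransomware canary.
# Names below (New-CanaryBaseline, Test-Canaries, the decoy filename and the
# baseline path) are choices made for this example.

$CanaryFileName = 'finance_q3_backup.docx'   # assumption: looks like ordinary user data
$BaselinePath   = Join-Path $env:ProgramData 'canary-baseline.json'

function New-CanaryBaseline {
    param([string[]]$WatchDirs)
    $baseline = @{}
    foreach ($dir in $WatchDirs) {
        if (-not (Test-Path $dir)) { continue }
        $path = Join-Path $dir $CanaryFileName
        # Unique content per canary so every decoy hashes differently.
        $content = "CANARY $([guid]::NewGuid()) placed $(Get-Date -Format o)"
        Set-Content -Path $path -Value $content -Encoding UTF8
        $baseline[$path] = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
    $baseline | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    return $baseline
}

function Test-Canaries {
    $json = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $results = foreach ($prop in $json.PSObject.Properties) {
        $path     = $prop.Name
        $expected = $prop.Value
        $dir      = Split-Path $path -Parent
        if (-not (Test-Path -LiteralPath $path)) {
            # Encryptors commonly append their own extension; look for the decoy under a new name.
            $renamed = Get-ChildItem -Path $dir -File -Filter "$CanaryFileName*" -ErrorAction SilentlyContinue |
                       Where-Object { $_.Name -ne $CanaryFileName }
            $status = if ($renamed) { 'Renamed' } else { 'Missing' }
            [pscustomobject]@{ Path = $path; Status = $status; Detail = ($renamed.Name -join ', ') }
        }
        elseif ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $expected) {
            [pscustomobject]@{ Path = $path; Status = 'Modified'; Detail = 'hash mismatch' }
        }
        else {
            [pscustomobject]@{ Path = $path; Status = 'Intact'; Detail = '' }
        }
    }
    return $results
}

# Usage (assumed directories):
# New-CanaryBaseline -WatchDirs "$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"
# Test-Canaries | Where-Object Status -ne 'Intact'
```

Because this version polls rather than watching the file system, Test-Canaries has to be run on a schedule (a scheduled task every few minutes, for instance) to be useful, and any non-Intact result should be treated as an incident trigger rather than logged and forgotten. Keep the decoy's content free of anything an attacker could use, and exclude the canary path from backup and sync tools so their own rewrites do not produce false alarms.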
It's important to understand that Huntress is not a prevention tool; it is a detection and response tool. Humans on our end review all of the data from your machine and create incident reports based on Investigations. This ensures you're receiving actionable intelligence with remediation instructions.