
Rewind Recovery

Rewind Recovery reverses file system changes made by ransomware and other destructive malware. When Defend detects a ransomware attack, it calculates the optimal recovery point, identifies affected directories, and triggers an automated rollback through the Backups integration.

How Rewind Works

  1. Detection — Defend's ransomware detector identifies mass file operations (bulk renames to encrypted extensions, shadow copy deletion, or encryption patterns)
  2. Analysis — The system queries ADX for the first anomalous file event and calculates a rewind target 5 minutes before that event
  3. Scope identification — Top 20 affected directories are identified via KQL analysis of file modification patterns
  4. Backup validation — Defend checks with the Backups API that a restore point exists at or before the target timestamp
  5. Device isolation — The affected device is isolated to prevent further encryption
  6. Rewind execution — Backups restores files in the affected directories to the pre-attack state
  7. Verification — Defend monitors the restored files and scans for re-infection
  8. Network restore — Once verified clean, network access is restored
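Steps 2 through 4 above (first anomalous event, rewind target, affected directories, snapshot validation) as an added example that is not the product's own code. It runs over a constructed list of file events instead of ADX/KQL, uses a hypothetical burst heuristic (three renames to an encrypted extension within 60 seconds) as the ransomware detector, places the rewind target 5 minutes before the first anomalous event, ranks affected directories by event count, picks the latest snapshot at or before the target, and reports the bytes written between that snapshot and the attack start, which is the data a rewind cannot bring back. Thresholds, extensions, paths and snapshot times are all assumptions.

```python
"""Rewind-point analysis over constructed file events (illustrative, not product code)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

REWIND_LEAD = timedelta(minutes=5)      # rewind target sits 5 minutes before the first anomalous event
BURST_WINDOW = timedelta(seconds=60)    # assumption: renames this close together form one burst
BURST_THRESHOLD = 3                     # assumption: renames per burst before we call it mass activity
ENCRYPTED_EXTS = {".locked", ".crypt", ".enc"}  # assumption: sample encrypted-file extensions


def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample telemetry, not real ADX data: (time, op, path, bytes written)
EVENTS = [
    (utc("2024-05-01T09:50:00"), "modify", "/home/alice/docs/budget.xlsx", 40_000),
    (utc("2024-05-01T09:55:30"), "modify", "/home/alice/docs/notes.txt", 2_000),
    # a lone early rename is under the burst threshold, but the 5-minute lead still covers it
    (utc("2024-05-01T09:58:00"), "rename", "/home/alice/docs/q1.docx.locked", 0),
    (utc("2024-05-01T10:02:00"), "rename", "/srv/share/finance/a.xlsx.locked", 0),
    (utc("2024-05-01T10:02:05"), "rename", "/srv/share/finance/b.xlsx.locked", 0),
    (utc("2024-05-01T10:02:10"), "rename", "/srv/share/hr/c.pdf.locked", 0),
    (utc("2024-05-01T10:02:20"), "modify", "/srv/share/finance/d.xlsx.locked", 0),
    (utc("2024-05-01T10:03:00"), "delete", "/srv/share/hr/e.pdf", 0),
]
# Constructed Backups snapshot times
SNAPSHOTS = [utc("2024-05-01T09:00:00"), utc("2024-05-01T09:52:00"), utc("2024-05-01T10:30:00")]


def first_anomalous_event(events):
    """Time of the first rename to an encrypted extension that starts a burst of
    at least BURST_THRESHOLD such renames within BURST_WINDOW, or None."""
    renames = sorted(t for t, op, path, _ in events
                     if op == "rename" and PurePosixPath(path).suffix in ENCRYPTED_EXTS)
    for i, start in enumerate(renames):
        burst = [t for t in renames[i:] if t - start <= BURST_WINDOW]
        if len(burst) >= BURST_THRESHOLD:
            return start
    return None


def rewind_target(first_anomalous):
    return first_anomalous - REWIND_LEAD


def top_affected_dirs(events, first_anomalous, n=20):
    """Directories with the most file events from the first anomalous event onward."""
    counts = Counter(str(PurePosixPath(path).parent)
                     for t, _, path, _ in events if t >= first_anomalous)
    return counts.most_common(n)


def latest_snapshot_at_or_before(snapshots, target):
    eligible = [s for s in snapshots if s <= target]
    return max(eligible) if eligible else None


def estimated_data_loss(events, snapshot, first_anomalous):
    """Bytes written by ordinary modifications after the chosen snapshot but before
    the attack started: the window a rewind cannot restore."""
    return sum(size for t, op, _, size in events
               if op == "modify" and snapshot < t < first_anomalous)


def analyze(events, snapshots):
    first = first_anomalous_event(events)
    if first is None:
        return {"status": "no_attack_detected"}
    target = rewind_target(first)
    snap = latest_snapshot_at_or_before(snapshots, target)
    if snap is None:
        return {"status": "failed", "detail": "no snapshot at or before rewind target", "target": target}
    return {
        "status": "awaiting_approval",
        "first_anomalous": first,
        "target": target,
        "snapshot": snap,
        "directories": top_affected_dirs(events, first),
        "estimated_data_loss_bytes": estimated_data_loss(events, snap, first),
    }


if __name__ == "__main__":
    for key, value in analyze(EVENTS, SNAPSHOTS).items():
        print(f"{key}: {value}")
```

With the constructed data the burst starts at 10:02:00, so the target is 09:57:00, the 09:52:00 snapshot is selected, and the 2,000 bytes written to notes.txt between snapshot and attack start are reported as unrecoverable. Dropping the earlier snapshots from the list reproduces the Snapshot availability limitation: the operation goes straight to failed.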

Recovery Status Flow

analyzing → awaiting_approval → isolating → rewinding → verifying → restoring_network → completed

If any step fails, the operation moves to failed status with details on what went wrong.
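The status flow as a guarded state machine, added here as an illustration rather than Defend's implementation: one callable per status, a dual-control gate on awaiting_approval that counts distinct approvers only, and a failure path that records which step failed and why. The step functions and the 503 failure message are constructed.

```python
"""Recovery status flow as a guarded state machine (illustrative, not Defend's code)."""

FLOW = ["analyzing", "awaiting_approval", "isolating", "rewinding",
        "verifying", "restoring_network", "completed"]


class RewindOperation:
    def __init__(self, steps, approvals_required=2):
        self.steps = steps                       # status -> callable doing that step (hypothetical)
        self.approvals_required = approvals_required
        self.approvals = set()                   # distinct approver identities
        self.status = FLOW[0]
        self.detail = None                       # populated only on failure
        self.history = [self.status]

    def _advance(self):
        self.status = FLOW[FLOW.index(self.status) + 1]
        self.history.append(self.status)

    def approve(self, approver):
        """Dual control: the same person approving twice does not count twice."""
        if self.status != "awaiting_approval":
            raise RuntimeError(f"cannot approve while {self.status}")
        self.approvals.add(approver)
        if len(self.approvals) >= self.approvals_required:
            self._advance()

    def run(self):
        """Run steps in order until the flow blocks on approval, completes or fails."""
        while self.status not in ("awaiting_approval", "completed", "failed"):
            try:
                self.steps[self.status]()
            except Exception as exc:
                self.detail = f"{self.status}: {exc}"
                self.status = "failed"
                self.history.append(self.status)
                break
            self._advance()
        return self.status


def make_operation(fail_at=None, approvals_required=2):
    """Build an operation whose steps are no-ops except the one named by fail_at,
    which raises a constructed Backups API error."""
    def step(name):
        def do():
            if name == fail_at:
                raise RuntimeError("Backups API returned 503")
        return do
    return RewindOperation({s: step(s) for s in FLOW[:-1]}, approvals_required)


if __name__ == "__main__":
    op = make_operation()
    print(op.run())                      # awaiting_approval
    op.approve("alice"); op.approve("bob")
    print(op.run(), op.history)          # completed, then the full FLOW list
    bad = make_operation(fail_at="rewinding")
    bad.run(); bad.approve("alice"); bad.approve("bob")
    print(bad.run(), bad.detail)         # failed rewinding: Backups API returned 503
```

The failed operation keeps its history up to the step that broke, so an operator can see that isolation succeeded before the rewind itself failed and decide whether the device should stay isolated.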

Running a Rewind

Automatic

When auto-response is configured for critical ransomware detections, the rewind process triggers automatically: the system isolates the device, calculates the rewind point, and begins recovery without waiting for manual approval. Because a rewind cannot proceed without a restore point at or before the target (see Limitations), confirm that the Backups agent covers the devices and paths you care about before relying on automatic recovery.

Manual

  1. Open the ransomware detection in the investigation workspace
  2. Click Initiate Rewind
  3. Review the proposed rewind target timestamp and affected directories
  4. Approve the rewind (dual-control approval may be required)
  5. Monitor progress in Recovery → Operations

What Can Be Recovered

  • Files modified or deleted by the malware process after the rewind target timestamp
  • Files in directories covered by the Backups agent
  • Files that existed in a backup snapshot at or before the rewind point

Limitations

  • Backup required: Rewind depends on the Backups product; devices without Backups cannot use rewind.
  • Snapshot availability: A recovery point must exist at or before the target timestamp.
  • Non-backed-up paths: Directories excluded from Backups cannot be recovered.
  • Encryption timing: If encryption ran for hours before detection, data written between the last backup and the attack start is lost.
  • VSS dependency: On Windows, some recovery paths use Volume Shadow Copy, so VSS must be enabled. Ransomware commonly deletes shadow copies before encrypting (one of the signals the detector watches for), so do not treat VSS as a substitute for Backups snapshots.

Dry-Run Testing

Test your rewind readiness without performing an actual restore:

  1. Navigate to Recovery → Test
  2. Select a device
  3. Click Run Dry Test
  4. Defend validates Backups API connectivity, checks snapshot availability, and confirms the recovery pipeline is operational
ℹ️ Run dry-run tests periodically to ensure your recovery pipeline is healthy. A rewind that fails during an active ransomware incident wastes critical response time.

Post-Rewind Steps

After a successful rewind:

  1. Re-scan — Defend automatically scans recovered files for residual malware
  2. Monitor — The device remains under elevated monitoring for 24 hours
  3. Investigate — Review the detection to identify the initial access vector and remediate it (patch the exploited vulnerability, revoke compromised credentials); rewinding files does not remove the attacker's foothold
  4. Report — A recovery report is generated with files recovered, estimated data loss, and recovery time

Recovery Metrics

Each rewind operation records:

  • Files recovered — Count of files restored to pre-attack state
  • Estimated data loss — Bytes written between the snapshot used for recovery and the attack start, which the rewind cannot restore
  • Recovery time — Seconds from rewind initiation to completion
  • Scope — Directories included in the recovery

These metrics are available in the recovery report and included in compliance reports.

Next Steps