Overview

The Third Wall Ransomware Monitor, in most environments will work with a OneDrive implementation but the 'On Demand' setting may cause false positives to be thrown when the sync process is called.  The following instructions will show how to configure the monitor to work in these environments.  This document assumes your are running Third Wall version 2.5.2.5 or better.

Preparation

Begin by assigning a 'Static Path' to the monitor.  This is a global setting which will impact all instances of the Ransomware Monitor.  Setting a Static Path will cause the monitor to add four additional bait files to the path of your choosing.  Also, the folder path assigned to 'Static Path' will be automatically created if it doesn't exist.  These bait files will be active, regardless of whether or not a user is signed in and is a recommended modification for all environments.  This setting is applied to the Ransomware Monitor Settings section of the Integrations Page (Dashboard -> Config -> Integrations -> Third Wall)

Once set, the assigned 'Static Path' will be applied to all applicable remotes on the next 'Update Config' execution.

Issue Resolution

With a 'Static Path' now set, you are ready to remediate those environments where OneDrive is causing false positives to the Ransomware Monitor.  Open the Location Screen for that environment and navigate to the Ransomware Monitor policy on the Third Wall tab.  You'll find an option 'Static Path Only':

With this option selected, the Ransomware Monitor will no longer attempt to write or monitor files on the users' \Documents path but will only use the bait files assigned to the Static Path.