V11 Service Pack 10

Ransomware Protection

Protecting your data from Ransomware attacks is critically important. Commvault proactively monitors the client computer for unexpected activity and alerts the user, identifying the type of activity that was detected.

In addition, you can secure the mount path against access by external processes, thereby protecting the backed-up data. Commvault provides the following methods to protect your data.

Method 1: Securing Mount Paths

Protect all of your mount paths from Ransomware so that the backup data in storage cannot be altered by malicious Ransomware.

See Enabling Ransomware Protection on MediaAgents for more information. If you upgraded from the previous version, verify that both the client and CommServe computers are upgraded to the current version.

Method 2: Monitoring the Honeypot File

Commvault software automatically detects the presence of Ransomware on your client computers using the honeypot file method. The Ransomware check runs once every 4 hours.

Note: If you upgraded from the previous version, verify that both the client and CommServe computers are upgraded to the current version.

Commvault software notifies the CommCell Console administrator immediately by sending an Alert and displaying an Event Message as follows:

  • The File Activity Anomaly Alert is configured by default to send out an alert notification to all the users included in the Master CommCell User Group.

    See Alerts and Notifications - Predefined Alerts for more information.

  • The following event message is displayed if the Commvault software detects the presence of Ransomware on your computer:

    Detected a possible Ransomware attack. Please verify the data on the machine.

  • To control how often the Ransomware check runs on your client, create the nTimer_CheckForRansomware additional setting on the client computer as shown in the following table:

    For instructions on adding the additional settings from the CommCell Console, see Add or Modify an Additional Setting.

    Property   Value
    Name       nTimer_CheckForRansomware
    Category   QMachineMaint
    Type       Integer
    Value      0 to 4294967295 (value taken in minutes)
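The following is an added illustration of the honeypot-file idea behind Method 2, not Commvault's own implementation: a canary file that no legitimate process should touch is written once, a timer re-checks it (the interval playing the role that nTimer_CheckForRansomware plays above, in minutes), and a canary that has been changed, removed or renamed produces the event text quoted on this page. The file name, directory, interval and return values are assumptions, and the scenario in simulate() is constructed.

```python
"""Honeypot-file check: deploy a canary, re-check it on a timer, raise the
page's event text when the canary is altered, removed or renamed.
Added example; names and the polling structure are assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path

HONEYPOT_NAME = ".canary_do_not_touch.txt"   # assumed canary file name
CANARY_CONTENT = b"honeypot canary - legitimate software never edits this\n"
EVENT_TEXT = "Detected a possible Ransomware attack. Please verify the data on the machine."


def deploy_honeypot(directory):
    """Write the canary once and return (path, expected SHA-256 digest)."""
    path = Path(directory) / HONEYPOT_NAME
    path.write_bytes(CANARY_CONTENT)
    return path, hashlib.sha256(CANARY_CONTENT).hexdigest()


def check_honeypot(path, expected_digest):
    """One timer tick. Returns None when the canary is intact, else a reason."""
    path = Path(path)
    if not path.is_file():
        # Encryptors commonly rename victims with a new extension, or delete them.
        return "missing or renamed"
    if hashlib.sha256(path.read_bytes()).hexdigest() != expected_digest:
        # Content digest rather than mtime: timestamps are trivially preserved.
        return "content changed"
    return None


def run_checks(path, expected_digest, interval_minutes, max_checks, sleep):
    """Poll up to max_checks times, waiting interval_minutes between ticks.
    Stops and returns the event on the first anomaly, None if all ticks are clean."""
    for _ in range(max_checks):
        reason = check_honeypot(path, expected_digest)
        if reason is not None:
            return {"event": EVENT_TEXT, "reason": reason}
        sleep(interval_minutes * 60)
    return None


def simulate():
    """Constructed scenario in a temp dir: intact, then overwritten, then renamed."""
    no_wait = lambda seconds: None  # no real sleeping in the demonstration
    with tempfile.TemporaryDirectory() as d:
        path, digest = deploy_honeypot(d)
        intact = run_checks(path, digest, 240, 1, sleep=no_wait)  # 4-hour interval, one tick
        path.write_bytes(b"\x00ENCRYPTED\x00")                    # simulated in-place encryption
        changed = run_checks(path, digest, 240, 3, sleep=no_wait)
        os.rename(path, str(path) + ".locked")                    # simulated rename
        renamed = check_honeypot(path, digest)
    return intact, changed, renamed


if __name__ == "__main__":
    print(simulate())
```

Two points worth noticing: detection latency is bounded by the polling interval, so the 4-hour default trades CPU cost against how long an encryptor can run before the alert fires, and the canary is only useful in directories the malware would actually traverse.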

Method 3: Monitoring File Activities On Client Computers

Caution: Use this feature only for file server and laptop clients. Do not use it on CommServe, MediaAgent, Index Server, Content Indexing server, or Web Server computers, or on computers that host application databases such as Exchange or Oracle.

Unusually large volumes of file activity on your client computer can indicate the presence of Ransomware. You can configure the client computer to detect such activity by enabling the EnableFileIOMonitor additional setting.

After you enable the additional setting, the client computer is monitored every 5 minutes for file activity, and any abnormal activity is reported to the administrator by an alert and an event. For the first 7 days, the client computer is monitored to establish a baseline of its day-to-day activity. After 7 days, alerts and events are sent to the administrator if an abnormally large number of file activities is detected.

Important: Data aging operations are automatically disabled if large file activities are detected on your client computer.

Procedure

  1. On the client computer, add the EnableFileIOMonitor additional setting as shown in the following table:

    For instructions on adding the additional settings from the CommCell Console, see Add or Modify an Additional Setting.

    Property   Value
    Name       EnableFileIOMonitor
    Category   EventManager
    Type       Integer
    Value      0, 1
  2. Restart the CVD.exe process on the client computer.

Alerts and Events

Commvault software notifies the CommCell Console administrator immediately by sending an Alert and displaying an Event Message as follows:

  • The following event message is displayed if the Commvault software detects file anomalies on your computer:

    Detected file activity anomaly of type [Anomaly_Type] in last 5 minutes. Number of files Modified [X] Deleted [X] Renamed [X] and Created [X]. Please verify the data on the machine.

    where:

    • Anomaly_Type is the type of anomaly, which is one of the following operations or a combination of them:
      • Created
      • Modified
      • Renamed
      • Deleted
    • X is the count of file I/Os for the corresponding operation type.
  • A File Activity Anomaly Alert notification is sent to all the users included in the Master CommCell User Group.

    See Alerts and Notifications - Predefined Alerts for more information.
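The following is an added sketch of the file-activity anomaly logic that Method 3 describes, serving both the monitoring description (5-minute samples, a 7-day learning period, data aging disabled on detection) and the event message format listed above. It is not Commvault's code: the page does not state how the baseline is turned into a threshold, so the rule used here (per-operation mean plus three standard deviations, with a floor) is an assumption, and all sample counts are constructed.

```python
"""File-activity anomaly detector: sample Created/Modified/Renamed/Deleted
counts every 5 minutes, learn a baseline for 7 days, then raise the page's
event text when any operation exceeds its learned threshold.
Added example; the threshold rule and the sample data are assumptions."""
import random
import statistics

OPS = ("Created", "Modified", "Renamed", "Deleted")
SAMPLES_PER_DAY = 24 * 60 // 5            # one sample every 5 minutes
LEARNING_SAMPLES = 7 * SAMPLES_PER_DAY    # 7-day learning period


class FileActivityMonitor:
    def __init__(self, min_threshold=100, sigmas=3.0):
        self.min_threshold = min_threshold  # assumed floor: tiny baselines must not alert on noise
        self.sigmas = sigmas                # assumed: mean + 3 standard deviations
        self.history = {op: [] for op in OPS}
        self.thresholds = None
        self.data_aging_disabled = False    # mirrors the Important note on this page

    def learning(self):
        return len(self.history["Created"]) < LEARNING_SAMPLES

    def _finish_learning(self):
        self.thresholds = {}
        for op in OPS:
            vals = self.history[op]
            limit = statistics.mean(vals) + self.sigmas * statistics.pstdev(vals)
            self.thresholds[op] = max(self.min_threshold, limit)

    def observe(self, counts):
        """Feed one 5-minute sample {operation: count}. Returns an event string or None."""
        if self.learning():
            for op in OPS:
                self.history[op].append(counts.get(op, 0))
            if not self.learning():
                self._finish_learning()
            return None
        anomalous = [op for op in OPS if counts.get(op, 0) > self.thresholds[op]]
        if not anomalous:
            return None
        self.data_aging_disabled = True
        return ("Detected file activity anomaly of type [{}] in last 5 minutes. "
                "Number of files Modified [{}] Deleted [{}] Renamed [{}] and Created [{}]. "
                "Please verify the data on the machine.").format(
                    ", ".join(anomalous), counts.get("Modified", 0), counts.get("Deleted", 0),
                    counts.get("Renamed", 0), counts.get("Created", 0))


def demo():
    """Constructed run: 7 days of quiet baseline, one normal sample, one mass-rename sample."""
    rng = random.Random(7)  # deterministic constructed baseline
    mon = FileActivityMonitor()
    first = None
    for i in range(LEARNING_SAMPLES):
        sample = {"Created": rng.randint(0, 20), "Modified": rng.randint(0, 50),
                  "Renamed": rng.randint(0, 5), "Deleted": rng.randint(0, 10)}
        result = mon.observe(sample)
        if i == 0:
            first = result  # None: still learning, no alerts during the first 7 days
    normal = mon.observe({"Created": 10, "Modified": 30, "Renamed": 2, "Deleted": 5})
    attack = mon.observe({"Created": 3, "Modified": 4200, "Renamed": 4200, "Deleted": 0})
    return first, normal, attack, mon.data_aging_disabled


if __name__ == "__main__":
    print(demo())
```

The learning period is also the weak point of any baseline scheme: if an infection is already active during those 7 days, its activity becomes part of the baseline and is never flagged, which is one reason the honeypot check and the file-activity monitor are offered as complementary methods rather than alternatives.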

The figure illustrates a sample workflow in which data aging is automatically disabled on the client computer and an email is sent to the administrator.

File Activity Anomaly Report

You can view the File Activity Anomaly Report on your Web Console. For more information, see File Activity Anomaly Report - Overview.

Recovering From a Ransomware Attack

Perform the following steps when Ransomware is detected on a client computer.

  1. Disable network connections to the affected client.
  2. Disable all backups from the client.
    • From the CommCell Browser, right-click the Client and select Properties.
    • On the Activity Control tab, clear the Enable Backup check box.
    • Click OK.
  3. Make sure that the Ransomware is cleared and the client is clean.
  4. Enable network connections to the client.
  5. Restore the necessary data from an older backup.

    See Restore Backup Data for more information.

  6. Enable all backups from the client.
    • From the CommCell Browser, right-click the Client and select Properties.
    • On the Activity Control tab, select the Enable Backup check box.
    • Click OK.

Best Practices

  • To access network mount paths, create and use a non-interactive user account. A non-interactive user is an account that has been denied local logon rights. To create a non-interactive account, use the following procedure:
    1. Open GPEDIT.MSC and go to Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
    2. Add the user to the Deny log on locally policy.
    3. Create the network share with Full Control permission for this user, and deny permissions for all other users.
    4. Configure an antivirus software for Ransomware protection.
  • Do not log on to the CommServe or MediaAgent computer directly. Instead, do the following:
    • Use a virtual machine proxy computer that has the JAVA GUI and SQL Management Studio installed.
    • Block all ports on the virtual machine, except for the ones required for JAVA GUI or SQL Management Studio.
    • Log on to the CommCell Console, and then access the MediaAgent computer.
  • Use the Commvault PowerShell script to harden Windows based on recommendations from Black Hat.
  • Use Install Windows Update Workflow to download and install Microsoft updates on client computers that operate on Windows operating system.
  • Protect your CommServe Disaster Recovery (DR) backup. In addition to the DR Backup location and the Export location, use the Edge Drive Uploader Tool to regularly upload a copy of the CommServe databases to a collaborative share on https://cloud.commvault.com.

    Note: Storage of CommServe DR backup data on https://cloud.commvault.com is a free service to all customers.