Threat Scan delivers comprehensive visibility into abnormal activity across protected resources by identifying anomalies in files and backup jobs. These anomalies serve as early indicators of potential ransomware attacks, data corruption, or unauthorized file access. The system uses historical baselines, statistical thresholds, and file metadata validation to detect and highlight unusual behavior.
Threat Scan detects four primary anomaly types, each described below:
- File activity anomalies
- File MIME type anomalies
- File extension anomalies
- Backup size anomalies
File Activity Anomalies
File activity anomalies are irregular file operations such as unusual rates of file creation, modification, rename, or deletion. These anomalies are derived from changes detected between indexed backup jobs to identify potentially malicious or unexpected activity.
Detection Logic
- Telemetry Source: Index server performing File Indexing Version 2.
- Operation: A baseline is established from multiple prior backup jobs to determine the normal change volume.
- Trigger Condition: File operation counts that deviate more than three standard deviations above the baseline.
- Retention: 30 days of anomaly data retained.
Configuration
To enable file activity anomaly detection, the resource must be assigned to a Threat Scan plan. This plan automatically configures indexing and anomaly detection for supported workloads.
Supported Workloads
- Windows file system resources (Indexing Version 2)
- Linux file system resources (Indexing Version 2)
- Virtual Machines (Indexing Version 2)
- Network shares (Indexing Version 2)
File MIME Type Anomalies
File MIME type anomalies are mismatches between a file’s actual content type (MIME) and its file extension. This often indicates ransomware disguising files (for example, .exe renamed as .jpg).
Detection Logic
- Telemetry Source: Index server performing File Indexing Version 2.
- Operation: The first 36 KB of each indexed file is analyzed to determine its MIME type.
- Trigger Condition: MIME mismatch rate exceeds the baseline percentage by +5%.
- Retention: 7 days of anomaly data retained.
Configuration
To enable file MIME type anomaly detection, assign the resource to a Threat Scan plan. The plan configures required indexing and anomaly collection settings.
Supported Workloads
- Windows file system (Indexing Version 2)
- Network file shares (Indexing Version 2)
File Extension Anomalies
File extension anomalies are unusual or newly introduced file extensions within a resource. A sudden increase in uncommon or random extensions may indicate ransomware activity.
Detection Logic
- Telemetry Source: Index Server (Indexing Version 2).
- Operation: The distribution of file extensions is computed from the previous 5 backup jobs.
- Trigger Condition: New or rare extensions appear at more than 10× their baseline frequency or represent over 5% of total files.
- Retention: 7 days of anomaly data retained.
Configuration
To enable file extension anomaly detection, assign the resource to a Threat Scan plan. The plan ensures indexing and anomaly analysis are configured automatically.
Supported Workloads
- Windows file system resources (Indexing Version 2)
- Virtual Machines (Indexing Version 2)
Backup Size Anomalies
Backup size anomalies are unexpected increases or decreases in the amount of data written during a backup. Large deviations may suggest encryption, skipped data, or corruption.
Detection Logic
- Telemetry Source: Job Manager Service and MediaAgent statistics.
- Operation: The baseline is the average size of the last 10 incremental backup jobs.
- Trigger Condition: Backup size deviation greater than +40% or −50% from the baseline.
- Retention: 30 days of anomaly data retained.
Configuration
To enable backup size anomaly detection, the resource must be assigned to a Threat Scan plan. This plan configures the required indexing and monitoring parameters for backup size anomaly tracking.
Supported Workloads
- Windows file system backups
- Linux file system backups
- Virtual Machine backups
Summary Support Matrix
| Anomaly Type | Workloads | Indexing Requirement | Baseline Period | Retention |
|---|---|---|---|---|
| File Activity | Windows, Linux, VMs, network shares | Indexing Version 2 | Multiple jobs | 30 days |
| File MIME Type | Windows, network shares | Indexing Version 2 | 2 jobs | 7 days |
| File Extension | Windows, VMs | Indexing Version 2 | 5 jobs | 7 days |
| Backup Size | Windows, Linux, VMs | Not specified | 10 jobs | 30 days |