Anomaly Detection On Client Computers

Commvault detects anomalies by monitoring client computers as follows:

  • Monitoring file activity anomalies in backup jobs

  • Monitoring file encryption activities

  • Monitoring file type anomalies in backup jobs

Note

Monitoring client computers does not cause additional CPU load on the CommServe computer or on the client computers.

Monitoring File Activity Anomalies in Backup Jobs

By default, Commvault monitors file system backup jobs to check for the possible presence of ransomware by detecting file activity. This detects unusual activity such as the creation, deletion, or modification of a very large number of files. For more information, see "File Activity Tab" in Threat Indicators Dashboard.

  • If any unusual activity is detected, it is reported as an abnormal activity to the CommCell administrator by an alert and event.

  • The following event message is displayed if Commvault detects the presence of malware on a client computer:

    The system detected unexpected activity in job [jobid] for client [clientName]: number of added files [count] exceeds normal observed count of [count]. Please review to ensure proper data protection

To receive alerts when abnormal activities are detected, configure the Threat Indicator Alert.

Monitoring File Encryption Activities in Backup Jobs

Note

This applies only to Windows client computers with indexing enabled.

By default, Commvault monitors file system backup jobs to check for the possible presence of ransomware by detecting whether files have been encrypted. Ransomware sometimes changes the extensions of the files it encrypts (for example, .ecc, .ezz, .zzz, .xyz, .abc, .ccc, .micro, .encrypted, etc.). For more information, see "File Extension Tab" in Threat Indicators Dashboard.

If any suspicious files are detected, they are reported as an abnormal activity to the CommCell administrator by an alert and event. To receive alerts when abnormal activities are detected, configure the Threat Indicator Alert.

Note

To skip an extension from anomaly monitoring, add the sExcludeExtensions additional setting.

Monitoring File Type Anomalies in Backup Jobs

Note

This applies only to Windows client computers.

By default, Commvault checks for the possible presence of ransomware by monitoring backup jobs on client computers every 4 hours to see if there are mismatches between the file types and the file extensions of backed-up files. Commvault reads the first 36 KB of data of each file and detects the presence of any MIME type anomaly. When the number of files with MIME type anomalies exceeds 10% of the total number of files that are backed up, Commvault immediately sends an anomaly alert to the CommCell administrator and also displays an event message.

  • To receive alerts when MIME type anomalies are detected, configure the Threat Indicator Alert.

  • To enable MIME file type check, add the DetectMimeType additional setting to client computers, as shown in the following table.

    For information about adding an additional setting from the CommCell Console, see Adding an Additional Setting from the CommCell Console.

    Property    Value
    Name        DetectMimeType
    Category    FileSystemAgent
    Type        Integer
    Value       1 (enabled)

  • The Threat Indicators dashboard in the Command Center displays information about the list of file type anomalies in the backup jobs. For more information, see Threat Indicators Dashboard.

Monitoring Backup Job Anomalies for VSA Clients (Without Guest Agents)

You can monitor for file activity anomalies for virtual machine backups without installing file system agents within the VM guest. Anomalies are triggered after backups have completed. You can view the anomalies in the Threat Indicators report. For more information, see Threat Indicators Report for Backup Job Anomalies - VSA.
