Commvault detects anomalies by monitoring client computers as follows:
- Monitoring the honeypot file
- Monitoring file anomalies
- Monitoring file encryption activities
- Monitoring file type anomalies in backup jobs
Note
Monitoring client computers does not cause additional CPU load on the CommServe computer or on the client computers.
Monitoring the Honeypot File
Note
Honeypot file monitoring can be enabled on virtualized environments by installing the base Windows or UNIX file system restore-only client in the virtual machine guest host. For more information, see Installation of Restore Only Agents.
Commvault automatically checks for the possible presence of ransomware on client computers using the honeypot file method. Since ransomware typically attacks user files such as MS Office documents and multimedia files, Commvault places a honeypot file that mimics such a user file. Every four hours, Commvault checks to see if the honeypot file has been encrypted by ransomware.
If the honeypot file is encrypted, Commvault notifies the CommCell Console administrator immediately by sending an anomaly alert and by displaying an event message, as follows:
- The File Activity Anomaly Alert is configured by default to send an alert notification to all users included in the Master CommCell User Group. For more information, see Alerts and Notifications - Predefined Alerts.
- The following event message is displayed if Commvault detects the presence of ransomware on a client computer:
  An irregularity in the amount of file activity was detected on the machine [clientName]. Please alert your administrator.
To control the frequency with which the honeypot ransomware check occurs, create the nTimer_CheckForRansomware additional setting on the client computer or the client group as shown in the following table:
For information on adding an additional setting from the CommCell Console, see Add or Modify an Additional Setting.
| Property | Value |
|---|---|
| Name | nTimer_CheckForRansomware |
| Category | QMachineMaint |
| Type | Integer |
| Value | 0 to 4294967295 (value in minutes) |
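The honeypot check described above, as an added illustration that is not Commvault's own code: a decoy document is planted, its SHA-256 baseline is recorded, and a later check classifies the file as intact, encrypted (content changed and high entropy), modified, or missing. The file name, the 4 KB entropy window and the 7.0 bits-per-byte threshold are assumptions chosen for the example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_honeypot(path: str) -> str:
    """Write a decoy 'user document' and return its SHA-256 baseline."""
    body = ("Quarterly report draft - do not edit.\n" * 200).encode()
    with open(path, "wb") as fh:
        fh.write(body)
    return hashlib.sha256(body).hexdigest()

def check_honeypot(path: str, baseline: str) -> str:
    """Return 'intact', 'missing', 'encrypted' or 'modified'."""
    if not os.path.exists(path):
        return "missing"  # deleted, or renamed to a ransomware extension
    with open(path, "rb") as fh:
        data = fh.read()
    if hashlib.sha256(data).hexdigest() == baseline:
        return "intact"
    # Content changed: high entropy in the head of the file points to encryption
    # (assumed threshold of 7.0 bits per byte over the first 4 KB).
    return "encrypted" if shannon_entropy(data[:4096]) > 7.0 else "modified"

def run_demo() -> list:
    """Run the check against constructed scenarios and return the verdicts."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Q3_budget.docx")  # assumed decoy name
        baseline = plant_honeypot(path)
        results.append(check_honeypot(path, baseline))  # intact
        with open(path, "wb") as fh:
            fh.write(os.urandom(8192))  # simulated ciphertext overwrite
        results.append(check_honeypot(path, baseline))  # encrypted
        with open(path, "wb") as fh:
            fh.write(b"A legitimate edit by the user.\n" * 100)
        results.append(check_honeypot(path, baseline))  # modified
        os.remove(path)
        results.append(check_honeypot(path, baseline))  # missing
    return results
```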
Monitoring File Anomalies
Note
Anomaly detection can be enabled on virtualized environments by installing the base Windows file system restore-only client in the virtual machine guest host. For more information, see Installation of Restore Only Agents.
By default, Commvault checks for the possible presence of ransomware by detecting if a large number of files on a client computer are created, deleted, modified, or renamed. The system looks for such file anomalies on client computers by using the following methodology:
- For the first 7 days, client computers are monitored and analyzed in order to establish a baseline of day-to-day file activities. After those 7 days, if a large number of abnormal file activities are detected, the system sends alerts and event messages to the administrator.
- Up to 30 days of file activities are maintained in a database on each client computer for use by the monitoring algorithm.
Configure the File Activity Anomaly Alert to receive alerts when abnormal activities are detected.
Note
You can use the sAnomalyFilters additional setting to skip a path from anomaly monitoring. However, note that this additional setting does not recognize paths that include special characters (for example, the character "é"). If a special character is present in a path, you cannot use the sAnomalyFilters additional setting to skip it from anomaly monitoring.
Monitoring File Encryption Activities
Note
This applies only to Windows client computers.
By default, Commvault checks for the possible presence of ransomware by detecting if files have been encrypted on a client computer. Ransomware can sometimes change the extensions of those files after encryption (for example, .ecc, .ezz, .zzz, .xyz, .abc, .ccc, .micro, or .encrypted).
File activities on the client computer are checked in real time, and if any suspicious files are detected, they are reported as an abnormal activity to the CommCell administrator by an alert and an event. After an alert is sent, the system waits 1 hour. After 1 hour, the system begins monitoring the client computer again for new abnormal activities.
Configure the File Activity Anomaly Alert to receive alerts when abnormal activities are detected.
Note
To skip an extension from anomaly monitoring, add the sExcludeExtensions additional setting.
Monitoring File Type Anomalies in Backup Jobs
Note
This applies only to Windows client computers.
By default, Commvault checks for the possible presence of ransomware by monitoring backup jobs on client computers every 4 hours to see if there are mismatches between the file types and the file extensions of backed-up files. Commvault reads the first 36 KB of data of each file and detects the presence of any MIME type anomaly. When the number of files with MIME type anomalies exceeds 10% of the total number of files that are backed up, Commvault immediately sends an anomaly alert to the CommCell administrator and also displays an event message.
- Configure the File Activity Anomaly Alert to receive alerts when MIME type anomalies are detected.
- Add the DetectMimeType additional setting to client computers to enable the MIME file type check, as shown in the following table.
For information about adding an additional setting from the CommCell Console, see Adding an Additional Setting from the CommCell Console.
| Property | Value |
|---|---|
| Name | DetectMimeType |
| Category | FileSystemAgent |
| Type | Integer |
| Value | 1 (enabled) |
- The Unusual file activity panel in the Command Center displays information about the list of file type anomalies in the backup jobs. For more information, see Monitoring Unusual File Activity and Ransomware Detection.
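The file type check described above, as an added example that is not Commvault's own code: the first 36 KB of each backed-up file is matched against a small magic-byte table, the result is compared with the type implied by the extension, and an alert is raised when more than 10% of the files in the job disagree. The signature table, the extension map and the sample backup set are constructed for the example.

```python
HEAD_BYTES = 36 * 1024  # only the head of each file is inspected, as on the page
# Assumed magic-byte table (a real detector carries far more signatures).
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",  # docx/xlsx/pptx are ZIP containers
}
EXT_TYPE = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
            "docx": "zip", "xlsx": "zip", "pptx": "zip"}

def sniff(head: bytes):
    """Return the content type implied by the leading bytes, or None."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None

def is_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a type the file header does not show."""
    ext = name.rsplit(".", 1)[-1].lower()
    expected = EXT_TYPE.get(ext)
    if expected is None:
        return False  # unknown extension: nothing to compare against
    return sniff(data[:HEAD_BYTES]) != expected

def anomaly_ratio(files: dict):
    """files maps name -> content. Returns (fraction mismatched, names)."""
    bad = [n for n, d in files.items() if is_mismatch(n, d)]
    return (len(bad) / len(files) if files else 0.0), bad

def should_alert(files: dict, threshold: float = 0.10):
    """Apply the 10% rule from the page; returns (alert?, ratio, names)."""
    ratio, bad = anomaly_ratio(files)
    return ratio > threshold, ratio, bad

# Constructed sample backup set: 12 files, 2 of which no longer carry the
# header their Office extension implies (e.g. after being overwritten).
SAMPLE = {f"report{i}.docx": b"PK\x03\x04" + bytes(64) for i in range(8)}
SAMPLE["photo.jpg"] = b"\xff\xd8\xff\xe0" + bytes(32)
SAMPLE["readme.txt"] = b"hello"  # extension not in the map, ignored
SAMPLE["budget.docx"] = bytes(range(200, 256))
SAMPLE["notes.xlsx"] = bytes(range(200, 256))
```

With this sample, 2 of 12 files (about 16.7%) mismatch, so should_alert(SAMPLE) reports an alert, whereas 1 mismatch in 11 files stays under the threshold.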