Monitoring Unusual File Activity

By default, Commvault monitors and analyzes your backup environment to identify the possible presence of ransomware on your infrastructure computers. Unusual changes in files and backup files (for example, large numbers of files being created, deleted, modified, or renamed) may indicate the presence of ransomware or other types of threats in your backup environment.

The Unusual file activity panel in the Command Center displays information about such anomalous file activity on active client computers and in backup jobs. This panel provides a single location for identifying this activity, and allows you to act on potential threats with quick and safe recovery options, as follows:

  • View file path information for the file anomalies and track anomaly trending information

  • Recover the most recent good versions of files

  • Recover the entire client computer as a virtual machine

Commvault bases its file anomaly thresholds on historical activity and machine-learning algorithms, which separate false positives from typical activity on the file system.
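The idea of deriving a threshold from historical activity can be illustrated with a simple statistical baseline. This is an added example, not Commvault's code or algorithm: the sample counts, the `k` multiplier, the `floor` value and the function names are assumptions made for illustration.

```python
from statistics import median

# Constructed sample: per-interval counts of file operations on one client
# (illustrative values, not real Commvault data).
HISTORY = {
    "created":  [12, 9, 15, 11, 10, 14, 13, 8],
    "modified": [40, 35, 52, 44, 38, 47, 41, 36],
    "renamed":  [1, 0, 2, 1, 0, 1, 0, 1],
    "deleted":  [3, 5, 2, 4, 3, 6, 2, 4],
}

def robust_threshold(samples, k=6.0, floor=20):
    """Upper bound = median + k * scaled MAD, never below a fixed floor.

    The median absolute deviation (MAD) is used instead of the standard
    deviation so one earlier burst in the history does not inflate the
    threshold. The floor keeps near-idle counters (such as renames) from
    alerting on a handful of operations.
    """
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return max(med + k * 1.4826 * mad, floor)

def detect_anomalies(history, current):
    """Return {activity: (observed, threshold)} for counts above threshold."""
    findings = {}
    for activity, observed in current.items():
        limit = robust_threshold(history[activity])
        if observed > limit:
            findings[activity] = (observed, round(limit, 1))
    return findings

if __name__ == "__main__":
    # A mass modify-and-rename burst stands out against the baseline.
    burst = {"created": 14, "modified": 900, "renamed": 850, "deleted": 5}
    print(detect_anomalies(HISTORY, burst))
```
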

You can configure alerts for when anomalous activities are detected. For more information, see File Activity Anomaly Alert.

Note

File anomalies that are older than 7 days are pruned automatically.

Where to Access the Panel

The Unusual file activity panel also displays anomalies in the file types of backed-up files on Windows client computers. An anomaly is displayed when the file type of a file does not match its file extension.

You can view the Unusual file activity panel in the Command Center.

Note

To view the Unusual file activity panel, both the client and the CommServe computer need to be at Feature Release 11.23 or higher.

Who Can View the Panel

The Unusual file activity panel for file and backup job anomalies is available to tenant administrators as well as to users who have the necessary permissions on the client computer with the anomaly.

What Is Monitored

  • Windows clients that have the file system package installed can be monitored for unusual activity on the file systems and in backup jobs.

  • Linux clients can be monitored for unusual activity in backup jobs.

  • Network shares can be monitored for unusual activity in backup jobs.

  • VSA and non-file system clients can be monitored if the file system package is installed in restore-only mode.

  • Backup jobs that utilize V2 indexing are monitored for any mismatch in the file type and file extension of the backed up files.

What You Can View in the Panel

The following tables include descriptions for all the columns in each tab in the Unusual file activity panel.

All Tab

| Column | Description |
| --- | --- |
| Name | The client computer. When you click the client computer, the following detailed reports are available: You can use the reports to analyze the statistics. |
| File anomaly type | The type of anomalous activity, such as the following: File activity, File type. |
| Detected time | The time when the anomaly was detected. |
| File Count | Number of files detected with the anomaly. |
| Actions | Click the action button, and then select one of the following options: to recover a client from the client list on the panel as a VM, click Recover as VM; to remove a client or multiple clients from the client list on the panel, click Clear anomaly. |

File Activity Tab

| Column | Description |
| --- | --- |
| Name | The client computer. When you click the client computer, the following detailed reports are available: You can use the reports to analyze the statistics. |
| File anomaly type | The type of anomalous file activity, such as the following: Creation, Modification, Renaming, Deletion. |
| Created files | The number of files that were created at the detected time. |
| Renamed files | The number of files that were renamed at the detected time. |
| Deleted files | The number of files that were deleted at the detected time. |
| Modified files | The number of files that were modified at the detected time. |
| Detected time | The time when the anomaly was detected. |
| Actions | Click the action button, and then select one of the following options: to recover a client from the client list on the panel as a VM, click Recover as VM; to remove a client or multiple clients from the client list on the panel, click Clear anomaly. |

File Type Tab

| Column | Description |
| --- | --- |
| Name | The client computer. When you click the client computer, the following detailed report is available: You can use the report to analyze the statistics. |
| File anomaly type | File type |
| Detected time | The time when the anomaly was detected. |
| File Count | Number of files detected with the anomaly. |
| Actions | Click the action button, and then select one of the following options: to recover a client from the client list on the panel as a VM, click Recover as VM; to remove a client or multiple clients from the client list on the panel, click Clear anomaly. |
