Configuring Ransomware Protection for a Disk Library on a GPFS Share

To enable the support for ransomware protection for a newly configured disk library on a GPFS share, you must configure the context for the mount location manually in the /etc/fstab system file.

Before You Begin

  • Review the system requirements and the considerations for ransomware protection.

  • If any disk libraries or mount paths that are mounted are already present on the MediaAgent, you must take a backup of the /etc/fstab system file. Execute the following command:

    cp /etc/fstab /etc/fstab.backupfile
  • Make a note of the instance ID of the MediaAgent computer. Execute the following command:

    commvault status
  • You must set the MediaAgent on maintenance mode because the operations in the procedure require a reboot and perform unmount and mount of the disk libraries.

  • If the MediaAgent is a client computer, make sure that there are no active backup or restore operations running on the MediaAgent.

  • If the MediaAgent is on Ubuntu 20.04 operating system, you must disable apparmor service.

    Execute the following commands:

    # systemctl stop apparmor.service
    # systemctl disable apparmor.service
  • The supported version of GPFS is 5.2 and later version.


  1. Login to your MediaAgent.

  2. If the MediaAgent runs RHEL / CentOS 8.x kernel, then install Python 3.x version if it is not already present. Run the following command:

    ln -s /usr/bin/python3 /usr/bin/python
  3. Go to the /opt/commvault/MediaAgent64 directory.

  4. To enable the ransomware protection, run the following command:

    ./ enable_protection -i I**nstanceID

    where InstanceID is the ID of the instance. For example, Instance001.

  5. Reboot the MediaAgent for the ransomware protection to take effect.

    The reboot operation is required only when you enable the protection for the first time.

  6. To make the GPFS mounts with security context persistent across reboots, execute the following commands:

    [root@gpfsnode1 bin]# pwd
    [root@gpfsnode1 bin]# ./mmchfs <GPFS_MP> -o context="system_u:object_r:cvstorage_t:s0"
    umount <GPFS_MP>
    mount <GPFS_MP>
  7. After the MediaAgent is started successfully, go to the /opt/commvault/MediaAgent64 directory.

  8. To load the Commvault SELinux policy, run the restart_cv_services command.

    ./ restart_cv_services -i InstanceID

  9. Turn off the maintenance mode on the MediaAgent.


  • The software logs the activities of the ransomware protection in the /var/log/cvsecurity.log file.

  • The software logs any unauthorized activities in the /var/log/audit/audit.log file.