Configuring Ransomware Protection for a Linux MediaAgent

You can configure ransomware protection for a Linux MediaAgent.

Before You Begin

  • Review the system requirements and the considerations for ransomware protection.

  • If any disk libraries or mount paths that are mounted are already present on the MediaAgent, you must take a backup of the /etc/fstab system file. Execute the following command:

    cp /etc/fstab /etc/fstab.backupfile
  • Make a note of the instance ID of the MediaAgent computer. Execute the following command:

    commvault status
  • You must set the MediaAgent on maintenance mode because the operations in the procedure require a reboot and perform unmount and mount of the disk libraries.

  • If the MediaAgent is a client computer, make sure that there are no active backup or restore operations running on the MediaAgent.

  • If the MediaAgent is on Ubuntu 20.04 operating system, you must disable apparmor service.

    Execute the following commands:

    # systemctl stop apparmor.service
    # systemctl disable apparmor.service


  1. Login to your MediaAgent.

  2. If the MediaAgent runs RHEL / CentOS 8.x kernel, then install Python 3.x version if it is not already present. Run the following command:

    ln -s /usr/bin/python3 /usr/bin/python
  3. Go to the /opt/commvault/MediaAgent64 directory.

  4. To enable the ransomware protection, run the following command:

    ./ enable_protection -i I**nstanceID

    where InstanceID is the ID of the instance. For example, Instance001.


    If any disk libraries or mount paths that are mounted are already present on the MediaAgent, then you need not run the protect_disk_library command. The enable_protection command performs the operations that are done by the protect_disk_library command such as updating the context in the /etc/fstab file and performing unmount and mount of the disk library.

  5. Reboot the MediaAgent for the ransomware Protection to take effect.

    The reboot operation is required only when you enable the protection for the first time.

  6. After the MediaAgent is started successfully, go to the /opt/commvault/MediaAgent64 directory.

  7. To load the Commvault SELinux policy, run the restart_cv_services command.

    ./ restart_cv_services -i InstanceID

  8. Turn off the maintenance mode on the MediaAgent.

What to Do Next

If you create a library configured using local or external disk storage later, the library is protected from ransomware. However, if you create a shared library with the mount path on an NFS share, then you must configure ransomware protection for the library.


  • The software logs the activities of the ransomware protection in the /var/log/cvsecurity.log file.

  • The software logs any unauthorized activities in the /var/log/audit/audit.log file.