Unusual File Activity Report for File Type Anomaly Detection in Backup Jobs

The Unusual file activity report for File Type Anomaly Detection in Backup Jobs summarizes the file type anomalies on backed up files gathered from all Windows clients that have Commvault Platform Release 2022E or a more recent platform release.

You can use this report to track files whose file type metadata does not match the file extension. A file type mismatch may occur if the file is encrypted or corrupted by malware attacks.

The anomaly check is supported for the following file extensions:

"doc","docx","docm","dot","dotx","dotm","eml","mpd","mpp","mpt","msg","ops","odg","odp","ods","odt","pa","pages","pdf","pot","potm","pots","ppa","ppam","pps","ppsm","ppsx","ppt","pptm","pptx","sldm","sldx","xl","xla","xlam","xll","xlm","xls","xlsb","xlsm","xlsx","xlt","xltm","xltx","acl","one","pgs","pub","rdf","wbk","xml","vss","vsdx","vsdm","vssx","vssm","vstx","vstm","vmdk","com","exe","dll","dmg","ipa","msi","pkg","rpm","so","jar","emlx","eml","msf","mbox","nsf","zip","rar","7z","gz","tar","bz2","xz","cab","csv","tsv","vcd","toast"

The anomaly check is performed on backup jobs that use File Indexing Version 2. Each backup job is checked for file type anomalies, and the affected files are flagged in the index server. The threshold for reporting an anomaly is the percentage of anomaly files in the previous job plus 5%. Consider the following example:

  • Job 1: There are 100 files and 2 files are marked as invalid MIME. Because this is the first job, there is no anomaly reported for this job.

  • Job 2: Out of the 100 files, 4 files are marked as invalid MIME. The threshold value is 5% + 2% (from previous job) = 7%. The number of anomaly files is less than the threshold value, and therefore no anomaly is reported.

  • Job 3: Out of the 100 files, 15 files are marked as invalid MIME. The threshold value is 5% + 4% (from previous job) = 9%. The number of anomaly files is greater than the threshold value. An anomaly entry is reported and the software sends an anomaly alert to the CommCell administrator and displays an event message in the CommCell Console.

When the number of files with the anomaly exceeds 10% of the total number of files backed up, the software sends an anomaly alert to the CommCell administrator and displays an event message in the CommCell Console.
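The threshold rule above, worked through in Python as an added example (not Commvault code). The magic-byte comparison in `is_mismatch` is an assumed stand-in for the product's file type check, which this page does not describe; treating the 10% rule as a separate flag is also an assumption, and all file data is constructed.

```python
# Added example, not Commvault code. Magic-byte sniffing is an assumed
# stand-in for the product's file type check, which the page does not describe.
MAGIC = {
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",   # OOXML files are ZIP containers
    "exe": b"MZ",
    "dll": b"MZ",
    "gz": b"\x1f\x8b",
}

def is_mismatch(name, head):
    """True when a known extension does not match the file's leading bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sig = MAGIC.get(ext)
    return sig is not None and not head.startswith(sig)

def anomaly_pct(files):
    """Percentage of (name, head) pairs in one job that fail the check."""
    if not files:
        return 0.0
    return 100.0 * sum(is_mismatch(n, h) for n, h in files) / len(files)

def evaluate_jobs(pcts, margin=5.0, absolute=10.0):
    """Apply the page's rule: threshold = previous job's percentage + 5%.
    The first job has no baseline, so it is never reported."""
    results, prev = [], None
    for pct in pcts:
        threshold = None if prev is None else prev + margin
        results.append({
            "pct": pct,
            "threshold": threshold,
            "reported": threshold is not None and pct > threshold,
            "over_10pct": pct > absolute,   # the separate 10% alert rule
        })
        prev = pct
    return results

def make_job(total, bad):
    """Constructed sample job: `bad` of `total` PDFs carry non-PDF leading bytes."""
    good = [(f"doc{i}.pdf", b"%PDF-1.7\n") for i in range(total - bad)]
    enc = [(f"enc{i}.pdf", b"\x8a\x13\xf0\x5c\x99\x02") for i in range(bad)]
    return good + enc

JOBS = [make_job(100, 2), make_job(100, 4), make_job(100, 15)]
if __name__ == "__main__":
    for n, r in enumerate(evaluate_jobs([anomaly_pct(j) for j in JOBS]), 1):
        print(n, r)
```

The three constructed jobs reproduce Job 1 to Job 3 from the example: only the third job exceeds its threshold.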

The following options are available in the upper-right corner of the page in the report:

  • To clear anomalies of a client with unusual file activity, from the client list in the report, click Delete anomaly.

  • To recover a client that has unusual file activity as a VM, click Recover as VM.

    The file version prior to the anomaly is recovered.

  • To restore a file from a client that has unusual file activity, click Recover files.

    The file version prior to the anomaly is recovered.

Report Description

The Unusual file activity report for File Type Anomaly Detection in Backup Jobs is divided into the following sections: Unusual file activity chart and Suspicious files table.

Unusual File Activity Chart

This chart displays the number of anomalies in each backup job.

The following image is an example of the unusual file activity for file type anomaly detection chart section:

[Image: Unusual File Activity Report for File Type Anomalies]

Suspicious Files Table

The following table includes descriptions of columns in the Suspicious Files table.

Column: Description

File name: The file name of the affected file.

Path: The path to the affected file.

Size: The size of the affected file.

Detected time: The time when the anomaly was detected.

Actions:

  • To restore a good version of the file, click the action button, and then click Restore.

    The version of the file that existed before the anomaly is restored.

  • To ignore an anomaly, click the action button, and then click Mark safe.

  • To download the file that has the anomaly, click the action button, and then click Download.

  • To view all the affected files in a file path, click the action button, and then click Open folder.

    A window that lists all the affected files in the file path appears. You can ignore, download, or restore the good version of all the affected files.
