Requirement
If current MediaAgent version of the node is Feature Release 24, you must upgrade the MediaAgent version 24.19 or above and upgrade the Commvault File System (CVFS) RPM version to 4.5.1 or above. For instructions to upgrade the MediaAgent version, see Updating Commvault Software on a Server. For instructions to upgrade the CVFS version, see Installing Operating System Updates on Existing Nodes.
You can enable ransomware protection for a HyperScale MediaAgent. You must enable protection for all the nodes in a HyperScale environment. The software enables ransomware protection for the backup data, the Commvault metadata and the CVFS metadata on the MediaAgent computer.
Note
Ransomware protection is automatically enabled on new installations of the Commvault HyperScale X.
Before You Begin
-
Review the system requirements and the considerations for ransomware protection.
-
If any disk libraries or mount paths that are mounted are already present on the MediaAgent, you must take a backup of the /etc/fstab system file.
-
You must set the MediaAgent on maintenance mode because the operations in the procedure require a reboot and perform unmount and mount of the disk libraries.
-
If the MediaAgent is a client computer, make sure that there are no active backup or restore operations running on the MediaAgent.
Procedure
-
Login to your MediaAgent.
-
Stop the Comvault services.
commvault stop
-
Go to the /opt/commvault/MediaAgent64 directory.
-
Perform the following steps:
-
To enable the ransomware protection for the first time, complete the following steps:
-
Execute the following command:
./cvsecurity.py enable_protection -i InstanceID
where instanceID is the ID of the instance. For example, Instance001.
-
Reboot the MediaAgent for the ransomware protection to take effect.
The software enables ransomware protection for the backup data, the Commvault metadata and the CDS metadata.
-
-
If you already enabled ransomware protection for the backup data, then to also enable ransomware protection for the Commvault metadata and the CDS metadata on the MediaAgent computer, execute the following commands.
./cvsecurity.py protect_meta_data -i Instance001 ./cvsecurity.py restart_cv_services -i Instance001
Note
Take the following precautions:
-
Wait for the node to come online after you enable ransomware protection on the node and reboot the node. To ensure that the node is online, verify the
start_node
operation completes successfully in the /tmp/cvsecurity_hvcmd.log file. -
To verify that the protection is resumed successfully, run the sestatus command and check that the value for the Current mode parameter is set to enforcing.
-
Verify that the cluster is online and NFS vdisk is mounted. After reboot, you may experience some additional time for the cluster to be up and online depending on the amount of backup data present on the cluster.
-
Verify that the Commvault services are up and running. For instructions, see Using Process Manager to View and Manage Commvault Services.
Note
Do not enable ransomware protection on another node until you complete the above verification steps on the current node.
Repeat the above steps on all the nodes in the HyperScale environment.
-
-
For any unauthorized write access to the disk library on the MediaAgent that is protected by ransomware protection, you can configure to receive alerts that you can view in the Event Viewer of the CommCell Console and in the Audit Trail Report of the Command Center. By default, the software monitors the operations on MediaAgent for every 30 minutes, and sends alerts for any unauthorized events. You can use the event code 32:369 to configure alerts for these events. You can use the dRWProtectionAlertInterval additional setting to modify the time interval to monitor.
For instructions about configuring alerts, see Creating an Alert from the Alert Wizard.
Make the following selections when you configure alerts:
-
In the General Information window, select Operation for the Category and Event Viewer Events for the Type.
-
In the Entities Selection window, select the MediaAgents for which you want to receive alerts.
-
In the Threshold and Notification Criteria Selection window, select equals to criteria for Event Code, and then enter 32:659 in the box.
Note
- If you paused and resumed ransomware protection, you will get the following system alert and event.
Ransomware protection resumed from permissive to enforcing mode. Please check the logs for more details - If you disabled ransomware protection, you will get the following system alert and event.
Ransomware protection is in disabled state. Please check the logs for more details
-
Result
Ransomware protection will be enabled in the MediaAgent and can be viewed as follows:
-
From the navigation pane, go to Manage > Infrastructure.
The Infrastructure page appears.
-
Click the MediaAgent tile.
The MediaAgents page appears.
-
Click the MediaAgent in which you enabled ransomware
In the Control section, the Ransomware Protection toggle key will be enabled. (The toggle key will appear grayed out.)
Additional Information
-
The software logs the activities of the ransomware protection in the /var/log/cvsecurity.log file.
-
The software logs any unauthorized activities in the /var/log/audit/audit.log file.