The Unusual file activity report for File Type Anomaly Detection in Backup Jobs summarizes the file type anomalies on backed up files gathered from all Windows clients that have Commvault Platform Release 2022E or a more recent platform release.
You can use this report to track files that have a mismatch in the file type metadata and the file extension. A file type mismatch may occur if the file is encrypted or corrupted by malware attacks.
The anomaly check is supported for the following file extensions:
|
"doc","docx","docm","dot","dotx","dotm","eml","mpd","mpp","mpt","msg","ops","odg","odp","ods","odt","pa","pages","pdf","pot","potm","pots","ppa","ppam","pps","ppsm","ppsx","ppt","pptm","pptx","sldm","sldx","xl","xla","xlam","xll","xlm","xls","xlsb","xlsm","xlsx","xlt","xltm","xltx","acl","one","pgs","pub","rdf","wbk","xml","vss","vsdx","vsdm","vssx","vssm","vstx","vstm","vmdk","com","exe","dll","dmg","ipa","msi","pkg","rpm","so","jar","emlx","eml","msf","mbox","nsf","zip","rar","7z","gz","tar","bz2","xz","cab","csv","tsv","vcd","toast" |
The anomaly check is performed on backup jobs that use File Indexing Version 2. The backup jobs are checked every 4 hours for any file type anomaly and the files are flagged in the index server. The threshold value to report the anomaly is calculated based on the percentage of anomaly files in the previous job + 5 %. Consider the following example:
-
Job 1: There are 100 files and 2 files are marked as invalid MIME. Because this is the first job, there is no anomaly reported for this job.
-
Job 2: Out of the 100 files, 4 files are marked as invalid MIME. The threshold value is 5% + 2% (from previous job) = 7%. The number of anomaly files is less than the threshold value, and therefore no anomaly is reported.
-
Job 3: Out of the 100 files, 15 files are marked as invalid MIME. The threshold value is 5% + 4% (from previous job) = 9%. The number of anomaly files is greater than the threshold value. An anomaly entry is reported and the software sends an anomaly alert to the CommCell administrator and displays an event message in the CommCell Console.
When the number of files with the anomaly exceed 10% of the total number of files backed up, the software sends an anomaly alert to the CommCell administrator and displays an event message in the CommCell Console.
The following options are available in the upper-right corner of the page in the report:
-
To clear anomalies of a client with unusual file activity, from the client list in the report, click Delete anomaly.
-
To recover a client that has unusual file activity, as a VM, click Recover as VM.
The file version prior to the anomaly is recovered.
-
To restore a file from a client that has unusual file activity, click Recover files.
The file version prior to the anomaly is recovered.
Report Description
The Unusual file activity report for for File Type Anomaly Detection in Backup Jobs is divided into the following sections: Unusual file activity chart and Suspicious files table.
Unusual File Activity Chart
This chart displays the number of anomalies in each backup job.
The following image is an example of the unusual file activity for file type anomaly detection chart section:
Suspicious Files Table
The following table includes descriptions of columns in the Suspicious Files table.
|
Column |
Description |
|---|---|
|
File name |
The file name of the affected file. |
|
Path |
The path to the affected file. |
|
Size |
The size of the affected file. |
|
Detected time |
The time when the anomaly was detected. |
|
Actions |
|
, and then click Restore.