The File extension file activity report displays information related to the possible presence of ransomware. Commvault monitors Windows file system backup jobs to detect if files have been encrypted. Ransomware can sometimes change the extensions of those files after encryption (for example, .ecc, .ezz, .zzz, .xyz, .abc, .ccc, .micro, .encrypted, etc.).
As part of Windows file system backups, Commvault scans for information on these file types (under the subclient content in the default backupset) to establish a baseline. Once the baseline has been established, subsequent incremental jobs continue to scan for information on these file types and identify potential file renames. Commvault then runs machine learning algorithms on the observed datapoints to identify if there has been abnormal activity resulting in a large number of file renames.
Report Description
The Unusual file activity report for file-related anomalies is divided into the following sections: File extension trend chart and Suspicious files data.
File Extension Trend
This chart displays information about the number of files that were backed up per backup job in the Commvault environment.
The following image is an example of the file extension trend chart:
Click a node on the chart to open the event details for the backup job. The following image is an example of the event details for a job:
Suspicious Files Table
The following table includes descriptions for all columns in the Suspicious files table.
|
Column |
Description |
|---|---|
|
File name |
The name of the suspicious file. |
|
Path |
The file path of the suspicious file. |
|
Size |
The size of the susicious file. |
|
Modified time |
The time when the suspicious file was modified. |