Anomaly Detection On Client Computers


Commvault detects anomalies by monitoring client computers as follows:

  • Monitoring Commvault canary files

  • Monitoring file anomalies

  • Monitoring file encryption activities

  • Monitoring file type anomalies in backup jobs

Note

Monitoring client computers does not cause additional CPU load on the CommServe computer or on the client computers.

Monitoring Commvault Canary Files

Note

Canary file monitoring can be enabled on virtualized environments by installing the base Windows or UNIX file system restore-only client in the virtual machine guest host. For more information, see Installation of Restore Only Agents.

Commvault automatically checks client computers for the possible presence of malware (such as ransomware) using the canary file method. Because such malware typically targets user files such as MS Office documents and multimedia files, Commvault places canary files, decoys that look like those files, on servers so that the malware attacks them before it reaches your real data.

If a canary file is encrypted by malware, Commvault sends an anomaly alert and an event message in near real time on Windows (and every four hours on Linux), as follows:

  • The File Activity Anomaly Alert is configured by default to send out an alert notification to all users included in the Master CommCell User Group.

    For more information, see Alerts and Notifications - Predefined Alerts.

  • The following event message is displayed if Commvault detects the presence of malware on a client computer:

    An irregularity in the amount of file activity was detected on the machine [clientName]. Please alert your administrator.
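The canary method described above, as an added example (this is not Commvault code and does not reproduce its implementation): decoys with known content are planted, their hashes recorded, and a later check reports any decoy whose content changed or that disappeared. The file names, contents and the overwriting "encryptor" are constructed for the example.

```python
"""Canary-file integrity check, as an added example (not Commvault code).

Decoys with known content are written where an encryptor would look
first; the check rehashes them and reports any decoy that changed,
disappeared, or was renamed away.
"""
import hashlib
import os
import tempfile

# Constructed decoy set: name -> content. Names mimic the user documents
# and media that ransomware typically targets.
CANARY_FILES = {
    "Budget-2023.docx": b"PK\x03\x04 canary document, do not edit\n",
    "Family-Photo.jpg": b"\xff\xd8\xff\xe0 canary image, do not edit\n",
}


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(directory):
    """Write the decoys and return the baseline {path: sha256}."""
    baseline = {}
    for name, content in CANARY_FILES.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        baseline[path] = sha256_of(path)
    return baseline


def check_canaries(baseline):
    """Return [(path, reason)] for every decoy that no longer matches the
    baseline. An empty list means no anomaly."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            # Encryptors often write <name>.<new ext> and delete the original.
            findings.append((path, "missing or renamed"))
        elif sha256_of(path) != expected:
            findings.append((path, "content changed"))
    return findings


def simulate_ransomware(path):
    """Constructed stand-in for an encryptor: overwrite the decoy with
    random bytes, which is what ciphertext looks like on disk."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(64))


def demo():
    """Plant, verify clean, damage both decoys, verify the findings."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        clean = check_canaries(baseline)
        simulate_ransomware(os.path.join(d, "Budget-2023.docx"))
        os.remove(os.path.join(d, "Family-Photo.jpg"))  # original deleted
        after = check_canaries(baseline)
    return clean, [(os.path.basename(p), why) for p, why in after]


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

A real deployment would run check_canaries on a timer (the role nTimer_CheckForRansomware plays for Commvault's check) and treat any finding as an alert; the hash comparison also catches partial overwrites that an extension-only check would miss.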

To control the frequency with which the canary file check occurs, create the nTimer_CheckForRansomware additional setting on the client computer or the client group as shown in the following table:

Property    Value
Name        nTimer_CheckForRansomware
Category    QMachineMaint
Type        Integer
Value       0 to 4294967295 (value in minutes)

For information on adding an additional setting from the CommCell Console, see Add or Modify an Additional Setting.

To define additional directories (other than the default directories) where canary files are created and monitored, create the CVContentFileYesDirs additional setting on the client computer or the client group as shown in the following table:

Property    Value
Name        CVContentFileYesDirs
Category
Type        Integer

Monitoring File Anomalies

Note

Anomaly detection can be enabled on virtualized environments by installing the base Windows file system restore-only client in the virtual machine guest host. For more information, see Installation of Restore Only Agents.

By default, Commvault checks for the possible presence of ransomware by detecting if a large number of files on a client computer are created, deleted, modified, or renamed. The system looks for such file anomalies on client computers by using the following methodology:

  • For the first 7 days, client computers are monitored and analyzed in order to establish a baseline of day-to-day file activities. After those 7 days, if a large number of abnormal file activities are detected, the system sends alerts and event messages to the administrator.

  • Up to 30 days of file activities are maintained in a database on each client computer for use by the monitoring algorithm.

Configure the File Activity Anomaly Alert to receive alerts when abnormal activities are detected.

Note

You can use the sAnomalyFilters additional setting to skip a path from anomaly monitoring. However, note that this additional setting does not recognize paths that include special characters (for example, the character "é"). If a special character is present in a path, you cannot use the sAnomalyFilters additional setting to skip it from anomaly monitoring.
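The baseline-then-score scheme described above, as an added example (not Commvault code): the first 7 days of per-day event counts only train the baseline, later days are compared against it, at most 30 days of history are kept, and a prefix list excludes paths from counting, which is the role sAnomalyFilters plays for Commvault. The 4-standard-deviation cut-off, the event format and the daily counts are assumptions constructed for the example; the page does not state how Commvault scores a day.

```python
"""File-activity anomaly detection against a learned baseline, as an
added example (not Commvault code). The first 7 days train a per-client
baseline, later days are scored against it, and at most 30 days of
history are retained.
"""
import statistics
from collections import deque

LEARNING_DAYS = 7
RETENTION_DAYS = 30
# Assumed cut-off (not stated on the page): a day is anomalous when its
# event count exceeds the baseline mean by more than 4 standard deviations.
Z_THRESHOLD = 4.0


class FileActivityMonitor:
    """Rolling per-day counts of create/delete/modify/rename events for
    one client, plus path prefixes excluded from counting."""

    def __init__(self, skip_prefixes=()):
        self.history = deque(maxlen=RETENTION_DAYS)
        self.skip_prefixes = tuple(p.lower() for p in skip_prefixes)

    def counted(self, event):
        return not event["path"].lower().startswith(self.skip_prefixes)

    def observe_day(self, events):
        """Score one day of events (dicts with 'path' and 'op').
        Returns (count, is_anomaly); is_anomaly is always False while the
        baseline is still being learned."""
        count = sum(1 for e in events if self.counted(e))
        if len(self.history) < LEARNING_DAYS:
            self.history.append(count)
            return count, False
        mean = statistics.fmean(self.history)
        # A very regular client can have a standard deviation near zero;
        # floor it so a handful of extra files does not trip the detector.
        stdev = max(statistics.pstdev(self.history), 1.0)
        anomaly = count > mean + Z_THRESHOLD * stdev
        if not anomaly:
            # Anomalous days stay out of the baseline so an attack cannot
            # teach the detector that mass changes are normal.
            self.history.append(count)
        return count, anomaly


def make_day(n, op="modify", prefix="C:\\Users\\alice\\Documents\\"):
    """Constructed day of n file events under one directory."""
    return [{"path": f"{prefix}file{i}.docx", "op": op} for i in range(n)]


def demo():
    """Seven learning days, one normal day, one mass-rename day, and one
    day of noise under an excluded path."""
    mon = FileActivityMonitor(skip_prefixes=["C:\\Temp\\"])
    results = []
    for n in (100, 95, 110, 98, 104, 92, 101):           # learning week
        results.append(mon.observe_day(make_day(n)))
    results.append(mon.observe_day(make_day(103)))                   # normal
    results.append(mon.observe_day(make_day(5000, op="rename")))     # burst
    results.append(mon.observe_day(make_day(5000, prefix="C:\\Temp\\")))
    return results


if __name__ == "__main__":
    for day, (count, anomaly) in enumerate(demo(), start=1):
        print(f"day {day}: {count} events, anomaly={anomaly}")
```

The prefix filter here is a plain string comparison and handles characters such as "é" like any other; the limitation in the note above concerns the sAnomalyFilters setting, not path filtering in general.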

Monitoring File Encryption Activities

Note

This applies only to Windows client computers.

By default, Commvault checks for the possible presence of ransomware by detecting if files have been encrypted on a client computer. Ransomware can sometimes change the extensions of those files after encryption (for example, .ecc, .ezz, .zzz, .xyz, .abc, .ccc, .micro, .encrypted, etc.).

File activities on the client computer are checked in real time. If any suspicious files are detected, they are reported as abnormal activity to the CommCell administrator by an alert and an event. After an alert is sent, the system waits 1 hour before it resumes monitoring the client computer for new abnormal activities.

Configure the File Activity Anomaly Alert to receive alerts when abnormal activities are detected.

Note

To skip an extension from anomaly monitoring, add the sExcludeExtensions additional setting.
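The real-time check described in this section, as an added example (not Commvault code): a stream of file events is classified, known ransomware extensions from the list above trip an alert, an exclusion list plays the role of sExcludeExtensions, and after an alert the client is not re-alerted for one hour. The page does not say how Commvault decides that a file has been encrypted; the Shannon-entropy test on written bytes used here as a second signal, its 7.5 bits/byte threshold, the event format and the sample events are all assumptions constructed for the example.

```python
"""Detecting file-encryption activity from a stream of file events, as an
added example (not Commvault code). Known ransomware extensions trip an
alert, excluded extensions are ignored, a high-entropy write is treated
as a second signal, and after an alert the client is left alone for one
hour before monitoring resumes.
"""
import datetime as dt
import math
import os
from collections import Counter

# Extensions the page lists as ones ransomware appends after encrypting.
SUSPICIOUS_EXTENSIONS = {".ecc", ".ezz", ".zzz", ".xyz", ".abc", ".ccc",
                         ".micro", ".encrypted"}
# Assumption: a write whose bytes exceed this entropy (bits per byte) is
# ciphertext-like. Compressed media also scores high, so this signal is
# never used alone in practice.
ENTROPY_THRESHOLD = 7.5
ALERT_COOLDOWN = dt.timedelta(hours=1)


def shannon_entropy(data):
    """Bits of entropy per byte (around 4 for text, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class EncryptionActivityDetector:
    def __init__(self, exclude_extensions=()):
        # Plays the role of an exclusion list such as sExcludeExtensions.
        self.excluded = {e.lower() for e in exclude_extensions}
        self.suppressed_until = None

    def classify(self, event):
        """Return a reason if `event` looks like encryption, else None.
        event = {'time': datetime, 'op': str, 'path': str, 'sample': bytes}."""
        ext = os.path.splitext(event["path"])[1].lower()
        if ext in self.excluded:
            return None
        if event["op"] in ("create", "rename") and ext in SUSPICIOUS_EXTENSIONS:
            return f"ransomware extension {ext}"
        sample = event.get("sample", b"")
        if (event["op"] in ("create", "modify") and len(sample) >= 256
                and shannon_entropy(sample) > ENTROPY_THRESHOLD):
            return "high-entropy write"
        return None

    def process(self, event):
        """Return 'alert: <reason>', 'suppressed' (inside the one-hour
        cool-down after an alert) or None."""
        reason = self.classify(event)
        if reason is None:
            return None
        now = event["time"]
        if self.suppressed_until is not None and now < self.suppressed_until:
            return "suppressed"
        self.suppressed_until = now + ALERT_COOLDOWN
        return "alert: " + reason


def demo():
    """Constructed event stream for one client; .xyz is excluded to show
    the exclusion list in effect."""
    t0 = dt.datetime(2023, 1, 1, 9, 0, 0)
    det = EncryptionActivityDetector(exclude_extensions=[".xyz"])
    events = [
        {"time": t0, "op": "modify",
         "path": r"C:\Users\alice\notes.txt", "sample": b"plain text " * 40},
        {"time": t0 + dt.timedelta(seconds=1), "op": "rename",
         "path": r"C:\Users\alice\budget.xlsx.xyz"},
        {"time": t0 + dt.timedelta(seconds=2), "op": "rename",
         "path": r"C:\Users\alice\budget.xlsx.ecc"},
        {"time": t0 + dt.timedelta(minutes=5), "op": "create",
         "path": r"C:\Users\alice\photo.jpg.micro"},
        {"time": t0 + dt.timedelta(hours=1, minutes=1), "op": "modify",
         "path": r"C:\Users\alice\report.docx", "sample": bytes(range(256)) * 16},
    ]
    return [det.process(e) for e in events]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fourth event is a genuine hit that is deliberately swallowed: it arrives five minutes after the first alert, inside the cool-down. That is the trade-off the one-hour wait makes, fewer duplicate alerts during an outbreak at the cost of not reporting each file individually.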

Monitoring File Type Anomalies in Backup Jobs

Note

This applies only to Windows client computers.

By default, Commvault checks for the possible presence of ransomware by monitoring backup jobs on client computers for mismatches between the file type that a backed-up file's content indicates and the type that its extension claims. Commvault reads the first 36 KB of each file to determine its MIME type and compares it with the file extension. When the number of files with MIME type anomalies exceeds 10% of the total number of files that are backed up, Commvault immediately sends an anomaly alert to the CommCell administrator and also displays an event message.
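The content-versus-extension check described above, as an added example (not Commvault code): the leading bytes of each file in a backup set are matched against a signature table, compared with the type the extension implies, and the job is flagged when more than 10% of its files mismatch. The 36 KB read window and the 10% threshold come from the page; the signature table, the extension map and the 20-file backup sets are constructed for the example and are far smaller than a real MIME database.

```python
"""File-type versus extension mismatch check over a backup set, as an
added example (not Commvault code). Each file's leading bytes are
compared with the type its extension implies; when more than 10% of the
files in a job mismatch, the job is flagged.
"""
import os
import tempfile

HEADER_BYTES = 36 * 1024        # read window stated on the page
MISMATCH_THRESHOLD = 0.10       # fraction of files that triggers the alert

# Constructed, deliberately small signature table: magic bytes -> type.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),     # docx/xlsx/pptx are zip containers
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# The type each extension is expected to contain.
EXPECTED_TYPE = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip",
                 ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}


def sniff_type(header):
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"


def is_mismatch(path):
    """True if the extension has a known expected type and the content
    does not match it. Extensions not in the map are not judged, which
    keeps unknown-but-legitimate formats from inflating the ratio."""
    expected = EXPECTED_TYPE.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return False
    with open(path, "rb") as fh:
        header = fh.read(HEADER_BYTES)
    return sniff_type(header) != expected


def scan_backup_set(paths):
    """Summarise one job: how many files mismatch and whether to alert."""
    mismatched = [p for p in paths if is_mismatch(p)]
    ratio = len(mismatched) / len(paths) if paths else 0.0
    return {"total": len(paths), "mismatched": len(mismatched),
            "ratio": ratio, "alert": ratio > MISMATCH_THRESHOLD}


def build_job(directory, n_encrypted):
    """Constructed backup set: 20 .docx files, the first n_encrypted of
    them overwritten with ciphertext-like bytes but keeping their name,
    which is what an in-place encryptor leaves behind."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for i in range(20):
        path = os.path.join(directory, f"doc{i}.docx")
        content = b"PK\x03\x04" + b"\x00" * 100          # valid container
        if i < n_encrypted:
            content = bytes(range(255, -1, -1)) * 4      # no zip magic
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return paths


def demo():
    """One set with a single odd file (5%, below threshold) and one with
    three (15%, above threshold)."""
    with tempfile.TemporaryDirectory() as d:
        healthy = scan_backup_set(build_job(os.path.join(d, "a"), 1))
        infected = scan_backup_set(build_job(os.path.join(d, "b"), 3))
    return healthy, infected


if __name__ == "__main__":
    for label, result in zip(("healthy", "infected"), demo()):
        print(label, result)
```

The ratio, rather than a single mismatch, is what makes this usable: one user saving a PDF under a .docx name is noise, while a sizeable fraction of a job whose contents no longer match their names is the signature of in-place encryption.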

Monitoring Backup Job Anomalies for VSA Clients (Without Guest Agents)

You can monitor for file activity anomalies for virtual machine backups without installing File System agents within the VM guest. Anomalies are triggered after backups have completed. You can view the anomalies on the Unusual file activity report.

For more information, see Unusual File Activity Report for Backup Job Anomalies - VSA.