Threat Detection - Threats

Threat Detection provides visibility into malware and encryption threats detected within backup data. Using Commvault Cloud Threat Scan, the system leverages multiple detection engines and models to identify malware and encryption-based threats with high levels of accuracy. Organizations can quickly isolate and respond to threats discovered across protected resources.

When threats are detected, the affected files are flagged as infected within the backup index; the index is then used to provide clean recovery and forensic recovery outcomes.

Commvault Cloud supports the following Threat Scan modes:

  • Scheduled scans (configured through Threat Detection plans)

  • Scans during restore operations

  • Cleanroom

  • Threat hunting operations (manual investigations)

Malware Detection

Malware detection identifies known or suspicious malicious software within backup data. Using multiple detection engines, including signature-based scanning, YARA rule matching, hash lookups, and machine learning classifiers, Commvault Cloud Threat Scan analyzes indexed backup content to detect ransomware, viruses, and other malware variants without impacting production systems.

Detection Logic

  • Intelligence Source: Signatures, Machine Learning, YARA, Hash

  • Operation: Detected during scheduled scans, restore scans, Cleanroom Threat Scan operations, and Threat Hunting (when malware detection is enabled)

  • Trigger Condition: When backups are scanned with the malware option enabled and malware is detected

Configuration

To enable Malware Detection, the resource must be assigned to a Threat Detection plan with malware detection enabled. To leverage YARA and Hash-based detection, YARA rules and hash lists must be imported into the Threat Detection plan.

Supported Workloads

  • Windows file system resources (Indexing Version 2)

  • Linux file system resources (Indexing Version 2)

  • Virtual Machines (Indexing Version 2)

  • Network shares (Indexing Version 2)

  • Cloud file objects

Encryption Detection

Encryption Detection identifies ransomware-driven or unauthorized file encryption activity within backup files.

Commvault Cloud Threat Scan employs a machine learning based encryption model trained to distinguish normal file content from encrypted data, providing greater accuracy, fewer false positives, and faster scan performance.

The detection process analyzes the structure and statistical properties of file data to identify encryption-like characteristics such as high entropy, data randomness, and irregular compression signatures, while avoiding any dependency on comparisons with prior backups. This enables precise detection of ransomware-encrypted content and accelerates identification of the last known clean restore point, ensuring rapid and reliable recovery.
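As an added illustration of the entropy-based approach described above (a constructed example, not Commvault's model or code), the following Python computes a blob's Shannon entropy, guards against the compressed-file false positive that the "compression signatures" point alludes to, and refuses to judge very small samples. The thresholds, magic-byte table and sample data are assumptions chosen for the demonstration.

```python
import gzip
import hashlib
import math
from collections import Counter

# Magic bytes of common compressed/container formats. Compressed data is also
# high-entropy, so a bare entropy threshold would misclassify it. This table is
# a constructed, minimal check; a production model uses far richer features.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"7z\xbc\xaf": "7z",
}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, threshold: float = 7.5, min_size: int = 256) -> str:
    """Return 'too-small', 'compressed', 'encryption-like' or 'plain'."""
    if len(data) < min_size:
        return "too-small"          # entropy of tiny samples is unreliable
    for magic in KNOWN_MAGIC:
        if data.startswith(magic):
            return "compressed"     # high entropy, but a recognizable header
    return "encryption-like" if shannon_entropy(data) >= threshold else "plain"

# Constructed samples (no real files involved).
def sample_encrypted(size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    chunks = (hashlib.sha256(b"sample-%d" % i).digest() for i in range(size // 32 + 1))
    return b"".join(chunks)[:size]

def sample_plain() -> bytes:
    return b"Quarterly report: revenue grew 4% year over year.\n" * 80

def sample_compressed() -> bytes:
    # gzip of random hex text: high-entropy output that carries the gzip magic
    hex_text = "".join(hashlib.sha256(b"c-%d" % i).hexdigest() for i in range(128)).encode()
    return gzip.compress(hex_text)

if __name__ == "__main__":
    for name, blob in [("plain", sample_plain()), ("compressed", sample_compressed()),
                       ("random", sample_encrypted())]:
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} -> {classify(blob)}")
```

Running it prints the three verdicts; the compressed sample scores nearly as high in entropy as the pseudo-ciphertext, which is why a header check (or a richer model) is needed alongside entropy.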

Detection Logic

  • Telemetry Source: AI-based model trained on encrypted and non-encrypted datasets

  • Operation: Detected during scheduled scans, restore scans, Cleanroom Threat Scans, and Threat Hunting (when encryption detection is enabled)

  • Trigger Condition: Triggered when backup content exhibits encryption-like properties or file entropy indicative of ransomware encryption patterns

Configuration

To enable Encryption Detection, the resource must be assigned to a Threat Detection plan. The Threat Detection plan automatically configures indexing and anomaly detection for supported workloads.

Supported Workloads

  • Windows file system resources (Indexing Version 2)

  • Linux file system resources (Indexing Version 2)

  • Virtual Machines (Indexing Version 2)

  • Network shares (Indexing Version 2)

  • Cloud file objects
