Anomaly Detection On Client Computers

Commvault detects anomalies by monitoring client computers as follows:

  • Monitoring Commvault canary files

  • Monitoring file anomalies

  • Monitoring file encryption activities

  • Monitoring file type anomalies in backup jobs

Note

Monitoring client computers does not cause additional CPU load on the CommServe computer or on the client computers.

Monitoring Commvault Canary Files

Note

Canary file monitoring can be enabled on virtualized environments by installing the base Windows or UNIX file system restore-only client in the virtual machine guest host. For more information, see Installation of Restore Only Agents.

Commvault automatically checks for the possible presence of malware (such as ransomware) on client computers using the canary file method. Since malware typically attacks user files such as MS Office documents and multimedia files, Commvault places canary files on servers to act as decoys, prompting malware to attack them before they attack your real data.

If a canary file is encrypted by malware, Commvault sends an anomaly alert and an event message in near real time for Windows (and every four hours for Linux), as follows:

  • The Threat Indicators alert is configured by default to send out an alert notification to all users included in the Master CommCell User Group.

    For more information, see Alerts and Notifications - Predefined Alerts.

  • The following event message is displayed if Commvault detects the presence of malware on a client computer:

    An irregularity in the amount of file activity was detected on the machine [clientName]. Please alert your administrator.
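The decoy check described above, as an added example that is not Commvault's own code: decoys with random content are planted in user-looking directories, their SHA-256 is recorded, and a later pass reports any decoy that was overwritten, renamed with a new extension, or deleted. The decoy name, directory layout and hashing rule are assumptions for illustration; only the event text is taken from this page.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical decoy name (assumption, not Commvault's real canary layout):
# it looks like a user document so encrypting malware is drawn to it first.
CANARY_NAME = "~quarterly_budget.docx"


def plant_canary(directory: Path, size: int = 4096) -> Dict[str, str]:
    """Write a decoy file with random content and record its path and SHA-256."""
    path = directory / CANARY_NAME
    data = secrets.token_bytes(size)
    path.write_bytes(data)
    return {"path": str(path), "sha256": hashlib.sha256(data).hexdigest()}


def check_canaries(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per canary that is missing, renamed or whose content changed."""
    findings = []
    for rec in records:
        path = Path(rec["path"])
        if not path.exists():
            # Ransomware often writes an encrypted copy under a new extension
            # and deletes the original, so look for siblings that share the name.
            renamed = sorted(str(p) for p in path.parent.glob(path.name + ".*"))
            findings.append({"path": rec["path"], "reason": "missing",
                             "renamed_to": ", ".join(renamed)})
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if digest != rec["sha256"]:
            findings.append({"path": rec["path"], "reason": "content changed"})
    return findings


def event_message(client_name: str) -> str:
    """The event text this page says Commvault raises when a canary is hit."""
    return (f"An irregularity in the amount of file activity was detected on the "
            f"machine [{client_name}]. Please alert your administrator.")


def demo():
    """Plant two canaries, tamper with both in different ways, and re-check.

    Returns (reasons before tampering, reasons after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        dirs = [Path(tmp) / "Documents", Path(tmp) / "Pictures"]
        for d in dirs:
            d.mkdir()
        records = [plant_canary(d) for d in dirs]
        before = [f["reason"] for f in check_canaries(records)]

        # Constructed tampering, standing in for malware:
        # canary 1 is overwritten in place; canary 2 is overwritten and renamed.
        first = Path(records[0]["path"])
        first.write_bytes(secrets.token_bytes(4096))
        second = Path(records[1]["path"])
        second.write_bytes(secrets.token_bytes(4096))
        second.rename(second.with_name(second.name + ".encrypted"))

        after = [f["reason"] for f in check_canaries(records)]
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
    if after:
        print(event_message("fileserver01"))
```

Running the script plants the decoys in a temporary directory, simulates the two tampering patterns and prints the findings followed by the event text. In a real deployment the check would run on the timer this section describes and the hash records would be kept somewhere the monitored host cannot modify.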

To control the frequency with which the canary file check occurs, create the nTimer_CheckForRansomware additional setting on the client computer or the client group as shown in the following table:

For information on adding an additional setting from the CommCell Console, see Add or Modify an Additional Setting.

Property    Value
Name        nTimer_CheckForRansomware
Category    QMachineMaint
Type        Integer
Value       0 to 4294967295 (value in minutes)

To define additional directories (other than default directories) where canary files are created and monitored, create the CVContentFileYesDirs additional setting on the client computer or the client group as shown in the following table:

Property    Value
Name        CVContentFileYesDirs
Category
Type        Integer

Monitoring File Anomalies

Note

Anomaly detection can be enabled on virtualized environments by installing the base Windows file system restore-only client in the virtual machine guest host. For more information, see Installation of Restore Only Agents.

By default, Commvault checks for the possible presence of ransomware by detecting if a large number of files on a client computer are created, deleted, modified, or renamed. The system looks for such file anomalies on client computers by using the following methodology:

  • For the first 7 days, client computers are monitored and analyzed in order to establish a baseline of day-to-day file activities. After those 7 days, if a large number of abnormal file activities are detected, the system sends alerts and event messages to the administrator.

  • Up to 30 days of file activities are maintained in a database on each client computer for use by the monitoring algorithm.
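The baseline-then-detect method in the two bullets above, as an added example rather than Commvault's implementation: a per-client monitor keeps at most 30 days of daily counts for created, deleted, modified and renamed files, stays silent for the first 7 days, and afterwards flags any day whose count for an operation is far above the baseline. The scoring rule (mean plus three standard deviations, with a floor of 50 to ignore tiny counts) and the daily figures are assumptions constructed for this example.

```python
from collections import deque
from statistics import mean, pstdev
from typing import Dict, List, Optional

BASELINE_DAYS = 7     # page: the first 7 days only build the baseline
RETENTION_DAYS = 30   # page: up to 30 days of activity kept per client
OPERATIONS = ("created", "deleted", "modified", "renamed")


class FileActivityMonitor:
    """Per-client daily counters with a rolling baseline (assumed z-score rule)."""

    def __init__(self, sigma: float = 3.0, min_floor: int = 50):
        self.history = deque(maxlen=RETENTION_DAYS)  # oldest day drops off after 30
        self.sigma = sigma          # assumption: flag counts above mean + 3 sd
        self.min_floor = min_floor  # assumption: never alert on tiny absolute counts

    def record_day(self, counts: Dict[str, int]) -> Optional[Dict[str, dict]]:
        """Add one day's counts. Returns an anomaly report, or None while the
        baseline is still being built or nothing is out of the ordinary."""
        finding = None
        if len(self.history) >= BASELINE_DAYS:
            finding = self._evaluate(counts)
        self.history.append(dict(counts))
        return finding

    def _evaluate(self, counts):
        anomalous = {}
        for op in OPERATIONS:
            past = [day.get(op, 0) for day in self.history]
            threshold = max(self.min_floor, mean(past) + self.sigma * pstdev(past))
            if counts.get(op, 0) > threshold:
                anomalous[op] = {"count": counts.get(op, 0), "threshold": round(threshold, 1)}
        return anomalous or None


# Constructed daily counts for one client: 7 quiet baseline days, one more
# quiet day, then a day that looks like mass encryption (modify + rename).
CONSTRUCTED_DAYS: List[Dict[str, int]] = [
    {"created": 110, "deleted": 25, "modified": 380, "renamed": 8},
    {"created": 130, "deleted": 35, "modified": 420, "renamed": 12},
    {"created": 120, "deleted": 30, "modified": 400, "renamed": 10},
    {"created": 115, "deleted": 28, "modified": 390, "renamed": 9},
    {"created": 125, "deleted": 32, "modified": 410, "renamed": 11},
    {"created": 118, "deleted": 27, "modified": 395, "renamed": 7},
    {"created": 122, "deleted": 33, "modified": 405, "renamed": 13},
    {"created": 125, "deleted": 30, "modified": 410, "renamed": 10},
    {"created": 125, "deleted": 40, "modified": 18000, "renamed": 17500},
]


def run_simulation() -> List[Optional[Dict[str, dict]]]:
    """Feed the constructed days through the monitor; one result per day."""
    monitor = FileActivityMonitor()
    return [monitor.record_day(day) for day in CONSTRUCTED_DAYS]


if __name__ == "__main__":
    for day_no, result in enumerate(run_simulation(), start=1):
        print(f"day {day_no}: {'baseline/normal' if result is None else result}")
```

Days 1 to 7 return None because the baseline is still forming, day 8 returns None because its counts sit inside the baseline, and day 9 reports the modified and renamed counters. The floor matters in practice: renames average about ten per day here, so without it a handful of extra renames would already exceed three standard deviations.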

Configure the Threat Indicators alert to receive alerts when abnormal activities are detected.

Note

You can use the sAnomalyFilters additional setting to skip a path from anomaly monitoring. However, note that this additional setting does not recognize paths that include special characters (for example, the character "é"). If a special character is present in a path, you cannot use the sAnomalyFilters additional setting to skip it from anomaly monitoring.

Monitoring File Encryption Activities in Backup Jobs

Note

This applies only to Windows client computers with indexing enabled.

By default, Commvault monitors file system backup jobs to check for the possible presence of ransomware by detecting whether files have been encrypted. Ransomware sometimes changes the extensions of the files it encrypts (for example, to .ecc, .ezz, .zzz, .xyz, .abc, .ccc, .micro, or .encrypted).

For more information, see "File Extension Tab" in Threat Indicators Dashboard.

If any suspicious files are detected, they are reported as abnormal activity to the CommCell administrator by an alert and an event. Configure the Threat Indicators alert to receive alerts when abnormal activities are detected.

Note

To skip an extension from anomaly monitoring, add the sExcludeExtensions additional setting.

Monitoring File Type Anomalies in Backup Jobs

Note

This applies only to Windows client computers.

By default, Commvault checks for the possible presence of ransomware by monitoring backup jobs on client computers every 4 hours for mismatches between the file types and the file extensions of backed-up files. Commvault reads the first 36 KB of data of each file and detects any MIME type anomaly. When the number of files with MIME type anomalies exceeds 10% of the total number of files that are backed up, Commvault immediately sends an anomaly alert to the CommCell administrator and also displays an event message.

  • Configure the Threat Indicators alert to receive alerts when MIME type anomalies are detected.

  • Add the DetectMimeType additional setting to client computers to enable MIME file type check, as shown in the following table.

    For information about adding an additional setting from the CommCell Console, see Adding an Additional Setting from the CommCell Console.

    Property    Value
    Name        DetectMimeType
    Category    FileSystemAgent
    Type        Integer
    Value       1 (enabled)

  • The Threat Indicators dashboard in the Command Center displays information about the list of file type anomalies in the backup jobs. For more information, see Threat Indicators Dashboard.
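The file type check this section describes, as an added example that is not Commvault's code: each file's first 36 KB is compared against a small table of magic numbers, a file whose extension disagrees with its content counts as a MIME type anomaly, and a backup set is flagged once more than 10% of its files are anomalous. The signature table, the treatment of unrecognised headers and the sample files are assumptions constructed for this example; the 36 KB and 10% figures come from this page.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

HEADER_BYTES = 36 * 1024   # page: Commvault inspects the first 36 KB of each file
ALERT_RATIO = 0.10         # page: alert once anomalies exceed 10% of backed-up files

# Small magic-number table, constructed for this example (a real scanner
# would use a full libmagic database).
SIGNATURES: Dict[bytes, Set[str]] = {
    b"%PDF-": {".pdf"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {".doc", ".xls", ".ppt"},
}
KNOWN_EXTENSIONS = {ext for exts in SIGNATURES.values() for ext in exts}


def sniff_type(header: bytes) -> Optional[Set[str]]:
    """Extensions consistent with the header's magic bytes, or None if unrecognised."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def is_mime_anomaly(path: Path) -> bool:
    """True when the content type disagrees with what the extension claims."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        header = fh.read(HEADER_BYTES)
    expected = sniff_type(header)
    if expected is None:
        # Unrecognised bytes under an extension that promises a known format
        # (e.g. a .docx that no longer starts with a ZIP header) is the
        # pattern encryption leaves behind; unknown bytes in a .txt are not.
        return ext in KNOWN_EXTENSIONS
    return ext not in expected


def scan_backup_set(paths: List[Path]) -> Dict[str, object]:
    """Apply the 10% rule across one backup job's files."""
    anomalies = [str(p) for p in paths if is_mime_anomaly(p)]
    ratio = len(anomalies) / len(paths) if paths else 0.0
    return {"total": len(paths), "anomalies": anomalies,
            "ratio": ratio, "alert": ratio > ALERT_RATIO}


# Constructed sample content: well-formed headers for the "good" files and
# signature-less bytes, standing in for ciphertext, for the "bad" ones.
GOOD_TEMPLATES = [
    (".pdf", b"%PDF-1.7\n%constructed sample\n"),
    (".png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    (".docx", b"PK\x03\x04" + b"\x00" * 64),
    (".txt", b"plain text, no magic number\n"),
]
ENCRYPTED_LIKE = b"\x00\x00\x00\x00" + bytes(range(16, 80))


def build_sample_set(directory: Path, good: int, bad: int) -> List[Path]:
    """Write `good` consistent files and `bad` .docx files with no recognisable header."""
    directory.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(good):
        ext, body = GOOD_TEMPLATES[i % len(GOOD_TEMPLATES)]
        p = directory / f"file{i}{ext}"
        p.write_bytes(body)
        paths.append(p)
    for i in range(bad):
        p = directory / f"report{i}.docx"
        p.write_bytes(ENCRYPTED_LIKE)
        paths.append(p)
    return paths


def demo():
    """Scan a job with 1/20 anomalies (below threshold) and one with 3/20 (above).

    Returns (anomalies_quiet, alert_quiet, anomalies_noisy, alert_noisy)."""
    with tempfile.TemporaryDirectory() as tmp:
        quiet = scan_backup_set(build_sample_set(Path(tmp) / "quiet", good=19, bad=1))
        noisy = scan_backup_set(build_sample_set(Path(tmp) / "noisy", good=17, bad=3))
        return (len(quiet["anomalies"]), quiet["alert"],
                len(noisy["anomalies"]), noisy["alert"])


if __name__ == "__main__":
    print(demo())
```

The quiet set has one anomaly in twenty files (5%), so no alert is raised; the noisy set has three (15%) and trips the threshold. Extensions that should be ignored, as the sExcludeExtensions setting does on this page, would simply be skipped before calling is_mime_anomaly.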

Monitoring Backup Job Anomalies for VSA Clients (Without Guest Agents)

You can monitor for file activity anomalies for virtual machine backups without installing file system agents within the VM guest. Anomalies are triggered after backups have completed. You can view the anomalies in the Threat Indicators report. For more information, see Threat Indicators Report for Backup Job Anomalies - VSA.
