Monitoring Unusual File Activity and Ransomware Detection

The Unusual file activity panel displays information about anomalous activity on the file systems of active client computers and in backup jobs. With this panel, you can view file path information for the anomalies and track anomaly trending information. You can then recover the most recent good version of the anomalous files, or recover the entire client as a virtual machine from a point in time before the anomalous behavior. This panel provides a single location for identifying and acting on potential threats with quick and safe recovery options.

Unusual file activity occurs when a large number of files are created, deleted, modified, or renamed on a client computer, or when the number of created, modified, or deleted files in a backup job suddenly increases or decreases. These situations might indicate the presence of ransomware or other types of threats.

The anomaly thresholds are based on historical activity and machine-learning algorithms to reduce false positives from typical activity on the file system. These activities are monitored by default. To receive alerts when abnormal activities are detected, configure the File Activity Anomaly Alert.
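
The idea of a threshold derived from historical activity can be illustrated with a small baseline check. This is an added example, not Commvault code and not the product's algorithm: it assumes a simple median/MAD baseline per counter, a cutoff of 6 robust deviations, and constructed per-job file counts.

```python
from statistics import median

COUNTERS = ("created", "modified", "renamed", "deleted")

# Constructed sample: file counts per backup job for one client, oldest first.
# The last job carries a burst of modifications and renames.
JOBS = [
    {"created": 120, "modified": 310, "renamed": 4, "deleted": 15},
    {"created": 135, "modified": 290, "renamed": 6, "deleted": 12},
    {"created": 110, "modified": 330, "renamed": 3, "deleted": 18},
    {"created": 128, "modified": 305, "renamed": 5, "deleted": 14},
    {"created": 140, "modified": 320, "renamed": 4, "deleted": 16},
    {"created": 118, "modified": 298, "renamed": 7, "deleted": 13},
    {"created": 125, "modified": 9800, "renamed": 9650, "deleted": 20},
]


def robust_score(history, value):
    """Distance of value from the historical median, in robust deviations."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the scale so a very stable history does not flag tiny changes.
    scale = max(1.4826 * mad, 0.1 * med, 1.0)
    return (value - med) / scale


def detect(jobs, min_history=5, threshold=6.0):
    """Return (job_index, counter, direction) for each out-of-baseline count."""
    findings = []
    for i in range(min_history, len(jobs)):
        for counter in COUNTERS:
            # Baseline uses only jobs that ran before the one being scored.
            history = [job[counter] for job in jobs[:i]]
            score = robust_score(history, jobs[i][counter])
            if abs(score) >= threshold:
                direction = "increase" if score > 0 else "decrease"
                findings.append((i, counter, direction))
    return findings


if __name__ == "__main__":
    for finding in detect(JOBS):
        print(finding)
```

Because the score is signed, the same check reports a sudden drop in a counter as well as a sudden rise, matching the increase-or-decrease condition described for backup jobs.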

Where to Access the Panel

You can view the Unusual file activity panel in the Command Center.

Note: To view the Unusual file activity panel, both the client and the CommServe computer need to be at Feature Release 11.23 or higher.

Who Can View the Panel

The Unusual file activity panel for file and backup job anomalies is available to tenant administrators as well as to users who have the necessary permissions on the client computer with the anomaly.

What Is Monitored

  • Windows clients that have the file system package installed can be monitored for unusual activity on the file systems and in backup jobs.

  • Linux clients can be monitored for unusual activity in backup jobs.

  • Network shares can be monitored for unusual activity in backup jobs.

  • VSA and non-file system clients can be monitored if the file system package is installed in restore-only mode.

What You Can View in the Panel

The following table includes descriptions for all the columns in the Unusual file activity panel.

| Column | Description |
| --- | --- |
| Client name | The client computer. When you click the client computer, the following detailed reports are available: You can use the reports to analyze the statistics. |
| File anomaly type | The type of anomalous activity, such as the following: Creation, Modification, Renaming, Deletion. |
| Created files | The number of files that were created at the detected time. |
| Renamed files | The number of files that were renamed at the detected time. |
| Deleted files | The number of files that were deleted at the detected time. |
| Modified files | The number of files that were modified at the detected time. |
| Detected time | The time when the anomaly was detected. |
| Actions | Click the action button, and then select one of the following options: To recover a client from the client list on the panel, as a VM, click Recover as VM. To remove a client or multiple clients from the client list on the panel, click Clear anomaly. |