Solved

Anti-ransomware on some FS backed-up clients


Userlevel 1
Badge +5

Hello all,

 

I would like to add some anti-ransomware practices to my CommCell.

I’ve read 

and

https://documentation.commvault.com/commvault/v11_sp20/article?p=7879_1.htm

 

My first need is to monitor a specific client computer group: honeypot and file activity anomaly alerts.

 

For now I’ve set a file activity alert through the CommCell Console:

  • Went to Home / Alert
  • To keep the original one untouched as a reference, I added a new one with the same parameters: category Operation / type Event Viewer Events, selected the wanted client computer group, alert criteria on event code equals “7:211|7:212|7:293”, mail notification, no token criteria, selected the users to notify, and Finish

 

From documentation:

File activities on the client computer are checked every 5 minutes and any abnormal activity is reported to the administrator by an alert and an event. For the first 7 days, the client computer is monitored and analyzed for day-to-day activity. After 7 days, a baseline of file activities is established, and alerts and events are sent to the administrator when a large number of abnormal file activities is detected.

Up to 30 days of file activities are maintained in a database (Folderwatcher.db) on the client computer for use by the monitoring algorithm.

 

===

 

At this point I don’t know what is checked, especially for the honeypot feature, as I don’t have any explicit configuration for this.

 

Does anyone have experience with that?

 

Thanks in advance community!

 

Regards.

Best answer by JBuratti 30 June 2021, 18:17

11 replies

Userlevel 2
Badge +3

On clients where the Windows File System Core package is installed, the CVD process checks for file activity anomalies every 5 minutes. You can observe this in cvd.log. If the process detects a large number of changes to files, an alert is triggered.

Same process for the honeypot file: if any modification to the honeypot file is detected, an alert is triggered. The file is located under <Installation Path>:\Program Files\Commvault\ContentStore\iDataAgent\JobResults

The alert received in an email will contain a link and when you click on the link, it will take you to the File Activity Anomaly Report.
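The reply above describes two separate checks on a Windows client: a learned baseline of file-change volume, evaluated every 5 minutes, and a honeypot file that legitimate users never touch. The following Python is an added illustration of both ideas and is not Commvault's code, nor its actual anomaly algorithm (which the thread does not disclose). The 7-day learning window and 30-day retention are taken from the documentation quoted in the opening post; the 4-sigma rule, the floor of 50 changes per interval, the sample history and the canary bytes are constructed assumptions.

```python
"""Baseline + honeypot illustration for the File Activity Anomaly discussion.
Added example with constructed data; not Commvault code and not its real algorithm."""
import hashlib
import statistics

INTERVAL_MIN = 5
BASELINE_INTERVALS = 7 * 24 * 60 // INTERVAL_MIN     # 7 days of 5-minute intervals (2016)
RETENTION_INTERVALS = 30 * 24 * 60 // INTERVAL_MIN   # keep at most 30 days, like Folderwatcher.db


def build_baseline(history):
    """Return (mean, stdev) of per-interval change counts once 7 days exist, else None."""
    if len(history) < BASELINE_INTERVALS:
        return None                                  # still in the learning period
    window = history[-RETENTION_INTERVALS:]
    return statistics.mean(window), statistics.pstdev(window)


def is_anomalous(count, baseline, sigmas=4.0, floor=50):
    """True when `count` is far above the learned baseline.

    `sigmas` and `floor` are assumed tuning constants: the floor keeps a nearly
    idle baseline from turning a few dozen ordinary edits into an alert.
    """
    if baseline is None:
        return False                                 # no alerts while learning
    mean, sd = baseline
    return count > max(floor, mean + sigmas * sd)


def honeypot_digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def honeypot_modified(current: bytes, known_digest: str) -> bool:
    """The canary is never edited legitimately, so any change in its hash means tampering."""
    return honeypot_digest(current) != known_digest


# Constructed data: a quiet workstation (0-10 changes per interval) for 7 days,
# then one interval in which a ransomware run rewrites 900 files.
SAMPLE_HISTORY = [(i * 7) % 11 for i in range(BASELINE_INTERVALS)]
CANARY_ORIGINAL = b"dummy spreadsheet content"       # stands in for the random-named .xls
CANARY_ENCRYPTED = b"\x8f\x1a\x00garbage written by the encryptor"


def run_demo():
    """Evaluate one quiet interval, one burst interval, and the canary before/after tampering."""
    baseline = build_baseline(SAMPLE_HISTORY)
    known = honeypot_digest(CANARY_ORIGINAL)
    return {
        "quiet_interval": is_anomalous(7, baseline),
        "burst_interval": is_anomalous(900, baseline),
        "canary_untouched": honeypot_modified(CANARY_ORIGINAL, known),
        "canary_encrypted": honeypot_modified(CANARY_ENCRYPTED, known),
    }


if __name__ == "__main__":
    for name, fired in run_demo().items():
        print(f"{name}: {'ALERT' if fired else 'ok'}")
```

The honeypot check is deliberately independent of the statistics: a single write to the canary is conclusive on its own, whereas the volume check needs a baseline and stays silent during the learning period, which matches the 7-day behaviour described in the documentation.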

 

Userlevel 1
Badge +5

Hello, thanks for your interest.

You mean this already works like this natively? Without any configuration?

You mentioned the Windows platform, but Windows only? What about Mac or Linux?

Userlevel 4
Badge +13

@Sandip Domadia What file is the honeypot file? The one named with letters and numbers?

 

//Henke

Userlevel 3
Badge +4

@f-red 

Yes, this alert is configured out of the box and no additional configuration is needed. At the moment this is only supported for Windows clients, but Linux/Mac support is on the roadmap.

 

@Henke 

Yes, the honeypot file is the .xls file with random letters and numbers in the file name.

Userlevel 1
Badge +5

@JBuratti Ok, that’s clearer to me, thanks. Is there a documentation entry where we could see the roadmap? That’s a general-interest question, including the need to see whether there is a time estimate for anti-ransomware features to be ported to Mac / Linux.

Userlevel 1
Badge +5

@JBuratti For now the alerts are client-wide and admin-only, which makes sense for admins. In my case, I want to target different client computer scopes (grouped in client groups) and notify other people: the first use case is to monitor this file activity for our internal laptops and notify the security team, who are not Commvault masters/admins.

Am I on the right track with the creation of the dedicated alert I described in my opening post?

 

Thanks.

Userlevel 1
Badge +5

@JBuratti Is there something similar to monitor VMs? Like incremental trends? And/or a honeypot file through VMware Tools when available?

The question is to provide some change monitoring on VMs too.

Userlevel 3
Badge +4

@f-red 

Although I stated that Linux support for file anomaly detection is on the roadmap, I am unaware of the exact Feature Release in which this will be available.

You can configure your environment with multiple copies of the alert, each one specifying a client group and sending to the relevant users. I would still suggest keeping the default alert for all clients as originally configured, as a “master” alert.

This alert currently only monitors Windows clients with at least the File System Core package installed locally on that machine. Technically you can install this package on each VM, but there is no monitoring available through VMware Tools.

Userlevel 1
Badge +5

@f-red

Technically you can install this package on each VM, but there is no monitoring available through VMware Tools

Ok, agent, not VMware Tools.

Is it possible to trigger alerts on the last incremental change rate, for example? Or something approaching that idea?

More generally, is it possible to trigger alerts on a report result?

 

Userlevel 1
Badge +5

@JBuratti On https://documentation.commvault.com/11.24/expert/7877_ransomware_protection.html:

Am I right to understand that even if I’m able to see the File Activity Anomaly Report (I’ve downloaded and installed it) and the Unusual File Activity dashboard, I may be missing the full installation / features of ransomware protection until I install this app?

 

I’m on v11 SP23.

 

Userlevel 3
Badge +4

@f-red 

The link you referenced relates to two similar but separate features. Throughout most of this thread we were talking about ransomware “monitoring” and the related File Activity Anomaly alert.

To recap, this basically monitors the activity on any Windows client and sends an alert to the specified user if any activity beyond the baseline is detected.

There is also the separate ransomware “protection” feature. This is protection of your library mount paths from being infected. It is separate from the individual client monitoring. When enabled, it basically locks down the mount paths, allowing only the account specified in Commvault to write, modify or delete files on those paths.

The app referenced in the link is an automation tool to enable this ransomware protection on each MediaAgent. You do not “need” this app to enable the feature, as you can also enable it manually on each MediaAgent in your environment.

Please refer to the following link for more information on mount path protection from ransomware:

 - https://documentation.commvault.com/11.24/expert/9400_ransomware_protection_for_disk_libraries_on_windows_mediaagent.html

 

In relation to your prior question regarding alerts on the incremental change rate, you seem to have answered your own question with your next post. The Unusual File Activity Report/Dashboard would show this, but unfortunately it is only available in FR23+. If you are below this version then it is not yet available to you unless you upgrade.
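The mount-path lockdown described in the answer above restricts writes to the account specified in Commvault. As an added example (not Commvault's code, and not how its protection feature is implemented), the following Python audits the text that `icacls <path>` prints on a Windows MediaAgent and lists every principal that still holds a write-capable right and is not on an operator-supplied allow list. It gives an independent check that no unexpected principal can write to a library mount path. The path `D:\CVLibrary`, the account `CONTOSO\svc_commvault`, the sample listing, and the decision to allow-list `NT AUTHORITY\SYSTEM` are all constructed assumptions.

```python
"""Audit icacls output for principals that can write to a library mount path.
Added example with constructed input; not Commvault code and not its protection mechanism."""
import re

# Rights that allow creating, changing or deleting files: the simple rights
# (F, M, W, D) and the granular ones icacls prints in a comma-separated group.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WEA", "WA", "DE", "DC"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# One ACE looks like  DOMAIN\name:(OI)(CI)(F)  or  BUILTIN\Users:(CI)(WD,AD)
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)\s*$")


def parse_icacls(output: str, path: str):
    """Return a list of (principal, inheritance_flags, rights, is_deny) for each ACE."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):                    # the first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        is_deny = "DENY" in groups
        flags = {g for g in groups if g in INHERITANCE_FLAGS}
        rights = set()
        for g in groups:
            if g in INHERITANCE_FLAGS or g == "DENY":
                continue
            rights.update(t.strip() for t in g.split(","))
        aces.append((m.group("who"), flags, rights, is_deny))
    return aces


def unexpected_writers(output: str, path: str, allowed: set):
    """Principals outside `allowed` that hold any write-capable right (deny ACEs are skipped)."""
    findings = []
    for who, _flags, rights, is_deny in parse_icacls(output, path):
        if is_deny or who in allowed:
            continue
        granted = rights & WRITE_RIGHTS
        if granted:
            findings.append((who, sorted(granted)))
    return findings


# Constructed sample: what `icacls D:\CVLibrary` might print on a MediaAgent.
SAMPLE_PATH = r"D:\CVLibrary"
SAMPLE_ICACLS = r"""D:\CVLibrary CONTOSO\svc_commvault:(OI)(CI)(F)
             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
             BUILTIN\Administrators:(OI)(CI)(F)
             BUILTIN\Users:(OI)(CI)(RX)
             BUILTIN\Users:(CI)(WD,AD)
             Everyone:(DENY)(OI)(CI)(W)

Successfully processed 1 files; Failed processing 0 files
"""
# Assumed allow list: the Commvault service account plus SYSTEM.
ALLOWED = {r"CONTOSO\svc_commvault", r"NT AUTHORITY\SYSTEM"}

if __name__ == "__main__":
    for who, rights in unexpected_writers(SAMPLE_ICACLS, SAMPLE_PATH, ALLOWED):
        print(f"unexpected write access: {who} -> {', '.join(rights)}")
```

Run against a real listing, the check flags `BUILTIN\Administrators` holding Full control and the `(CI)(WD,AD)` entry that lets ordinary users create files in subfolders, while leaving the read-only `(RX)` entry and the deny ACE alone. Which principals belong on the allow list is an operator decision; the example only makes the remaining write paths visible.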
