Question

File Activity Anomaly Alert

  • 25 November 2022
  • 12 replies
  • 1072 views

Badge +1

I’m running 11:28.24 and don’t initially mind if a suspicious file is identified. However if,after due investigation, I am satisfied that the identified file is okay, is there a way of marking to file ‘good’ so that the same suspicious file is not reported over and over again and thus risking the ‘cry wolf’ scenario?

 

File Activity Anomaly Alert 
•    Description: A suspicious file 
Monitoring Criteria: (Event Code equals to 7:211|7:212|7:293|7:269|14:325|69:52)

 

 

 


12 replies

Userlevel 5
Badge +13

Hello @Graeme 

Is this an alert you are receiving in Commvault or something else like an AV Software? Can you post a screenshot of the alert?

 

Thank you,
Collin

Badge +1

It is a standard CommVault generated report (see attached). 

Userlevel 5
Badge +13

Hello @Graeme 

Based on that screenshot the File from the alert is not a Commvault file. Additionally, the file type appears to be “.enc” which I would suspect is an encryption file.

It appears the anomaly detection was successful in identifying a genuinely malicious file. I would recommend reaching out to your Security Team to investigate.

 

Thank you,
Collin

Userlevel 7
Badge +19

There are ways to whitelist, which you could consider putting into place.  @Collin Harper I assume this is definitely not a genuinely malicious file, as @Graeme posted it as legitimed. So this has to be seen as a false positive and unfortunately we still see the happening constantly :-( 

Badge +1

Appreciate the feedback. Our Security Team have already investigated this particular file so I now effectively want to stop it generating repeated alerts for the same file going forwards as I am getting swamped with emails. Is there a procedure? Very much appreciated 

Badge +1

This .HTA file has been scanned several times by our Security Team and confirm that the file is good to stay. I’ve had to remove the Team from the alerts as the same files are repeatedly identified. Effectively I need some procedure to mark that particular file as ‘good’/ignore.

Badge +1

This one has previously been checked too.

Userlevel 5
Badge +13

@Onno van den Berg Fair enough. I am only speaking from experience. The only time I’ve seen “.enc” files are when malware has infected a machine. I suppose its possible this is a legit file extension, but not in my experience.

@Graeme At this time we currently do not have any filters for Anomaly Alerts as they are generated based on behavior.

Monitoring Unusual File Activity - https://documentation.commvault.com/11.26/expert/134333_monitoring_unusual_file_activity.html

 

Thank you,
Collin

Userlevel 7
Badge +19

@Collin Harper Well I would be surprised if the bad actors are going to use specific file types which could lead to detection so I do not think looking a file extension is something which is future proof…..

If I call recall correctly this setting is the one that allows you to filter out files file paths from anomaly monitoring https://documentation.commvault.com/additionalsetting/details?name=sAnomalyFilters

 

Userlevel 1
Badge +5

Hi @Graeme,

 

As Collin mentioned we don't have the ability to exclude a single file. We can only exclude files based on extension or based on path. 

This is the link for sAnomalyFilters, to filter single or multiple paths

Additional Settings Description (commvault.com)

 

And this is the link for sExcludeExtensions

Additional Settings Description (commvault.com)

In the last description there is typo “To specify multiple paths,” must be “To exclude multiple extensions,”

 

From 11.28.23 there is also a key available to include certain extensions. Reason for this is that some extensions are hard coded by Commvault and are only updated if Commvault suspect malicious files that needs to be added for detecting, when upgrade to higher Maintenance or Feature release versions.

The key is called: sIncludeExtensions  and can be set the same as described with the sExcludeExtensions additional setting.

 

PS. I requested to have this last key also documented in our documentation.

 

Hope it helps!!

Kind regards,

Remi

Userlevel 7
Badge +19

Thanks for the clarification @Remi Sprangers and the detailed explanation! 

Userlevel 5
Badge +13

Hello @Remi Sprangers thank you for the clarification. I, nor my colleagues I consulted with were aware of these keys.

@Onno van den Berg Thank you for bringing up the key in the first place. Regarding the file extension, I was suggesting that ransomware may be at play here. It’s behavior is to encrypt files so if a file has an extension of “.enc”, I would suspect ransomware encrypted it rather than a “bad” bad-actor using an obviously detectable file extension instead of something more covert. Regardless if the customer’s Security Team has investigated and confirmed all is well, I guess I am mistaken.

 

Thank you,
Collin

Reply