Solved

MediaAgent recovery after a ransomware attack (Part 2)

  • 19 September 2022
  • 13 replies
  • 226 views

Userlevel 2
Badge +12

Hello!

Following a previous archived thread about Media Agent protection, I would like to mention some additional concerns about Windows Media Agent backup.

So, in case of a ransomware attack let’s say, you are protected for the CV Deduplication Database (from system backup set), but what about:

  • Cache directory
  • Index Cache directory
  • Job results directory

What’s the best practice to protect them?
Are they really mandatory components for a Media Agent restore in order to be able to start VM, o365 etc restore jobs?

Thank you in advance,
Nikos

Best answer by Jordan 1 October 2022, 00:29

Userlevel 7
Badge +23

Job Results are temporary only or used for staging (in some O365 backups) but nothing you’d need historical data for, so not really necessary. It’s not that you can’t or shouldn’t. More so, if you have an older copy of it and restore it to a rebuilt Media Agent, I’m not sure how often it will be helpful (though others might have some insight/experience).

For the “Cache” directory, are you referring to the Software cache? No real need to back it up. You can just download it anew, though if you ABSOLUTELY need an older version, then perhaps it’s a worthwhile effort (depending on your use case).

For the Index Cache, we can back up v2 Index Cache data to protect you from disasters:

https://documentation.commvault.com/2022e/expert/10784_index_backup_operations_indexing_version_2.html

If you’re still on v1 Indexing, here’s the docs to convert the clients to v2:

https://documentation.commvault.com/2022e/expert/10812_migration_of_clients_to_indexing_version_2.html

Userlevel 4
Badge +10

So far I have never had a reason to back up the MediaAgents.

The DDBs and Index (v2) are automatically added to backups - unless you have modified these schedules. These are the only items that need protecting. These are not part of the System State backup but a dedicated DDB Backup subclient that will use snapshots to get a consistent copy.

The v1 indexing is automatically rebuilt from the old backups when they are missing so these are also automatically protected along with every backup job.

As Mike says, others may see it differently but outside of the DDB and Index backups nothing else is needed.

Userlevel 2
Badge +12

Dear @Graham Swift @Mike Struening,

I'm not sure which answer to mark as “Best answer” :)

Thank you both very much, your replies are very useful, and I think that all of us must be prepared for these kinds of “disasters” with so many ransomware attacks.

Also one last thing, is there any documentation / best practices about the steps that you must follow for a Windows MA restore?

Have a nice day :)

Userlevel 7
Badge +23

I say mark @Graham Swift’s as the Best Answer 😁

For a Media Agent rebuild, you can follow this doc:

https://documentation.commvault.com/2022e/expert/11069_mediaagent_hardware_refresh_overview.html

This covers pretty much every scenario!

Userlevel 2
Badge +12

Also, another interesting fact that I found recently is that DDB is not required in case of a data restore.

Even if the MA that has the DDB is offline (from a ransomware attack), you can still restore your data without the DDB being online! You will need your DDB for new backups in order to save storage space.

Userlevel 7
Badge +23

That's right!  The DDB is only needed for backups and data aging/pruning.

Userlevel 2
Badge +12

Dear @Mike Struening and @Graham Swift,

Just to be sure, apart from protecting the DDB, I think the Index is protected by the Schedule Policy called “System Created for Index Backups”, right?

And its location is in Media Agent Properties → Catalog, right?

Thank you in advance,
Nikos

Userlevel 7
Badge +23

That’s it!

Userlevel 2
Badge +12

@Mike Struening It is confusing, because from Command Center → Manage → Infrastructure → Index Servers, I see a different directory from the CommCell Index Directory “C:\Program Files\Commvault\ContentStore\IndexCache” (previous screenshot)

Userlevel 7
Badge +23

That is very interesting…..are both actually valid on the server?

Userlevel 2
Badge +12

That is very interesting…..are both actually valid on the server?

Yes, this is from an all-in-one Commvault test environment.

From my 2 previous screenshots you can see that they are actually different index locations (probably index and index cache), so I'm trying to understand the purpose of each and what is necessary in case of a restore operation.

Userlevel 7
Badge +23

I would open a case on this one.  Let me know the incident number so I can track it 😁

Userlevel 5
Badge +11

Starting from FR26, index cache, DDB volume, job results are all protected by ransomware protection, not just the mount paths :)
