Solved

Question about honeypot files

  • 9 August 2022
  • 2 replies


Hello everyone,

I have an alert from CommVault that says:

  • Description: A suspicious file [D:\ArielDB\Customers\APS\Ariel\Sets\Prd\Temp\hwot5ftk.afd] is detected on the machine [SRV-PRDP101]. Please alert your administrator.

I read in https://documentation.commvault.com/commvault/v11_sp20/article?p=7879_1.htm that “A Honeypot file placed by Commvault mimics this user document and baits ransomware into encrypting this file.” 

This server is a virtual machine that acts as a file server for our production system and has the “restore only” client installed.  Because it is the restore only client, I believe that there’s no way for CommVault to place a honeypot file there to check for malware encryption.  Is this correct?  Is there a way to check the honeypot file(s) placed on a server by CommVault?

Ken


Best answer by Urosa 9 August 2022, 19:52


Good Afternoon,

Per our documentation, if the Restore only agent is installed.

https://documentation.commvault.com/commvault/v11_sp20/article?p=7877_1.htm

Ransomware Protection

Protecting your data from Ransomware attacks is critically important. Commvault proactively monitors the client computer for any unexpected activity and alerts the user with the type of activity.

In addition, you can secure the mount path from being accessed by external processes thereby protecting the backed up data. Commvault provides different methods to protect your data.

Storing Data in Offline Storage

We recommend that you store a copy of data in a secondary storage like Hyperscale appliance, tape or on cloud storage. These media can help in storing data in ransomware protection mode, which is not easily accessible to Ransomware attacks.

Support

  • You cannot configure Ransomware protection using the Command Center. However, you can view the File Activity Anomaly Report using the Command Center or you can also use the Enable Ransomware Protection app to monitor and turn on ransomware protection features in the CommCell Console. To download the app on the Commvault Store, see Enable Ransomware Protection.
  • You must have the File System Core Package installed on your client computer to use this feature.
  • You can configure Ransomware protection for restore-only clients in your CommCell environment. A restore-only client is a computer where you install an agent in restore-only mode if you want to use the client only as a destination to restore backup data.

Excellent, thank you.

Ken
