Random files are triggering suspicious file list

  • 11 January 2022
  • 20 replies
  • 185 views

Userlevel 1
Badge +5

In our case, we’ve gotten 2 “suspicious file” warnings over the past month, both for .rmd files, which are markdown files for the programming language “R” - [K:\Users\Slee987\0107.Rmd]

I am all for commvault monitoring and tuning itself to prevent ransomware, but I’d like some means of tweaking it or figuring out why it’s determining that these two rmd files - vs the tens of thousands of other ones on our users’ home directories in the K drive - are ‘suspicious’.


Userlevel 7
Badge +23

@ZachHeise , to confirm you are curious as to why some R markdown files get flagged, but not other R markdown files?

@DMCVault do we have any links to the IOC list you mentioned to provide any context for Zach?

Userlevel 1
Badge +5

That’s correct. Clearly commvault is not marking every .rmd file we have as suspicious as I’d have an inbox of a million. So I would just like a link to some documentation as to what logic the software is using. I could then compare it to the contents of my users’ files that are getting flagged and see if that matches.

Thanks, Mike.

Userlevel 7
Badge +23

Ok, thanks for confirming (and we don’t want a million hits to your Inbox :joy: )!

@DMCVault will know the specifics on what we can provide regarding the list itself, so I’ll defer to his wisdom.

Userlevel 5
Badge +7

We don't provide the IOC list, but we are adding features to allow customers to customize and tweak the list, including importing your own and adding exclusions.

Not sure why you are only getting a few hits on the rmd files; we would have to investigate this.

Userlevel 7
Badge +23

@ZachHeise , I moved this to its own thread for better tracking.

As per @DMCVault , can you create a support incident and share the case number with me?

He’s the top authority on the ransomware features :nerd:

Userlevel 1
Badge +5

Ah, I was wondering why I was suddenly getting so many hits for replies I’d already seen! Didn’t realize it was a new thread.

Commvault is just one of the hats I wear at work, I don’t need a ticket done for this right now - I just don’t have time.

Can you post an update in this thread so I am notified when there is official Commvault documentation for these upcoming features? Or back in the other thread this came from so the other poster can be notified too. Thanks.

This isn’t a huge deal for me right now, it’s just occasional warnings about seemingly random .rmd files for various random users. If it were a flood I’d want a solution much faster but it’s not.

Userlevel 6
Badge +15

Very interesting thread, as I’ve had tons of ‘suspect’ files, though they’re our production order files, or some Perl scripts. @DMCVault can you provide a link to docs that explains where we can customize our filters so we’re not alerted for such, please?

Badge +3

Hello,

this is my very first post in this forum, my greetings to the community.


About the current topic, we just stepped into one of these events a few hours ago; the file is imuui3ea.clf on a Microsoft SharePoint 2019 server. Interestingly, the folder containing this file is included in the malware exclusion list published by Microsoft itself.

Userlevel 7
Badge +23

That is quite interesting, @Gaetano (and welcome!!).

I just googled that file and it doesn’t show up at all... any idea if it is a valid SharePoint binary?

Badge +3

Hi all,

@Mike Struening thank you for your welcome. Honestly I can’t estimate its validity but the whole path hints that it is related to the search. Here is the path:

C:\Users\SP_SearchService\AppData\Local\Temp\ContentProcessingComponent1\imuui3ea.clf

Microsoft support recommends the following exclusions from malware scanning on SharePoint servers:

https://support.microsoft.com/en-gb/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc

Userlevel 7
Badge +23

I found a little about the folder (thanks for that piece!), and it sounds like it’s just temp data for the SP search service:

https://social.technet.microsoft.com/Forums/en-US/6a30d775-6a1d-434e-bcf4-1b2a1930f7db/cusersspserviceaccountappdatalocaltemp-has-over-30gb?forum=sharepointgeneralprevious

Now, how that file got there, I don’t know, but it is just a temp file and is likely something you can just remove.

Badge +3

Hi @Mike Struening ,

thank you, this is very useful. Just to have the complete picture, we involved the technical support of the anti-malware company we use, this will also give us a hint about whether that file is dangerous or not. If it can be useful, I will post the outcome here.


Userlevel 7
Badge +23

Greatly appreciated!!

Badge +3

Hi,

we just got news from the technical support of the anti-malware company, they confirmed that there is “nothing suspicious on the system”. That file is not harmful :relaxed:


Thank you for the support

Userlevel 7
Badge +23

Glad to hear it, @Gaetano !!!!

Userlevel 1
Badge +8

hey ho,


is there any option to disable this “monitoring” for a client?

Badge +2

@SSchmidt 


Unfortunately, I do not find an option to disable it entirely; however, the following BOL doc provides details on being able to adjust the frequency of the checks, as well as being able to exclude paths and file extensions via two Additional Settings that are set on each client:

Monitoring File Anomalies On Client Computers (commvault.com)

For the “Exclusion” additional settings, you need to be on FR24.38 or higher at both the CommServe and the Client.


Hope that helps

Userlevel 1
Badge +8

@Scott Sheldon 


I have found another key: DisableFileIOMonitor


https://documentation.commvault.com/additionalsetting/details?name=DisableFileIOMonitor

Badge +2

@SSchmidt 


Good catch. Didn’t have a chance to look deeper yesterday. That should do what you are intending.

Userlevel 2
Badge +5

hey ho,


is there any option to disable this “monitoring” for a client?

The Additional Setting DisableFileIOMonitor did the trick for me back in FR20; not sure if it still works in newer releases. In SP14 the key was EnableFileIOMonitor, just to confuse things :-)