+9
In our case, we’ve gotten 2 “suspicious file” warnings over the past month, both for .rmd files which are for markdown files programming language “R” - [K:\Users\Slee987\0107.Rmd]
I am all for commvault monitoring and tuning itself to prevent ransomware, but I’d like some means of tweaking it or figuring out why it’s determining that these two rmd files - vs the tens of thousands of other ones on our users’ home directories in the K drive - are ‘suspicious’.
+23
+9
That’s correct. Clearly commvault is not marking every .rmd file we have as suspicious as I’d have an inbox of a million. So I would just like a link to some documentation as to what logic the software is using. I could then compare it to the contents of my users’ files that are getting flagged and see if that matches.
Thanks, Mike.
+23
Ok, thanks for confirming (and we don’t want a million hits to your Inbox 
)!
We dont provide the IOC list, but we are adding features to allow customers to customize and tweak the list including importing your own and adding exclusions.
Not sure why you are only getting a few hits on the rmd files we would have to investigate this.
+23
As per
He’s the top authority on the ransomware features 
+9
Ah, I was wondering why I was suddenly getting so many hits for replies I’d already seen! Didn’t realize it was a new thread.
Commvault is just one of the hats I wear at work, I don’t need a ticket done for this right now - I just don’t have time.
Can you post an update in this thread so I am notified when there is official commvault documentation for this upcoming features? Or back in the other thread this came from so the other poster can be notified too. Thanks.
This isn’t a huge deal for me right now, it’s just occasional warnings about seemingly random .rmd files for various random users. If it were a flood I’d want a solution much faster but it’s not.
Very interesting thread, as I’ve had tons of ‘suspect’ files though they’re our production order files, or some perl scripts.
+8
Hello,
this is my very first post in this forum, my greetings to the community.
About the current topic, we just stepped into one on these events few hours ago, the file is imuui3ea.clf on a Microsoft Sharepoint 2019 server. Interesting is that the folder containing this file is included in the malware exclusion list published by Microsoft itself.
+23
That is quite interesting,
I just googled that file and it doesn’t show up at all….any idea if it is a valid SharePoint binary?
+8
Hi all,
C:\Users\SP_SearchService\AppData\Local\Temp\ContentProcessingComponent1\imuui3ea.clfMicrosoft support recommends the following exclusions from malware scanning on Sharepoint servers
+23
I found a little about the folder (thanks for that piece!), and it sounds like it’s just temp data for the SP search service:
Now, how that file got there, I don’t know, but it is just a temp file and is likely something you can just remove.
+8
Hi
thank you, this is very useful. Just to have the complete picture, we involved the technical support of the anti-malware company we use, this will also give us a hint about whether that file is dangerous or not. If it can be useful, I will post the outcome here.
+8
Hi,
we just got news from the technical support of the anti-malware company, they confirmed that there is “nothing suspicious on the system”. That file is not harmful 
Thank you for the support
hey ho,
is there any option to disable this “monitroing” for an client ?
+2
Unfortunately, I do not find an option to disable it entirely however the following BOL doc provides details on being able to adjust the frequency of the checks as well as being able to exclude paths and file extensions via two Additional Settings that are set on each client:
Monitoring File Anomalies On Client Computers (commvault.com)
For the “Exclusion” additional settings, you need to be on FR24.38 or higher at both the Commserve and Client.
Hope that helps
I have found another key: DisableFileIOMonitor
https://documentation.commvault.com/additionalsetting/details?name=DisableFileIOMonitor
+2
Good catch. Didn’t have a chance to look deeper yesterday. that should do what you are intending.
hey ho,
is there any option to disable this “monitroing” for an client ?
Additional Setting DisableFileIOMonitor did the Trick for me back in FR20, not sure if it works in newer releases still. in SP14 Key was EnableFileIOMonitor just to confuse things :-)
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.
