Solved

Unusual File Activity panel

  • 27 July 2022

Hi Community,

I need some clarification on the Unusual File Activity panel, which is available in Command Center under Monitoring.

Link -->  Unusual File Activity Report

  1. This report/panel currently shows file-related anomalies only for Windows clients. Are there plans to add support for Unix clients as well? If yes, any ETA?

  2. How is Commvault currently dealing with file-related anomalies on Unix clients and VMs (agentless snapshot backup)?

  3. To restore a file from a client that has unusual file activity, click Recover files. – Is this option only applicable for Windows iDataAgent clients?

  4. To recover a client that has unusual file activity, as a VM, click Recover as VM.
    1. Is this option applicable only for clients with Windows iDataAgent installed? VMs (agentless VSA backup) and Unix iDataAgent clients are not applicable here?
    2. Can I recover a physical server which has file anomalies as a VM to VMware vCenter? I tried it but it didn’t work for me. What all clients are applicable for Recovery as VM?

  5. What is the best way to create file-level anomalies in a client? I created 1000s of files in lab Commserver and deleted the files after 1 day, but there were no file-related anomalies observed in the Unusual File Activity report.

Best answer by DMCVault 2 August 2022, 23:05

3 replies

@Mohit Chordia, let me see if I can get some answers for you.

Tagging in @DMCVault 

@Mohit Chordia, have you checked out this link?

https://documentation.commvault.com/11.24/essential/134333_monitoring_unusual_file_activity_and_ransomware_detection.html

What Is Monitored

  • Windows clients that have the file system package installed can be monitored for unusual activity on the file systems and in backup jobs.

  • Linux clients can be monitored for unusual activity in backup jobs.

  • Network shares can be monitored for unusual activity in backup jobs.

  • VSA and non-file system clients can be monitored if the file system package is installed in restore-only mode.

For item 1, the report is only for Windows.  If you read the above, Linux only reports on JOBS, not files, therefore it is not reflected in the report.

For item 2, the answer is in the link above.  We can monitor per OS if the file system package is installed in read-only mode.

For item 3, same as item 1.  We don’t track files for Linux, only jobs.

Item 4, check out the pre-reqs here and process here: https://documentation.commvault.com/2022e/expert/19046_virtualize_me_windows_prerequisites.html

For item 5, it’s a tough thing to answer. The algorithm that detects anomalies is proprietary and secret, so I’m not sure what you can do to trigger an alert (though others including @DMCVault might have ideas).

Take a look at the above and let me know if you have any questions.  We can definitely look to enhance the doc pages with anything unclear.

Thanks!

 

@Mohit Chordia 

Let me clarify this a bit for you:

  1. This report/panel currently shows file-related anomalies only for Windows clients. Are there plans to add support for Unix clients as well? If yes, any ETA?

    A: File anomalies are supported for Unix/Linux file systems today. The only difference is that we do not monitor in real time (live) for Linux like we do for Windows. For Linux we monitor file activity anomalies using the backup index.

  2. How is Commvault currently dealing with file-related anomalies on Unix clients and VMs (agentless snapshot backup)?

    A: Agentless in-guest VMs is something we are working on. Today you need at least a restore-only agent installed in the guest.

  3. To restore a file from a client that has unusual file activity, click Recover files. – Is this option only applicable for Windows iDataAgent clients?

    A: Applicable for Windows and Unix/Linux systems.

  4. To recover a client that has unusual file activity, as a VM, click Recover as VM.
    1. Is this option applicable only for clients with Windows iDataAgent installed? VMs (agentless VSA backup) and Unix iDataAgent clients are not applicable here?
    2. Can I recover a physical server which has file anomalies as a VM to VMware vCenter? I tried it but it didn’t work for me. What all clients are applicable for Recovery as VM?

      A: Yes, you can do P2V, but you need to follow the Virtualize Me requirements carefully.

  5. What is the best way to create file-level anomalies in a client? I created 1000s of files in lab Commserver and deleted the files after 1 day, but there were no file-related anomalies observed in the Unusual File Activity report.

    A: We have plans to add a test option within Command Center. Firstly, the server needs to be running the FS agent for at least 7 days. Reproducing file activity anomalies depends on how large the FS is, and the typical activity of the system using an ML algorithm. If there aren't enough changes occurring within the 5-minute monitoring window then it may not trigger the anomaly. It is really dependent on the system profile and typical behavior of the system - remember Windows updates alone could add and remove thousands of files, so it's possible that the change you are incurring is not enough based on typical behavior.

 

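A sketch of the reasoning in the last answer, added here as an illustration and not part of the thread: a count of file changes per 5-minute window is judged against that host's own 7-day history. The mean-plus-three-sigma rule, the function names and the sample counts are assumptions constructed for this example; they do not represent Commvault's detection algorithm, which the thread describes as proprietary.

```python
from statistics import mean, pstdev

WINDOW_MINUTES = 5  # monitoring window mentioned in the answer
MIN_BASELINE_WINDOWS = 7 * 24 * 60 // WINDOW_MINUTES  # 7 days of history = 2016 windows
K_SIGMA = 3.0  # assumed threshold for this sketch, not a Commvault setting


def classify(baseline, observed):
    """Judge one window's file-change count against the host's own history."""
    if len(baseline) < MIN_BASELINE_WINDOWS:
        return "insufficient-baseline"
    threshold = mean(baseline) + K_SIGMA * pstdev(baseline)
    return "anomalous" if observed > threshold else "normal"


def repeat_to_week(pattern):
    """Constructed history: repeat a per-window pattern to fill 7 days."""
    return [pattern[i % len(pattern)] for i in range(MIN_BASELINE_WINDOWS)]


def changes_per_window(total_files, spread_minutes):
    """Average changes per window when a test writes files over spread_minutes."""
    return total_files / max(1, spread_minutes // WINDOW_MINUTES)


# Constructed sample data (file changes per 5-minute window), not real telemetry.
QUIET_LAB_HOST = repeat_to_week([5, 8, 12, 7, 10, 6])
BUSY_HOST = repeat_to_week([200, 900, 1500, 400, 3000, 700, 2500, 1200])

if __name__ == "__main__":
    burst = changes_per_window(1000, 5)            # 1000 files inside one window
    trickle = changes_per_window(1000, 24 * 60)    # same files spread over a day
    print("quiet host, burst:  ", classify(QUIET_LAB_HOST, 8 + burst))
    print("quiet host, trickle:", classify(QUIET_LAB_HOST, 8 + trickle))
    print("busy host, burst:   ", classify(BUSY_HOST, 1300 + burst))
    print("1 day of history:   ", classify(QUIET_LAB_HOST[:288], burst))
```

The same 1000-file test is flagged only on the quiet host and only when it lands inside a single window; on a host with heavy routine churn, or with less than a week of history, it is not.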