File Activity Anomaly - Threshold values

11 June 2021

Hi Team,

For triggering of the File Anomaly alerts, is there a specific threshold value for that?
Or do we have any additional setting in which we can mention a threshold value to trigger the alerts?

Ex: Only when files modified or created or any activity are more than 10000 should I receive a File Anomaly alert.

Please let me know if we have any setting that we can limit this.

Best answer by Blaine Williams 11 June 2021, 13:49

Hi Harsha, 

Monitoring File Anomalies On Client Computers

You can monitor file anomalies on client computers.

Note: Monitoring file anomalies does not cause additional CPU load on the CommServe computer or on the client computers.

Method 1: Monitoring the Honeypot File

Commvault software automatically detects the presence of Ransomware on your client computers using the honeypot file method. Ransomware typically attacks user files such as office documents, media files, etc. The honeypot file placed by Commvault mimics such a user document and baits ransomware into encrypting this file. The ransomware check happens once every 4 hours.

Commvault software notifies the CommCell Console administrator immediately by sending an Alert and displaying an Event Message as follows:

  • The File Activity Anomaly Alert is configured by default to send out an alert notification to all the users included in the Master CommCell User Group.

    See Alerts and Notifications - Predefined Alerts for more information.

  • The following event message is displayed if the Commvault software detects the presence of Ransomware on your computer:

    An irregularity in the amount of file activity was detected on the machine [clientName]. Please alert your administrator. 

  • To control the frequency at which Ransomware check happens on your client, create the nTimer_CheckForRansomware additional setting on the client computer or the client group as shown in the following table:

    For instructions on adding the additional settings from the CommCell Console, see Add or Modify an Additional Setting.

    Property    Value
    --------    -------------------------------------------
    Name        nTimer_CheckForRansomware
    Category    QMachineMaint
    Type        Integer
    Value       0 to 4294967295 (value taken in minutes)

Method 2: Detecting File Anomalies On Client Computers

Note: Anomaly detection can be enabled on virtualized environments by installing the base Windows file system restore-only client in the virtual machine guest host. For more information, see Installation of Restore Only Agents.

A large number of files being created, deleted, modified, or renamed on your client computer can be due to the presence of Ransomware malware. These activities are monitored by default. Configure the File Activity Anomaly Alert to receive alerts when abnormal activities are detected.

File activities on the client computer are checked every 5 minutes and any abnormal activity is reported to the administrator by an alert and event. For the first 7 days, the client computer is monitored and analyzed for day-to-day activity. After 7 days, a baseline of file activities is established, and alerts and events are sent to the administrator when a large number of abnormal file activities are detected.

Up to 30 days of file activities are maintained in a database (Folderwatcher.db) on the client computer for use by the monitoring algorithm.

To view the File Activity Anomaly Report using the Command Center, see File Activity Anomaly Report.

https://documentation.commvault.com/commvault/v11_sp20/article?p=7879_1.htm

I hope this is the information you were after.
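To make the difference between the learned baseline (Method 2) and the fixed count Harsha asked about concrete, here is a small illustrative detector written for this thread. It is not Commvault's code or its actual scoring algorithm: only the schedule (5-minute windows, 7-day learning period, 30-day retention) comes from the documentation above; the median/MAD scoring rule, the `k` factor and the optional `min_events` floor are assumptions for illustration, and the sample counts are constructed.

```python
"""Illustrative baseline-vs-threshold file activity detector.
Added example for this thread; not Commvault's algorithm. Only the
5-minute window, 7-day learning period and 30-day retention are taken
from the documentation. The scoring rule (median + k * MAD) and the
optional absolute floor are assumptions made for illustration."""
from collections import deque
from statistics import median

WINDOW_MINUTES = 5
WINDOWS_PER_DAY = 24 * 60 // WINDOW_MINUTES      # 288 windows per day
LEARNING_WINDOWS = 7 * WINDOWS_PER_DAY            # 7-day learning period
RETENTION_WINDOWS = 30 * WINDOWS_PER_DAY          # 30 days of history


class FileActivityBaseline:
    def __init__(self, k=6.0, min_events=None):
        self.history = deque(maxlen=RETENTION_WINDOWS)
        self.k = k                    # assumed sensitivity factor
        self.min_events = min_events  # optional absolute floor, e.g. 10000

    def observe(self, count):
        """Feed the number of create/delete/modify/rename events seen in one
        5-minute window; return True if that window should raise an alert.
        Nothing is flagged until a full learning period has been recorded."""
        anomalous = False
        if len(self.history) >= LEARNING_WINDOWS:
            med = median(self.history)
            # Median absolute deviation: robust to the spikes we are hunting.
            mad = median(abs(x - med) for x in self.history) or 1.0
            above_baseline = count > med + self.k * mad
            above_floor = self.min_events is None or count >= self.min_events
            anomalous = above_baseline and above_floor
        self.history.append(count)
        return anomalous


def flagged_windows(counts, k=6.0, min_events=None):
    """Return the indices of the windows the detector would alert on."""
    detector = FileActivityBaseline(k, min_events)
    return [i for i, c in enumerate(counts) if detector.observe(c)]


# Constructed sample: 7 quiet days (20..59 events per window), then a
# moderate spike (5000), a quiet window, and a large spike (15000).
QUIET = [20 + (i % 40) for i in range(LEARNING_WINDOWS)]
SAMPLE = QUIET + [45, 5000, 50, 15000, 30]

if __name__ == "__main__":
    print(flagged_windows(SAMPLE))                    # both spikes flagged
    print(flagged_windows(SAMPLE, min_events=10000))  # only the 15000 spike
```

With the baseline alone both spikes are flagged; adding a 10000-event floor suppresses the smaller one, which is the behaviour a fixed threshold setting would give on top of the learned baseline.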

I found by accident an Event regarding a suspicious file, but did not get any mail though.

Might be because the event code 7:269 is not included in the predefined alert. (only those are 7:211|7:212|7:293)

regards.

Correct, if your alert criteria do not contain that alert, it will not send an email.

A similar question came up in this thread:
