Question

Again - any way to determine what makes a "suspicious file" trigger happen?

  • 16 September 2022
  • 12 replies
  • 999 views

Userlevel 2
Badge +9

In the past few months, “file activity anomaly alerts” have been exploding in my commvault warnings. Consider this thread a continuation of my previous thread here. For instance, we have Microsoft Configuration Manager use its built-in backup function to back its files/databases up twice a week to a location on our file server, and then later Commvault backs up the whole file server.

Here’s a few of the files which it always sticks on, some related to Config Manager, some random other ones

Description: A suspicious file [P:\Project\Staff\DISASTER\SCCM\SSCBackup\CD.Latest\SMSSETUP\AI\LUTables.enc] is detected on the machine

Description: A suspicious file [P:\Project\Staff\DISASTER\SCCM\SSCBackup\CD.Latest\splash.hta] is detected on the machine

Description: A suspicious file [K:\Users\Choi2\R\4.2.1\file3ea85e644f6c\spatstat.random\R\spatstat.random] is detected on the machine

Description: A suspicious file [M:\TSProfiles\Buetz.v6\.conda\pkgs\tornado-6.2-py39hb82d6ee_0\Lib\site-packages\tornado\test\test.key] is detected on the machine

I have to wonder - just how smart/dumb is the Commvault suspicious file checker? Is it really just flagging this file because it has .enc as the file extension, and .enc MIGHT mean encrypted? .random and .rmd MIGHT mean encrypted? Is that really how commvault is doing this? Is there any actual logic or smarts behind this or is it just a big ol’ database of file extensions and filenames that could be signs of ransomware, and if it sees any of those, it sends one of these emails?

The thing is, I’d love to know if there was actually evidence of ransomware/malware on my file servers, but I’d want these checks to be based on heuristic; i.e. analysis of running code’s behavior or even changes in a file’s contents (has the .random file in question changed 5% since last backup? Or has it changed 100% and is no longer recognizeable as the same file? The latter would be more worthy of an alert, I’d say - vs just the very presence of an Rmd, random, or enc file on the file system).

While I understand that some things must remain proprietary and hidden from your customers, If a commvault support person could confirm that there is, or is not, heuristic detection or analysis of files, please let me know.


12 replies

Userlevel 7
Badge +23

@ZachHeise , the Detection is based on mime type mismatch, not just the file extension.

The anomaly framework provides insights to activity and file changes that may indicate data is impacted by unauthorized changes from malware, ransomware, or other threat actors. 

However, it’s not explicitly Ransomware/Malware detection.

I’ve reached out to @DMCVault to see if he can add anything.

Userlevel 2
Badge +9

Thanks Mike, I appreciate it. if you think my team would be served with a ticket into commvault support that would actually analyze these file types that keep getting flagged, particularly the completely benign backups from Configuration Manager’s backups, let me know and I can make that ticket. It’s just frustrating to constantly have that LUTables.enc file flagged - I know I could filter that path out, or the .enc file type but like I said, i DO want to know if ransomware is spreading on my system; I hate to turn off a useful feature if it can actually be useful. I’m just getting way too many false positives right now.

Userlevel 7
Badge +23

That’s definitely a smart idea.  I know people have asked (and understabably) want to know more, though what I have above is essentially the official line.

going to support will enable the engineer to focus on YOUR hits, and escalate to dev as needed.

Let me know the case number so I can follow up.

Badge +1

Yes we are having the same issue with files in SCCM being flagged. It would be very useful to have a facility to upload files to Commvault so they can be checked and then whitelisted. This is one of the many false positives we have encountered which is making the feature not so useful.

Userlevel 2
Badge +9

@Mike Struening - the ticket is 221027-682 - sorry, got wrapped up with other projects at work; you know how it is. I eagerly await a suggestion from the support team to see how the anomaly detector can be tweaked.

Userlevel 1
Badge +3

I have the same problem.  Support engineer told me to start by installing 11.28.24, or latest (25).  I guess they added some additional smarts to the algorithm???  This is a really great tool, and the marketing group strongly leans on the detection tools.  But, a detection tool that is rife with false positives is ignored, and of no value at all.

Userlevel 2
Badge +9

Completely agree, Stephanie - I don’t want to disable this functionality at all, I just want commvault to be upfront with the fact that at least right now on v11.26.40 it’s just telling me “hey files with ransomware-ish file extensions… exist! scary!’ is all it’s currently doing.

I find it very telling that despite the fact that my Config Manager site backups every tuesday, and thursday, write about 10,000 files to our DR location (which commvault then scans) … yet the ONLY files that commvault file anomaly is warning me about, are ones with file extensions like .key and .enc - that doesn’t strike me as actually being smart about detecting malicious activity. More like just “oh hey we see these suspicious file extensions, and files are being overwritten”

Cool that your support engineer is giving you specific versions to install. Would love to hear confirmation if indeed there are major changes between 11.26 and 11.28

Userlevel 1
Badge +3

I’m not sure much major change in this regard between 11.26 and 11.28, because I am at 11.28.8, and it was suggested to get to 11.28.24.   I am doing that this weekend, so I will try to remember to update you next week.

Userlevel 2
Badge +9

Hi current vaulters (I hope Mike is enjoying retirement!)

Just wanted to see what the current File Anomaly / Suspicious File detection system has improved upon since Stephanie and I posted last year. Particularly if 2023E has added new features specific to this functionality. If there’s new documented changes that would give us better control or tuning over how excited/scared the detection system gets based on file extensions, I’d love to hear about it; just shoot a link over.

I’m still pretty tired of being notified via email every time we get a false positive. We’re still on 2022E + hotfixes but improvements to this tech would definitely be enough to make us jump at doing the next release upgrade.

Userlevel 6
Badge +14

@ZachHeise 

I'll do some digging and see what I can find for you.

There is a possibility we have to wait until official release notes are provided (eta approx 2 weeks), but i'll do some research and update.

Regards,

Chris

Userlevel 2
Badge +9

@ZachHeise 

I'll do some digging and see what I can find for you.

There is a possibility we have to wait until official release notes are provided (eta approx 2 weeks), but i'll do some research and update.

Regards,

Chris

Hi @Chris Hollis - were you able to find anything out? Thanks!

Userlevel 6
Badge +14

Hi @ZachHeise 

Very sorry for the delay, I lost my reminder for this thread.

I’ve asked a dev your query and will share feedback as soon as I get it.

Besides the ‘what’s changed articles for FR32 and FR34, I don’t think there have been any further enhancements or changes to how file anomaly works:  

https://documentation.commvault.com/2023e/expert/new_features_for_security_in_commvault_platform_release_2023e.html

https://documentation.commvault.com/2024/expert/new_features_for_security_in_commvault_platform_release_2024.html

Will keep you posted.

Regards,

Chris

Reply