In the past few months, “file activity anomaly alerts” have been exploding in my Commvault warnings. Consider this thread a continuation of my previous thread here. For instance, we have Microsoft Configuration Manager use its built-in backup function to back its files/databases up twice a week to a location on our file server, and then later Commvault backs up the whole file server.
Here are a few of the files which it always sticks on, some related to Config Manager, some random other ones:
Description: A suspicious file [P:\Project\Staff\DISASTER\SCCM\SSCBackup\CD.Latest\SMSSETUP\AI\LUTables.enc] is detected on the machine
Description: A suspicious file [P:\Project\Staff\DISASTER\SCCM\SSCBackup\CD.Latest\splash.hta] is detected on the machine
Description: A suspicious file [K:\Users\Choi2\R\4.2.1\file3ea85e644f6c\spatstat.random\R\spatstat.random] is detected on the machine
Description: A suspicious file [M:\TSProfiles\Buetz.v6\.conda\pkgs\tornado-6.2-py39hb82d6ee_0\Lib\site-packages\tornado\test\test.key] is detected on the machine
I have to wonder - just how smart/dumb is the Commvault suspicious file checker? Is it really just flagging this file because it has .enc as the file extension, and .enc MIGHT mean encrypted? .random and .rmd MIGHT mean encrypted? Is that really how Commvault is doing this? Is there any actual logic or smarts behind this, or is it just a big ol’ database of file extensions and filenames that could be signs of ransomware, and if it sees any of those, it sends one of these emails?
The thing is, I’d love to know if there was actually evidence of ransomware/malware on my file servers, but I’d want these checks to be based on heuristics, i.e. analysis of running code’s behavior or even changes in a file’s contents (has the .random file in question changed 5% since last backup? Or has it changed 100% and is no longer recognizable as the same file? The latter would be more worthy of an alert, I’d say - vs just the very presence of an Rmd, random, or enc file on the file system).
While I understand that some things must remain proprietary and hidden from your customers, if a Commvault support person could confirm that there is, or is not, heuristic detection or analysis of files, please let me know.
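The content-based check the post argues for (how much of a file changed since the last backup, and whether what replaced it now looks encrypted) as an added illustration: this is not Commvault's code and says nothing about how Commvault's checker actually works. The chunk size, the thresholds and the three sample "backup versions" are assumptions constructed for the demo.

```python
import hashlib
import math
import random
from collections import Counter

CHUNK = 64           # bytes per chunk for change tracking (assumed; small for the demo)
CHANGE_ALERT = 0.90  # share of chunks rewritten at which the file is "no longer the same file"
ENTROPY_HIGH = 7.0   # bits per byte typical of encrypted or compressed content
ENTROPY_JUMP = 2.0   # minimum entropy rise between versions to call it a conversion

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def changed_fraction(old: bytes, new: bytes) -> float:
    """Share of the new version's fixed-size chunks whose hash never occurs in the old version."""
    old_hashes = {hashlib.sha256(old[i:i + CHUNK]).digest() for i in range(0, len(old), CHUNK)}
    new_hashes = [hashlib.sha256(new[i:i + CHUNK]).digest() for i in range(0, len(new), CHUNK)]
    if not new_hashes:
        return 0.0
    return sum(h not in old_hashes for h in new_hashes) / len(new_hashes)

def assess(old: bytes, new: bytes) -> str:
    """Content-only verdict: the file name and extension are deliberately never consulted."""
    changed = changed_fraction(old, new)
    e_old, e_new = shannon_entropy(old), shannon_entropy(new)
    if changed >= CHANGE_ALERT and e_new >= ENTROPY_HIGH and e_new - e_old >= ENTROPY_JUMP:
        return "alert"   # nearly every chunk rewritten and the result now looks like ciphertext
    if changed >= CHANGE_ALERT:
        return "review"  # rewritten, but still structured low-entropy data: likely a regenerated file
    return "ok"          # substantially the same file as at the last backup

# Constructed sample "backups": a text file, a four-byte edit of it, a regenerated file with
# different text, and a version whose bytes were replaced by pseudo-random data standing in
# for ciphertext (deterministic seed so the demo is repeatable).
LAST_BACKUP = b"The quick brown fox jumps over the lazy dog. " * 40
SMALL_EDIT = LAST_BACKUP.replace(b"lazy", b"busy", 1)
REGENERATED = b"".join(b"Record %04d: status=ok\n" % i for i in range(80))
_rng = random.Random(1234)
REWRITTEN = bytes(_rng.getrandbits(8) for _ in range(len(LAST_BACKUP)))

if __name__ == "__main__":
    for label, new in [("small edit", SMALL_EDIT), ("regenerated", REGENERATED), ("rewritten", REWRITTEN)]:
        print(f"{label:11s} changed={changed_fraction(LAST_BACKUP, new):.2f} "
              f"entropy={shannon_entropy(new):.2f} verdict={assess(LAST_BACKUP, new)}")
```

A twice-weekly SCCM backup that is regenerated from scratch lands in "review" rather than "alert" because its new content is still low-entropy, which is exactly the distinction an extension-only rule cannot make.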