Skip to main content
commvault.com commvault.com
Solved

File Activity Anomaly - false alert

  • July 31, 2022
  • 6 replies
  • 1996 views
A
Novice
Forum|alt.badge.img+4

hi all

lately i received a lot of mails alert about File Activity Anomaly…

i got from one specific server alerts about 4-5 files that found a suspicious file

 

after checking the files, i deleted what i don't know, but there is few files that i know and they needed. i cant delete them.

 

how can i “white-list” them? I still need them on the server, and just need to stop the alert on this specific file.

 

is it possible? if so, how?

thanks all:)

Best answer by Scott Moseman


The “suspicious file” alert is based on extensions known to be used in ransomware attacks.

https://documentation.commvault.com/11.24/expert/7879_monitoring_file_anomalies_on_client_computers_01.html#detecting-malware-file-extensions-on-client-computers

sExcludeExtensions
https://documentation.commvault.com/additionalsetting/details?name=sExcludeExtensions

You can use the “sExcludeExtensions” additional setting to exclude “key” file extensions on the clients which are giving you the false alerts.

Thanks,
Scott
 

6 replies

M
Vaulter
Forum|alt.badge.img+10

Hi @Avior 

I do not believe that individual files can be whitelisted, but we can prevent these files from generating the alert. Can you try the following:

-In the Console → Alerts → File Anomaly Alert → Edit →Select step 3:

See below for the changes to the criteria:

Change the description to “does not contain” and add the paths to the files you wish to whitelist, separate the files with the “pipe” | character. This should prevent the detection of these files from triggering the alert.

Let me know how this goes or if you have questions. Thanks

A
Onno van den Berg
Community All Star
Forum|alt.badge.img+22

You only have the option via an additional setting to disable the functionality → DisableFileIOMonitor. Not sure if you run the latest feature release, but development is continuously enhancing this feature to reduce the amount of false positives.

A
A
Novice
Forum|alt.badge.img+4
  • AviorNovice
  • Author
  • Novice
  • August 4, 2022

Hi

thanks for your replies 

unfortunately its not works

@Matt Medvedeff  - i added the paths, but still received alert on them - u can see that in the picture that i added…

 

 

@Onno van den Berg  - if i will add this additional settings, that mean that nothing will be alerted anymore? or just make it more accurate ?

Onno van den Berg
Community All Star
Forum|alt.badge.img+22

@Avior it will disable the file anomaly feature on the client hence it will not return any results so it will stop the message from being generated. 

Can you also share the version number you are running and a screenshot of the screen that Matt added which shows the configured exclusions?

N
Scott Moseman
Vaulter
Forum|alt.badge.img+22
  • Scott MosemanVaulter
  • Vaulter
  • Answer
  • August 4, 2022


The “suspicious file” alert is based on extensions known to be used in ransomware attacks.

https://documentation.commvault.com/11.24/expert/7879_monitoring_file_anomalies_on_client_computers_01.html#detecting-malware-file-extensions-on-client-computers

sExcludeExtensions
https://documentation.commvault.com/additionalsetting/details?name=sExcludeExtensions

You can use the “sExcludeExtensions” additional setting to exclude “key” file extensions on the clients which are giving you the false alerts.

Thanks,
Scott
 

Commvault Enterprise Success
N
A
Novice
Forum|alt.badge.img+4
  • AviorNovice
  • Author
  • Novice
  • August 7, 2022

@Onno van den Berg   -  version 11.24.52

screenshot: 

 

 

@Scott Moseman  - i added this key today..thank you 
will monitor it and update :)
 

Terms & ConditionsCookie settingsAccessibility statement