Last week I installed the feature upgrade which took me from version 11.26.23 to 11.28.8.  Over the weekend I received several Alert: File Activity Alert Type: Operation emails like this that flagged over 100,000 files:

File Activity Anomaly Alert

CommCell: INF-SRVP116

Type: Operation - Event Viewer Events

Detected Criteria: Event Viewer Events

Detected Time: Fri Jul 22 22:18:19 2022

  • Event ID: 2916215
  • Monitoring Criteria: (Event Code equals to 7:211|7:212|7:293|7:269|14:325|69:52)
  • Severity: Major
  • Job ID: 528006
  • Event Date: Fri Jul 22 22:18:03 2022
  • Program: CvStatAnalysis
  • Client: inf-srvp112.apacorp.net
  • Description: Detected file type classification anomaly in job [528006] for client [INF-SRVP102]. Number of files affected [146352]. Please click here for more details.


I’m guessing that this is related to the level of activity error codes:

  • 7:211     Number of files Modified, Deleted, Renamed, and Created.
  • 7:212     An irregularity in the amount of file activity.
  • 7:293     Number of files Modified, Deleted, Renamed, and Created.
  • 69:52     Unusual File Activity

and not the actual detection of an infected file:

  • 7:269     A suspicious file is detected

I’m just curious:  Has anyone else seen a burst of these types of emails following the installation of the latest feature release?

Ken
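As an added example (not part of this thread and not Commvault code), the following Python script parses the alert e-mail layout quoted in the opening post into a structured record, annotates the event codes in the monitoring rule with the meanings listed above, and routes each alert by a local minimum-file-count threshold before it reaches a distribution list. The threshold value, the routing labels, the `route`/`summarize` helper names and the second sample e-mail are constructed assumptions; the first sample reuses the values shown in the post.

```python
"""Parse Commvault 'File Activity Anomaly Alert' e-mails and route them
by a local minimum-file-count threshold.

Added example, not Commvault code. The e-mail layout follows the alert
quoted in the thread; the threshold, routing labels and the second
sample e-mail are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Meanings of the event codes as listed in the thread. The e-mail body does
# not say which of the OR'd codes fired, so these only annotate the rule.
ACTIVITY_LEVEL_CODES = {
    "7:211": "Number of files Modified, Deleted, Renamed, and Created",
    "7:212": "An irregularity in the amount of file activity",
    "7:293": "Number of files Modified, Deleted, Renamed, and Created",
    "69:52": "Unusual File Activity",
}
SUSPICIOUS_FILE_CODES = {"7:269": "A suspicious file is detected"}

# Sample 1 reuses the values from the alert quoted in the thread.
SAMPLE_ALERT = """File Activity Anomaly Alert

CommCell: INF-SRVP116
Type: Operation - Event Viewer Events
Detected Criteria: Event Viewer Events
Detected Time: Fri Jul 22 22:18:19 2022

  • Event ID: 2916215
  • Monitoring Criteria: (Event Code equals to 7:211|7:212|7:293|7:269|14:325|69:52)
  • Severity: Major
  • Job ID: 528006
  • Event Date: Fri Jul 22 22:18:03 2022
  • Program: CvStatAnalysis
  • Client: inf-srvp112.apacorp.net
  • Description: Detected file type classification anomaly in job [528006] for client [INF-SRVP102]. Number of files affected [146352]. Please click here for more details.
"""

# Sample 2 is constructed: a low-count alert with placeholder identifiers.
SAMPLE_SMALL_ALERT = """File Activity Anomaly Alert

CommCell: COMMCELL-PLACEHOLDER
  • Event ID: EVENT-ID-PLACEHOLDER
  • Monitoring Criteria: (Event Code equals to 7:211|7:212|7:293|7:269|14:325|69:52)
  • Job ID: JOB-ID-PLACEHOLDER
  • Client: client-b.example.invalid
  • Description: Detected file type classification anomaly in job [JOB-ID-PLACEHOLDER] for client [CLIENT-B]. Number of files affected [32]. Please click here for more details.
"""


@dataclass
class AnomalyAlert:
    commcell: str
    event_id: str
    job_id: str
    client: str
    rule_codes: list[str]   # codes in the "Event Code equals to" rule
    files_affected: int


def _field(name: str, text: str) -> str:
    """Return the value after 'Name:' (first non-space token)."""
    m = re.search(rf"{re.escape(name)}:\s*(\S+)", text)
    if not m:
        raise ValueError(f"missing field {name!r}")
    return m.group(1)


def parse_alert(text: str) -> AnomalyAlert:
    """Turn one alert e-mail body into a structured record."""
    codes_m = re.search(r"Event Code equals to ([0-9:|]+)", text)
    files_m = re.search(r"Number of files affected \[?(\d+)\]?", text)
    if not codes_m or not files_m:
        raise ValueError("not a file activity anomaly alert")
    return AnomalyAlert(
        commcell=_field("CommCell", text),
        event_id=_field("Event ID", text),
        job_id=_field("Job ID", text),
        client=_field("Client", text),
        rule_codes=codes_m.group(1).split("|"),
        files_affected=int(files_m.group(1)),
    )


def describe_rule(alert: AnomalyAlert) -> dict[str, str]:
    """Map each code in the monitoring rule to its meaning ('unknown' if
    the thread does not describe it, e.g. 14:325)."""
    return {c: ACTIVITY_LEVEL_CODES.get(c) or SUSPICIOUS_FILE_CODES.get(c, "unknown")
            for c in alert.rule_codes}


def route(alert: AnomalyAlert, min_files: int) -> str:
    """Constructed routing policy: alerts at or above the threshold go to the
    security list; smaller ones are kept in an admin log rather than dropped,
    because the rule also contains 7:269 and the mail does not say which
    code fired."""
    return "security-team" if alert.files_affected >= min_files else "backup-admin-log"


def summarize(alerts: list[AnomalyAlert], min_files: int) -> dict[str, dict]:
    """Per-client digest: alert count, largest file count, chosen route."""
    digest: dict[str, dict] = {}
    for a in alerts:
        d = digest.setdefault(a.client, {"alerts": 0, "max_files": 0, "route": "backup-admin-log"})
        d["alerts"] += 1
        d["max_files"] = max(d["max_files"], a.files_affected)
        if route(a, min_files) == "security-team":
            d["route"] = "security-team"
    return digest


if __name__ == "__main__":
    parsed = [parse_alert(SAMPLE_ALERT), parse_alert(SAMPLE_SMALL_ALERT)]
    for client, d in summarize(parsed, min_files=1000).items():
        print(client, d)
    print(describe_rule(parsed[0]))
```

Feeding the mailbox through `parse_alert` and `summarize` gives one line per client instead of one e-mail per job, which is the volume problem described in the post; the threshold only decides which list an alert reaches, so the small-count alerts remain available when a genuine "suspicious file detected" event needs to be traced back.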

Ken,  if you look at what got flagged, was it in any particular drive/directory?  146K files flagged as anomaly between backups would certainly raise a flag or 2.  


Looking at the Unusual file activity pages in the Command Center, I see files are flagged across multiple folders from C:\Program Files to C:\Users to C:\Windows.  I thought CommVault might somehow learn to accept the flagged files when I got a File Anomaly email this morning that said there were only 32 files.  When I go into Command Center and navigate to Monitoring > Unusual file activity and look at the server from the email, instead of 32 files I find over 77,000.  I’ve actually opened ticket 220727-508 to get some help cleaning this up.  There’s not much benefit to an email that says there’s 32 questionable files but then getting a list of 77,000 files to dig through.

Ken


In all honesty based on our experience this feature is "useless" as it is reporting so many false positives. We also identified performance related issues in the past in where it was influencing file processing done by specific business applications.

I would rather like to have an enhanced version of the honeypot that can be customized by users, offering the ability to set up honeypots yourself which are then watched by Commvault. Or, for example, the ability to select files/folders on selected clients that are then monitored. After selecting the files (which are known to be stale), Commvault generates signatures and puts a watchdog on those files that are being monitored.

Anyway, just some ideas…


I opened up ticket 220727-508 about this report and was told, in part:

> This Event Alert you are receiving was introduced for the first time in FR28, but Development is still working on tuning it up.

I’ve removed the internal security team from the alert distribution list and look forward to continued improvements to this feature.

Ken


Thanks for the update, @Ken_H .


Hello there, @Ken_H 

Have you heard anything from Commvault support about this?

We have begun to receive numerous alerts that have been identified as suspicious, and Microsoft SCCM and SSMS files (which, per the customer, are not malicious) are triggering multiple file anomaly warnings.


I'm aware that we can add exclusions using sExcludeExtensions, but we don't want to go that route because we'd end up spending all of our time adding exclusions despite knowing that these are false positives.


The last I heard was the comment that it was a work in progress and should get better with future releases.  I’m running 11.28.10 and am hoping things quiet down with the next maintenance release.

Ken


One improvement that will soon be available (likely in the October maintenance Release) will be the ability to define the minimum number of suspicious files to trigger MIME classification anomalies.

Keep an eye out for the release notes looking for enhancement 2384.
