commvault.com commvault.com
Solved

Numerous "File Activity Anomaly Alert" emails following upgrade to 11.28.

  • 25 July 2022
  • 8 replies
  • 1065 views
Ken_H
Rank
Userlevel 4
Badge +15

Last week I installed the feature upgrade which took me from version 11.26.23 to 11.28.8.  Over the weekend I received several Alert: File Activity Alert Type: Operation emails like this that flagged over 100,000 files:

File Activity Anomaly Alert

CommCell: INF-SRVP116

Type: Operation - Event Viewer Events

Detected Criteria: Event Viewer Events

Detected Time: Fri Jul 22 22:18:19 2022
  • Event ID: 2916215
  • Monitoring Criteria: (Event Code equals to 7:211|7:212|7:293|7:269|14:325|69:52)
  • Severity: Major
  • Job ID: 528006
  • Event Date: Fri Jul 22 22:18:03 2022
  • Program: CvStatAnalysis
  • Client: inf-srvp112.apacorp.net
  • Description: Detected file type classification anomaly in job [528006] for client [INF-SRVP102]. Number of files affected [146352]. Please click here for more details.

 

I’m guessing that this is related to the level of activity error codes:

  • 7:211     Number of files Modified, Deleted, Renamed, and Created.
  • 7:212     An irregularity in the amount of file activity.
  • 7:293     Number of files Modified, Deleted, Renamed, and Created.
  • 69:52     Unusual File Activity

and not the actual detection of an infected file:

  • 7:269     A suspicious file is detected

I’m just curious:  Has anyone else seen a burst of these types of emails following the installation of the latest feature release?

Ken

icon

Best answer by Ken_H 29 July 2022, 23:49

View original

8 replies

MFasulo
Rank
Userlevel 6
Badge +12

Ken,  if you look at what got flagged, was it in any particular drive/directory?  146K files flagged as anomaly between backups would certainly raise a flag or 2.  

Ken_H
Rank
Userlevel 4
Badge +15

Looking at the Unusual file activity pages in the Command Center, I see files are flagged across multiple folders from C:\Program Files to C:\Users to C:\Windows.  I thought CommVault might somehow learn to accept the flagged files when I got a File Anomaly email this morning that said there were only 32 files.  When I go into Command Center and navigate to Monitoring > Unusual file activity and look at the server from the email, instead of 32 files I find over 77,000.  I’ve actually opened ticket 220727-508 to get some help cleaning this up.  There’s not much benefit to an email that says there’s 32 questionable files but then getting a list of 77,000 files to dig throiugh.

Ken

Onno van den Berg
Rank
Userlevel 7
Badge +19

In all honesty based on our experience this feature is "useless" as it is reporting so many false positives. We also identified performance related issues in the past in where it was influencing file processing done by specific business applications.

I would rather like to have an enhanced version of the honeypot that can be customized by users offering the ability to setup honeypots yourself who are then being watched by Commvault. Or for example the ability that allows you to select files/folders on selected clients who are being monitored. After selecting the files (who are known to be stale) Commvault generates signatures and puts a watchdog on those file who are being monitored. 

Any just some ideas…..

Ken_H
Rank
Userlevel 4
Badge +15

I opened up ticket 220727-508 about this report and was told, in part:

> This Event Alert you are receiving was introduced for the first time in FR28, but Development is still working on tuning it up.

I’ve removed the internal security team from the alert distribution list and look forward to continued improvements to this feature.

Ken

Mike Struening RETIRED
Rank
Userlevel 7
Badge +23

Thanks for the update, @Ken_H .

https://www.linkedin.com/in/michael-struening
N
Rank
Badge +4

Hello there, @Ken_H 

Have you heard anything from Commvault support about this?

We have begun to receive numerous alerts that have been identified as suspicious, and Microsoft SCCM and SSMS files (which, per the customer, are not malicious) are triggering multiple file anomaly warnings.


I'm aware that we can add exclusions using sExcludeExtensions, but we don't want to go that route because we'd end up spending all of our time adding exclusions despite knowing that these are false positives.

 

Ken_H
Rank
Userlevel 4
Badge +15

Hello there, @Ken_H 

Have you heard anything from Commvault support about this?

We have begun to receive numerous alerts that have been identified as suspicious, and Microsoft SCCM and SSMS files (which, per the customer, are not malicious) are triggering multiple file anomaly warnings.


I'm aware that we can add exclusions using sExcludeExtensions, but we don't want to go that route because we'd end up spending all of our time adding exclusions despite knowing that these are false positives.

 

The last I heard was the comment that it was a work in progress and should get better with future releases.  I’m running 11.28.10 and am hoping things quiet down with the next maintenance release.

Ken

Steven Robinson
Rank
Userlevel 3
Badge +5

One improvement that will soon be available (likely in the October maintenance Release) will be the ability to define the minimum number of suspicious files to trigger MIME classification anomalies.

Keep an eye out for the release notes looking for enhancement 2384.

“I did then what I knew how to do. Now that I know better, I do better.” ― Maya Angelou

Reply


Terms & ConditionsCookie settings