Solved

Ransomware Honeypot detection - Is this on by default?

  • 10 September 2021
  • 1 reply
  • 1740 views

Userlevel 2
Badge +6

Hi Commvault-people,

 

We are about to configure Mount-path protection against ransomware.

When I was reading up, I noticed this url:-

 

https://documentation.commvault.com/commvault/v11_sp16/article?p=7879_1.htm

 

Which states that “ Commvault software automatically detects the presence of Ransomware on your client computers using the honeypot file method. The Ransomware check happens once in 4 hours”.

 

But is anyone able to confirm whether this is switched on by default, or does it need enabling?

I know that the word “automatic” would suggest so but I would like confirmation if possible.

 

It’s not a bad pitch to the customer if it’s already on and working etc, especially as its a bit of a buzz-word these days especially in corporate and IT security circles.

 

 

Actually - there is a second question for anyone in the know.

 

https://documentation.commvault.com/commvault/v11_sp16/article?p=9400_1.htm

Commvault states that it protects against Ransomware on the Mount Paths by only allowing Commvault process to write to the Mount Paths. So Commvault and nothing else.

 

But is that specifically protecting against Ransomware or everything that would potentially write?

 

Thanks again ….

 

 

icon

Best answer by Damian Andre 10 September 2021, 07:52

View original

1 reply

Userlevel 7
Badge +23

Hey @MountainGoat,

Yes the honey pot file anomaly detection is on by default - and we sure have seen it triggered in ransomware events!

The mount path protection feature disables write from any process that isn't commvault. This way there is no need to play cat and mouse with new ransomware variants. Generally this does not cause any issues, and we recommend disabling virus scanning on mount paths anyway.

 

Hope that helps!

Reply