Hi, in case of a ransomware attack (which I hope will never happen), what is the best way to determine what is the last good backup on disk that I have and that is suitable for restore (not encrypted by hackers or contaminated by malware)? Do I need to do a restore in an isolated environment and then run antivirus until I have found the last “good one”? Or is there a better way? I have heard that malware can already be on servers weeks before the actual attack or whatever. Thanks
I’d love
File monitoring is a good start for physical clients - it should be enabled by default and places a honeypot file on the client. When it gets modified it will trigger an alert in the CommCell and you know your prior backup should be good.
But a good way is to simply check the size of your backups. When malware encrypts your data, it won't match previous signatures and should result in a much higher backup size, especially on an incremental. That is a good sign that the backup contained changed (presumably encrypted) data. Commvault has built-in size anomaly alerts as well to detect this, but you should also see it in the job history.
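The size-anomaly check described in the reply above, worked through as an added example (this is not code from the thread or from Commvault): each incremental is compared against the median size of the earlier, unflagged incrementals, a jump beyond a chosen ratio is flagged, and the job just before the first flagged one is reported as the last good candidate. The job records, the field names and the 3x ratio are assumptions for illustration; in practice the same logic would be fed from exported job history.

```python
from statistics import median

# Constructed sample of backup job history, not real Commvault output:
# (job_id, backup_level, application_size_bytes)
SAMPLE_JOBS = [
    (101, "Full", 500 * 1024**3),
    (102, "Incremental", 8 * 1024**3),
    (103, "Incremental", 9 * 1024**3),
    (104, "Incremental", 7 * 1024**3),
    (105, "Incremental", 10 * 1024**3),
    (106, "Incremental", 180 * 1024**3),  # sudden jump: mass-rewritten data
    (107, "Incremental", 190 * 1024**3),  # stays high while encryption continues
]


def flag_size_anomalies(jobs, ratio=3.0, min_history=3):
    """Return ids of incrementals larger than `ratio` x the median of earlier clean incrementals.

    Flagged jobs are kept out of the baseline so that a second oversized
    incremental is still compared against the pre-anomaly sizes.
    """
    flagged = []
    baseline = []
    for job_id, level, size in jobs:
        if level != "Incremental":
            continue  # fulls are expected to be large; only incrementals are compared
        if len(baseline) >= min_history and size > ratio * median(baseline):
            flagged.append(job_id)
            continue
        baseline.append(size)
    return flagged


def last_good_job(jobs, flagged):
    """Return the id of the job immediately before the first flagged job (None if nothing flagged)."""
    if not flagged:
        return None
    ids = [job_id for job_id, _, _ in jobs]
    first_bad = ids.index(flagged[0])
    return ids[first_bad - 1] if first_bad > 0 else None


if __name__ == "__main__":
    bad = flag_size_anomalies(SAMPLE_JOBS)
    print("flagged jobs:", bad)                          # [106, 107]
    print("last good candidate:", last_good_job(SAMPLE_JOBS, bad))  # 105
```

The result is a candidate, not proof: a legitimate bulk change (a database reload, a large migration) produces the same spike, so the flagged job still needs the isolated-restore validation discussed later in the thread.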
The unusual file activity dashboard provides insights into anomalous data changes, then allows you to recover pre-anomalous data automatically. This is available in 1123 and above. We have big plans to expand on this even further with more workloads, deeper threat analysis capabilities and other monitoring insights.
We do see a common thread with our customers wherein after ransomware containment they would recover to an isolated environment to scan and validate before moving into production. This is why we are putting focus on data change insights that help drive more efficient recovery scenarios.
As
Our experience with the recently introduced "Unusual file activity” feature is not that great. It is too trigger-happy and we already opened a few tickets related to performance issues. Now I hope this is still work-in-progress and that we can expect enhancements. Instead of monitoring how it is currently done I think really looking at the data would deliver more targeted information, e.g. find ways to really identify that ransomware is active.
B.t.w. to test it yourself you could think of writing a script that generates dummy data with known file types followed by a registration of the file checksum. Now create backups continuously and restore the data afterwards and recheck the checksum once more. In case of a change you send out an alert. The script execution can be kicked off using pre/post script execution.
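The canary-file procedure from the post above, as an added example that is not part of the original thread and not Commvault's own tooling: dummy files with known types are generated, their SHA-256 checksums are written to a manifest (the pre-backup step), and after a restore the same manifest is checked against the restored files (the post-restore step). The file names, the chosen magic bytes and the temp directory used in `demo()` are assumptions for illustration; the manifest path and the "encrypted" overwrite in the demo are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumed set of common user-file types; the leading bytes mimic each format's header
# so the canaries look like ordinary documents rather than obvious test data.
CANARY_TYPES = {
    ".docx": b"PK\x03\x04",
    ".pdf": b"%PDF-1.4\n",
    ".jpg": b"\xff\xd8\xff\xe0",
    ".txt": b"",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_canaries(root: Path, per_type: int = 2, size: int = 4096) -> dict:
    """Pre-backup step: write deterministic dummy files, return {relative_path: sha256}."""
    manifest = {}
    for ext, magic in CANARY_TYPES.items():
        for i in range(per_type):
            p = root / f"canary_{i}{ext}"
            # Deterministic body so the canary set is reproducible across runs
            filler = hashlib.sha256(f"{ext}{i}".encode()).digest()
            p.write_bytes(magic + filler * (size // len(filler)))
            manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_restore(root: Path, manifest: dict) -> list:
    """Post-restore step: return canaries that are missing or whose checksum changed."""
    bad = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists() or sha256_file(p) != expected:
            bad.append(rel)
    return bad


def demo():
    """Run the whole cycle in a temp dir; returns (clean_result, tampered_result)."""
    root = Path(tempfile.mkdtemp())
    try:
        manifest_path = root / "canary_manifest.json"
        save_manifest(create_canaries(root), manifest_path)
        manifest = load_manifest(manifest_path)
        clean = verify_restore(root, manifest)          # [] : restore matches
        # Constructed tamper: overwrite one canary as an encrypting process would
        (root / "canary_0.pdf").write_bytes(b"CONSTRUCTED-ENCRYPTED-BLOB")
        tampered = verify_restore(root, manifest)       # ["canary_0.pdf"]
        return clean, tampered
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Wired into pre/post script execution, `create_canaries` plus `save_manifest` run before the backup and `verify_restore` runs after a test restore; any non-empty result is the alert condition, and the manifest itself should live outside the data path the backup covers so it cannot be rewritten alongside the canaries.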