Skip to main content
commvault.com commvault.com
Answer

Commvault Infrastructure – Immutability and Ransomware Protection Configuration

  • July 17, 2025
  • 1 reply
  • 83 views
Manics.mca
Forum|alt.badge.img+4

Dear Team,

 

We have recently built a Commvault infrastructure with the following configuration:

  • CommServe: Virtual machine running Windows Server 2025

  • Media Agent: Physical server with locally attached disks, running Oracle Linux 8.8

Mount Paths Configuration for DDB and Disk Library:

  

/dev/mapper/ol-opt_commvault_dbb xfs 600G 22G 579G 4% /opt/commvault/dbb /dev/mapper/ol-data_commvault_disklib xfs 11T 4.9T 6.2T 44% /data/commvault/disklib

 

We would like to know how to enable immutability (WORM) on the disk library, mount path, or at the storage policy level.

 

Additionally, we have enabled ransomware protection, but it still shows as disabled in the Media Agent properties.

 

Below is the current SELinux status of the Media Agent server:

[root@MediaAgent64]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33

Kindly advise on how to proceed to enable immutability and ensure ransomware protection is fully activated.

Thank you.

 

Regards

Mani D

Best answer by sbhatia

Hi Mani, 

Steps that you can try:

1. Enable Immutability (WORM) on Disk Library
Open Commvault Command Center.
Go to Storage > Disk.
Select your disk library (e.g., /data/commvault/disklib).
On the Configuration tab, locate the WORM section.
Toggle WORM storage lock to enable it.
Set the Retention period (this defines how long data remains immutable).
Confirm any prompts as required.
Save the settings.

Note: Immutability can’t be removed or retention shortened once enabled. Plan retention carefully.

2. Enable Ransomware Protection on Media Agent (Linux)
SSH into your Media Agent server.
Stop Commvault services: commvault stop
Change directory to MediaAgent installation: cd /opt/commvault/MediaAgent64
Enable protection using: ./cvsecurity.py enable_protection -i Instance001
Reboot the server.

3. Additional Verification (if Needed)
After reboot, if protection still appears disabled:
./cvsecurity.py protect_meta_data -i Instance001

./cvsecurity.py restart_cv_services -i Instance001

Check in Command Center under MediaAgent Properties that ransomware protection now shows as enabled.

1 reply

sbhatia
Vaulter
Forum|alt.badge.img+9
  • sbhatiaVaulter
  • Vaulter
  • Answer
  • July 17, 2025

Hi Mani, 

Steps that you can try:

1. Enable Immutability (WORM) on Disk Library
Open Commvault Command Center.
Go to Storage > Disk.
Select your disk library (e.g., /data/commvault/disklib).
On the Configuration tab, locate the WORM section.
Toggle WORM storage lock to enable it.
Set the Retention period (this defines how long data remains immutable).
Confirm any prompts as required.
Save the settings.

Note: Immutability can’t be removed or retention shortened once enabled. Plan retention carefully.

2. Enable Ransomware Protection on Media Agent (Linux)
SSH into your Media Agent server.
Stop Commvault services: commvault stop
Change directory to MediaAgent installation: cd /opt/commvault/MediaAgent64
Enable protection using: ./cvsecurity.py enable_protection -i Instance001
Reboot the server.

3. Additional Verification (if Needed)
After reboot, if protection still appears disabled:
./cvsecurity.py protect_meta_data -i Instance001

./cvsecurity.py restart_cv_services -i Instance001

Check in Command Center under MediaAgent Properties that ransomware protection now shows as enabled.

Lukas3D
Terms & ConditionsCookie settingsAccessibility statement