Ransomware Disklibrary

  • 24 August 2022
  • 4 replies

Userlevel 2
Badge +12

Hi All,


we had an internal discussion for new customers what Library is the best way. Often we are running Windows Cluster withs csv volumes or windows filecluster or single servers with san attached storage. 


In the past there are a lot of problems with the ransomware on CSV an Filecluster. 


Do you have some more information wich way should be good or better to prevent redirected I/O in cluster and also errors during maintanance ? 


Also is there any possibility to check if the ransomware protection is working on a CSV / Windows file cluster ? Sure the option is set but did we had an option to test if its working ? 

4 replies

Userlevel 7
Badge +23

@SSchmidt , I converted this to a conversation to allow for continued input (without having it marked as ‘solved’).

I’m sure @Jos Meijer , @Onno van den Berg , and more have plenty of input here!

Userlevel 7
Badge +19

Last time I/we used a disk library was 7 years ago… Everything we do leverages a cloud library as a target. We are using Cloudian Hyperstore and we are as we speaking looking into adding a fast recovery tier which should leverage SSDs. We're looking into FlashBlade/S, StorageGrid and Cloudian appliances.

Nice thing about cloud storage is that it is much less vulnerable when it comes to ransomware and in most cases the solutions themselves offer addition protection layers through immutable snapshots and features like object-lock. Sharing buckets with multiple MAs is easy and mitigates issues during maintenance. 

Coming back to your question. I think it all drawls back to requirements and budget. I would personally consider adding a fast recovery tier these days but this of course depends on the size of the environment. To reduce cost I would use this only for production workloads just to make sure you can live up the RTO promise when ransomware hits you. Your second tier would than, from a performance perspective, become less important and would be an archive/compliance tier. My preference is a cloud library target but this means less solutions/vendor to choose from, so for disk libraries why not something based on file instead of block? No need for CSV and is easier to implement. We are using systems from Tintri https://tintri.com/products/intelliflash/ super fast and pretty cost efficient. 


Userlevel 6
Badge +18

Also is there any possibility to check if the ransomware protection is working on a CSV / Windows file cluster ? Sure the option is set but did we had an option to test if its working ? 

In my lab, I use cut/paste to try moving a V folder from the disk library, and get rejected.

Note:  I use cut/paste instead of delete, in case it works, so I can put the V folder back.  :)


Userlevel 7
Badge +17

I have no doubt that ransomware protection will work, as long as the binaries can reach the storage location via the OS.


Ransomware quote documentation: “MediaAgents on Cluster Shared Volumes (CSV) are supported from 11.20 with maintenance release 11.20.42 and higher releases.”


The question though in my opinion is, what goals do you want to achieve.

Are you looking for certain flexibility, certain performance, certain manageability options.
Or are your only concerns currently related to redirected I/O and errors during maintenance? 

Additionally it is important what your infrastructure can provide or what you are willing to provide to the infrastructure. Based on your current setup I assume you have a LAN oriented infrastructure and not Fiber Channel for instance. What kind of interfaces do your media agents have.

Also not to forget, what is your business policy, depending on security requirements or IT guidelines you may or may not be able to use Cloud libraries as @Onno van den Berg mentioned.

There are loads of options to choose from and all depends on context.
Can you elaborate on your goals?