Solved

What is a "suspicious file"?

  • 23 November 2021
  • 9 replies
  • 3380 views

Badge +1

We are running 11.23 and are now suddenly getting the event 7:269 - “A suspicious file [<String>] is detected on the machine [<String>]. Please alert your administrator.”

The files in question are all OK, as far as we can see.

Does anyone know why a file might be considered suspicious?

 

Best answer by DMCVault 23 November 2021, 16:25

9 replies

Userlevel 7
Badge +15

Hi @Gulo 

Thanks for the question and welcome to the Community!

This new event was introduced from 11.23 onwards.

Please take a look at Monitoring File Anomalies On Client Computers.

Whilst this covers file anomalies, the principles are similar.

Method 1: Monitoring the Honeypot File

Commvault software automatically detects the presence of ransomware on your client computers using the honeypot file method. Ransomware typically attacks user files such as office documents, media files, etc. The honeypot file placed by Commvault mimics such a user document and baits ransomware into encrypting it. The ransomware check happens once every 4 hours.

 

Method 2: Detecting File Anomalies On Client Computers

Note: Anomaly detection can be enabled on virtualized environments by installing the base Windows file system restore-only client in the virtual machine guest host. For more information, see Installation of Restore Only Agents.

A large number of files being created, deleted, modified, or renamed on your client computer can be due to the presence of Ransomware malware. These activities are monitored by default. Configure the File Activity Anomaly Alert to receive alerts when abnormal activities are detected.

File activities on the client computer are checked every 5 minutes and any abnormal activity is reported to the administrator by an alert and event. For the first 7 days, the client computer is monitored and analyzed for day to day activity. After 7 days, a base line of file activities is established and alerts and events are sent to the administrator when a large number of abnormal file activities are detected.

Up to 30 days of file activities are maintained in a database (Folderwatcher.db) on the client computer for use by the monitoring algorithm.

To view the File Activity Anomaly Report using the Command Center, see File Activity Anomaly Report.

 

The idea is to try and provide an early warning of suspicious files that can be checked so potentially malicious items can be found and dealt with quickly.

Thanks,

Stuart
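As an added illustration of the second method described above (monitor first, learn a 7-day baseline of 5-minute windows, then alert on abnormal volume), here is a small detector written for this thread. It is not Commvault's code and does not reproduce its actual algorithm: the threshold rule (mean plus k standard deviations, with a minimum floor) and the sample events are assumptions made for the example.

```python
"""Baseline-and-threshold detector for file-activity anomalies (added example).

This is not Commvault code.  It mirrors the scheme the reply describes:
file operations are counted per 5-minute window, the first 7 days are used
only to learn a baseline, and later windows are flagged when their count is
far above that baseline.  The threshold rule (mean + k standard deviations,
with a minimum floor) and the sample events are assumptions made for the
example, not Commvault's actual algorithm.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import statistics

WINDOW = timedelta(minutes=5)            # check interval from the reply
LEARNING_PERIOD = timedelta(days=7)      # baseline period from the reply
MONITORED_OPS = {"create", "delete", "modify", "rename"}


@dataclass
class Alert:
    window_start: datetime
    count: int
    threshold: float


def bucket(events, start):
    """Count monitored operations per 5-minute window, keyed by window index."""
    counts = Counter()
    for ts, op in events:
        if op in MONITORED_OPS:
            counts[(ts - start) // WINDOW] += 1
    return counts


def detect(events, start, k=4.0, floor=50):
    """Learn a baseline from the first 7 days, then flag later windows.

    Windows with no activity count as zero in the baseline, so a quiet host
    gets a low threshold; `floor` (assumed) stops a near-silent baseline from
    turning a handful of edits into an alert.
    """
    counts = bucket(events, start)
    n_learning = LEARNING_PERIOD // WINDOW          # 2016 windows in 7 days
    base = [counts.get(i, 0) for i in range(n_learning)]
    threshold = max(statistics.mean(base) + k * statistics.pstdev(base), floor)
    alerts = []
    for i in range(n_learning, max(counts, default=-1) + 1):
        c = counts.get(i, 0)
        if c > threshold:
            alerts.append(Alert(start + i * WINDOW, c, threshold))
    return threshold, alerts


def make_sample_events(start):
    """Constructed sample data, not a real capture: 7 quiet days, then a burst."""
    events = []
    n_learning = LEARNING_PERIOD // WINDOW
    for i in range(n_learning):
        t = start + i * WINDOW
        for j in range(1 + i % 3):                    # 1..3 normal edits per window
            events.append((t + timedelta(seconds=j), "modify"))
    burst = start + LEARNING_PERIOD + timedelta(hours=3)   # day 8, 03:00
    for j in range(500):                              # mass rename/modify, ransomware-like
        events.append((burst + timedelta(milliseconds=j), "rename" if j % 2 else "modify"))
    return events


def demo():
    """Run the detector over the constructed sample; returns (threshold, alerts)."""
    start = datetime(2021, 11, 1)
    return detect(make_sample_events(start), start)


if __name__ == "__main__":
    threshold, alerts = demo()
    print(f"threshold={threshold:.1f} ops per 5-minute window")
    for a in alerts:
        print(f"ALERT {a.window_start:%Y-%m-%d %H:%M}: {a.count} ops (> {a.threshold:.1f})")
```

The point of the floor is the one raised later in this thread: a host whose baseline is almost silent would otherwise alert on a few dozen edits, which is exactly the kind of noise that makes operators stop reading the alerts.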

Badge +1

Thank you, Stuart,

This message doesn’t seem to be an anomaly, as it is only recorded as an event and does not appear in the anomaly dashboard. The message is like this:

“A suspicious file [E:\TOP\test_integration\node_modules\node-ipc\local-node-ipc-certs\private\client.key] is detected on the machine [...]. Please alert your administrator.”

I cannot see an explanation for this message in the documentation.

 

Thanks,
Gunnar

 

Userlevel 5
Badge +8

@Gulo 

This is a feature we have been quietly incubating and tuning over the last couple feature releases.  In 1123 it is only an event - but we have since integrated this into the standard file anomaly alert in 1125+ and added to the security dashboard.

This feature monitors for suspicious files/extensions based on an IOC (indicators of compromise) dictionary list.  This isn't hooked to any antivirus application - so it is intended to provide insights for further investigation.

I'll check to make sure the docs are covered.
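To make the reply above concrete, here is an added example of a dictionary-style check over file paths, with a path exclusion list of the kind asked about later in this thread. It is not Commvault's code and the dictionary entries, exclusion syntax and sample paths are constructed for the example; the broad `.key` entry is included only to show how a generic indicator flags a legitimate file like the node-ipc test certificate from the question, not to claim that is why Commvault flagged it.

```python
"""IOC-dictionary match over file paths, with exclusions (added example).

Not Commvault code.  It shows the kind of check the reply describes: file
names and extensions are compared against a dictionary of indicators, no
antivirus engine is involved, and a hit is a triage lead rather than a
verdict.  The dictionary, the exclusion globs and the sample paths are
constructed for this example; the broad '.key' entry is there to show how a
generic indicator can flag a legitimate file such as the node-ipc test
certificate quoted in the question, and how a path exclusion suppresses it.
"""
import fnmatch
from pathlib import PureWindowsPath

# Constructed sample dictionary (extension / file name -> label).
IOC_EXTENSIONS = {
    ".locky": "Locky ransomware (encrypted file extension)",
    ".wncry": "WannaCry ransomware (encrypted file extension)",
    ".key": "private key material (generic, assumed entry, noisy)",
}
IOC_FILENAMES = {
    "_readme.txt": "ransom note file name used by STOP/Djvu",
}

# Constructed sample input; the first path is the one quoted in the thread.
SAMPLE_PATHS = [
    r"E:\TOP\test_integration\node_modules\node-ipc\local-node-ipc-certs\private\client.key",
    r"C:\Users\alice\Documents\budget.xlsx.locky",
    r"D:\share\_readme.txt",
    r"C:\Windows\System32\kernel32.dll",
]

# Assumed exclusion syntax: case-insensitive globs over the full path.
EXCLUSIONS = [r"E:\TOP\test_integration\node_modules\*"]


def match_ioc(path):
    """Return the dictionary label for a path, or None when nothing matches."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in IOC_FILENAMES:
        return IOC_FILENAMES[name]
    return IOC_EXTENSIONS.get(p.suffix.lower())


def is_excluded(path, exclusions):
    """True when the path matches any exclusion glob (case-insensitive)."""
    return any(fnmatch.fnmatchcase(path.lower(), g.lower()) for g in exclusions)


def triage(paths, exclusions=()):
    """Return (path, label) for every path that matches and is not excluded."""
    hits = []
    for path in paths:
        label = match_ioc(path)
        if label and not is_excluded(path, exclusions):
            hits.append((path, label))
    return hits


if __name__ == "__main__":
    for path, label in triage(SAMPLE_PATHS, EXCLUSIONS):
        print(f"A suspicious file [{path}] is detected: {label}")
```

Because the match is purely on name and extension, the output is a lead for investigation, not a verdict: the `.locky` hit deserves an immediate look, while the `.key` hit under `node_modules` is the sort of result an exclusion list exists for.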

 

Userlevel 7
Badge +23

Moved new question to its own thread:

 

Userlevel 7
Badge +19

I really hope this "feature” will get more attention in the future to reduce the false positives and impact on load! We already opened a few tickets around this feature. I would like to make the suggestion to introduce a feature that allows customers to submit a false positive. I assume there is an AI model that has to be trained to make it better and more accurate, but having to open up tickets to feed it seems a bit too much to ask. 

In addition, I would prefer to have more control over this feature by having the possibility to configure file probes. Currently the honeypot is located in the software folder of Commvault, but in most cases the application/user data is not located there. So by being able to set up probes, customers will have more control, and it can help to make this feature more accurate and less noisy when it comes to alerting. 

Userlevel 7
Badge +23

Adding the best man to answer this: @DMCVault 

Badge +1

@Gulo

This feature monitors for suspicious files/extensions based on an IOC (indicators of compromise) dictionary list.  This isn't hooked to any antivirus application - so it is intended to provide insights for further investigation.

I'll check to make sure the docs are covered.

 

Hi @DMCVault , is it possible to add an extension to be excluded from the monitor?

Badge +4

Apologies for resurrecting an old thread, but has there been any progress made on adding exclusions or tuning this a bit more to prevent false positives? We’ve been getting inundated with alerts, which is making our Ops team go nuts trying to work with server owners to determine if it’s truly suspicious.

We’re currently on 11.25 and plan on upgrading to 2022E in a month or so.

Userlevel 7
Badge +19

@Frank Grimes I do not really think so…. As for upgrading to 2022e, well, I would wait another month until it has received the official GA stamp. I would still like to see improvements on the honeypot implementation. The file anomaly feature is too noisy and returns false positives. Customers do not look at it because until now they have only seen false positives. 
