Commvault

Detection

Quick Links to Topics:

Credits:

Great thanks to Mike Byrne for his hard work with the screen captures!

Commvault® software includes built-in coded mechanisms that can be enabled to monitor clients and detect potential ransomware attacks. Once an attack is detected, an event is triggered in the Event Viewer, and an alert notification can optionally be configured to notify administrators to react as quickly as possible.

A workflow could be created to be used by the alert to take the infected system offline, to stop the spread.

The mechanisms offered to monitor the client are as follows:

  • Using 'honey pot' files
  • File activity anomaly detection

'Honey Pot' Monitoring

This colorful name explains exactly how this method works. When enabled, Commvault® software creates .xls files that will act as decoys. These files are monitored and when a malware encrypts and modifies it, it triggers the event in the CommCell® and can trigger an alert to notify users. The frequency in minutes for the ransomware check is defined by the administrator.

This monitoring method is enabled via an additional setting that is pushed to client systems. The setting can be applied to a client, or a client computer group in the CommCell Console. The check frequency value is set in minutes.




To enable ‘honey pot’ ransomware checks

1 - Right-click the desired client computer or client computer group | Properties.

2 - Click to the Advanced options to configure ‘honey pot’ ransomware checks.



3 - Click to add a new setting.

4 - Lookup for the nTimer_CheckForRansomware setting.

5 - Set a check frequency in minutes.

6 - Click to save the setting.



7 - The new setting is added to the list.

8 - Click OK to push out the setting to the client.



9 - The decoy file is created on the client and monitored at set frequency.



File Activity Anomaly Detection

The second method that can be used to monitor for ransomware attacks is using file handling pattern. Once enabled, the client server is monitored for seven days, during which information is collected on file access, creation, modification, and rename. After the seven days' worth of information is collected, Commvault® software monitors for atypical file operations. For instance, an exceptionally large number of files being renamed will trigger the alert. The ransomware check is executed every five minutes.

Optionally, a report named File Activity Anomaly Report can be viewed from the Reports section of the Commvault Command CenterTM.




The File Activity Anomaly report

1 - The File Activity Anomaly report provides information about suspicious activity such as massive file rename or modification.


To enable file activity anomaly detection

1 - Right-click the desired client computer or client computer group | Properties.

2 - Click to display the advanced options.



3 - Click to add a new setting.

4 - Lookup for the EnableFileIOMonitor setting.

5 - Enable it by setting a value of 1.

6 - Click to save the setting.



7 - The new setting is added to the list.

8 - Click OK to push out the setting to the client.


Copyright © 2021 Commvault | All Rights Reserved.