There are a few different techniques that CV uses to protect your backup data from ransonware, and to alert if we suspect that a client has been infected by ransomware.
Method 1 is used to lock down your backup disklibrary mount paths, to ensure that only Commvault processes have write permissions.
Method 2 places a hidden file on your system, that expects never to be found and written to by users. We poll scans of this file to see if the file has been modified. If we detect that it has, we send an alert to Commvault admins of potential ransomware.
Method 3 monitors the backup activity of your clients. If we detech that there has been a high volume of unusal file change, we send an alert for potential infection to Commvault admins.
Please let me know if this answers your question.