File Activity Anomaly Alert - what triggers it?

Last post 01-21-2020, 7:12 PM by Anthony.Hodges. 1 replies.
Sort Posts: Previous Next
  • File Activity Anomaly Alert - what triggers it?
    Posted: 01-21-2020, 11:00 AM

    I have a question on what triggers the File Activity Anomaly Alert. I understand it builds 7 days of daily monitoring activity but other than the use of Codes 7:211 | 7:212 what sets off this alert? Is it a certain percentage of add, deleted, modified or renamed files or combo in the 5 minute period? I have been tasked with ascertaining the condition, whether it is percentage or file count that generates this alert.

    I cannot find an answer anywhere on what exactly triggers the alert.


  • Re: File Activity Anomaly Alert - what triggers it?
    Posted: 01-21-2020, 7:12 PM

    The File Activity Anomaly Alert appears to be calculated from results in either the Media Agent Index Data or in real-time via a Filter Driver (includes a Ransomware Detection Engine and File I/O Monitor).  The File I/O Monitor data is analysed by the Ransomware Detection Engine against I/O access patterns and Directory changing data to establish a baseline entropic value.  The percentage increases to trigger alerts by the Ransomware Detection Engine are publicly not disclosed, but it is my understanding that the formula is not as simple as a fixed percentage of I/O changes, rather an internal confidence score based off entropic changes in the file system with a heavy weighting towards certain types of I/O - like re-writes.  Because of the learning heuristic nature of the algorithm, re-testing on the same client is going to be tricky, so you may want to discuss the outcomes of your testing with support.

The content of the forums, threads and posts reflects the thoughts and opinions of each author, and does not represent the thoughts, opinions, plans or strategies of Commvault Systems, Inc. ("Commvault") and Commvault undertakes no obligation to update, correct or modify any statements made in this forum. Any and all third party links, statements, comments, or feedback posted to, or otherwise provided by this forum, thread or post are not affiliated with, nor endorsed by, Commvault.
Commvault, Commvault and logo, the “CV” logo, Commvault Systems, Solving Forward, SIM, Singular Information Management, Simpana, Commvault Galaxy, Unified Data Management, QiNetix, Quick Recovery, QR, CommNet, GridStor, Vault Tracker, InnerVault, QuickSnap, QSnap, Recovery Director, CommServe, CommCell, SnapProtect, ROMS, and CommValue, are trademarks or registered trademarks of Commvault Systems, Inc. All other third party brands, products, service names, trademarks, or registered service marks are the property of and used to identify the products or services of their respective owners. All specifications are subject to change without notice.
Copyright © 2020 Commvault | All Rights Reserved. | Legal | Privacy Policy