File Activity Anomaly Report

Last post 05-26-2020, 8:04 AM by ddwyer. 23 replies.
  • File Activity Anomaly Report
    Posted: 04-03-2020, 6:21 AM

    I activated the File Activity Anomaly Report a couple of months ago and, strangely, I receive reports from 17 Microsoft FileServers every Saturday morning from one particular domain (which accounts for about half of the servers, all running the same software; these are a mixture of 2008, 2012 & 2016 Windows OS). I've subsequently used CVIOMonitor.log in an attempt to troubleshoot; however, when viewing the properties of identified files they display that each file was last amended in 2014. All of the servers are running Kaspersky AV and I can locate a limited number of '4670 – permissions on an object were changed' entries in some of the server event logs (but not all).

    I really don't want to have to disable this feature on these servers, as the Alert is obviously attempting to tell me something, but I'm unable to validate the accuracy of the reports.

  • Re: File Activity Anomaly Report
    Posted: 04-03-2020, 9:44 AM

    Hi Gateshead,

    Is it possible to escalate this case so that we can check what the issue is here? We monitor the activity on the machine and alert when we see abnormal activity on the machine. We would like to see why there is any abnormal activity happening. It will be easy if you can escalate the case and we can debug the issue.

    Thanks,

    Karthik

  • Re: File Activity Anomaly Report
    Posted: 04-16-2020, 5:33 PM

    Alas, some two weeks after raising Incident 200406-145, not much progress had been made. So this afternoon, in order to make some progress, I arranged for Kaspersky FULL scans to be manually run on all problematic Windows file-servers, and the File Anomaly Alerts duly triggered. So, I now know that Kaspersky is triggering false-positive Alerts. The question is how do I reconfigure CommVault and/or Kaspersky to work together in perfect harmony? I don't want to deactivate the honeypot as this will reduce Ransomware protection.

  • Re: File Activity Anomaly Report
    Posted: 04-16-2020, 6:38 PM

    Hi Gateshead,

     

    Can you provide us the log files from the machine which triggered anomaly to check what could have happened here?

     

    Thanks,

    Karthik

  • Re: File Activity Anomaly Report
    Posted: 04-17-2020, 4:55 AM

    Appreciated Karthik,

    I've just generated and uploaded a new "send log files" in respect of one of the iDAs which Alerted yesterday.

    Stay safe

  • Re: File Activity Anomaly Report
    Posted: 04-21-2020, 3:40 AM

    Still no response to the escalated ticket in spite of several 'chases'. I know that some allowances have to be made for COVID-19; however, customer service is not currently very impressive.

  • Re: File Activity Anomaly Report
    Posted: 04-21-2020, 12:44 PM

    I just had a conversation with the Tier 2 team that now owns the case and they will be escalating this case to our Engineering team. They do require a few additional items, for which they replied within the case. The previous engineer has been in and out of the office, so I can understand your frustrations. You always have the option of getting your case rerouted through our support frontline team, or you always have the option of Field Escalating the case if you feel the traction isn't there for you. Our Support Management team will review and handle your case appropriately from there.

  • Re: File Activity Anomaly Report
    Posted: 05-01-2020, 8:59 AM

    Procmon has established that when running a Kaspersky AV scan the file attributes are being amended, which results both in an Alert being triggered and in the Backup job taking longer, as there are more changed files to safeguard. I will have to arrange for a Kaspersky ticket to be opened, as I presume there must already be a solution to this issue out there.

  • Re: File Activity Anomaly Report
    Posted: 05-05-2020, 4:30 PM

    So armed with the procmon proof that Kaspersky was changing both the timestamps and attributes on scanned files, the Domain Administrator logged a support ticket with Kaspersky. The outcome is that Kaspersky are claiming that it is "normal practice for a scan to do that". Kaspersky appear to be trying to pass the buck back to CommVault but the File Activity Anomaly Alert is functioning as expected as far as I am concerned. How do I get Kaspersky to reconsider?

  • Re: File Activity Anomaly Report
    Posted: 05-05-2020, 5:23 PM

    Hi,

    I don't think it is right for an antivirus to change the timestamps on a file. This will affect the backups as well, since backups depend on the modification time of a file, and if that changes there is a chance that we could skip files from backup or back up extra data. The anomaly report is also pointing to the same, that there is some anomaly happening on the machine. I don't think Commvault can do anything here unless the antivirus fixes itself to not modify the timestamp.

    Thanks,

    Karthik

  • Re: File Activity Anomaly Report
    Posted: 05-06-2020, 9:59 AM

    Don't confuse the honeypot feature with the file change detection. One is a dummy xls sheet in the iDataAgent folder that only triggers an alarm if the file content is tampered with (changing the access date doesn't trigger alarms on our cells). The other relates to FolderWatcher.db (in contentstore/base for all the places), which monitors changes regularly and attempts to make intelligent deductions. We had to disable the latter on our file-servers because the database file doesn't seem to have a reliable cleanup routine and threatened to fill up the OS disk.

  • Re: File Activity Anomaly Report
    Posted: 05-06-2020, 1:28 PM

    Hi,

    We have fixed some issues with the pruning logic recently. Which service pack are you currently on? We can provide the update for the same.

    Thanks,

    Karthik

  • Re: File Activity Anomaly Report
    Posted: 05-06-2020, 1:49 PM

    SP18.15

  • Re: File Activity Anomaly Report
    Posted: 05-06-2020, 3:21 PM

    Hi,

    Can you update the client to the latest SP18 hotfix pack which has the fix for the DB size issue you mentioned.

     

    Thanks,

    Karthik

  • Re: File Activity Anomaly Report
    Posted: 05-06-2020, 4:25 PM

    I'm running 11.19.6 throughout my CommCell. As it's not my Domain that is triggering (we use McAfee), I do not have direct access to Kaspersky support. I really want to challenge Kaspersky as it surely cannot be "normal practice" for the AV process to change the timestamp and attributes on scanned files. I've also tried to locate Kaspersky configuration documentation to see if this "normal practice" is referenced anywhere without success. It's doing my head in!

  • Re: File Activity Anomaly Report
    Posted: 05-07-2020, 2:46 AM

    Which hotfix or hotfix pack would that be? And where can I find further info on how the cleanup works and how it can be configured?

    We run 7 CommCells with 5k+ clients and rather restrictive SLAs regarding downtimes. We can't and won't install every hotfix released by CV right away. Each install so far has spawned at least half a dozen to a dozen cases where something got broken or changed without being mentioned, taking months to be fixed again.

  • Re: File Activity Anomaly Report
    Posted: 05-07-2020, 12:28 PM

    Gateshead:

    I activated the File Activity Anomaly Report a couple of months ago and, strangely, I receive reports from 17 Microsoft FileServers every Saturday morning from one particular domain (which accounts for about half of the servers, all running the same software; these are a mixture of 2008, 2012 & 2016 Windows OS). I've subsequently used CVIOMonitor.log in an attempt to troubleshoot; however, when viewing the properties of identified files they display that each file was last amended in 2014. All of the servers are running Kaspersky AV and I can locate a limited number of '4670 – permissions on an object were changed' entries in some of the server event logs (but not all).

    I really don't want to have to disable this feature on these servers, as the Alert is obviously attempting to tell me something, but I'm unable to validate the accuracy of the reports.

    I am receiving this alert every day. Can someone explain why?

    Alert: File Activity Anomaly Alert
    Type: Operation - Event Viewer Events
    Detected Criteria: Event Viewer Events
    Detected Time: Wed May  6 23:39:22 2020
    CommCell: commserv

    Event ID: 2608456
    Monitoring Criteria: (Event Code equals to 7:211|7:212)
    Severity: Critical
    Event Date: Wed May  6 23:38:55 2020
    Program: CVD
    Client: XXXXXXXXXX
    Description: Detected file activity anomaly of type [Deleted ] in last 5 minutes. Number of files Modified [319] Deleted [99275] Renamed [346] and Created [219]. Please verify the data on the machine.
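An added example, not part of this thread and not Commvault's or Kaspersky's code, covering two checks an admin can run while validating an alert like the one above. The first is the before/after comparison that the Procmon investigation earlier in the thread did by hand: snapshot a file tree, rescan it, and separate real content changes (hash differs) from metadata-only changes (only the timestamp or attributes differ), which is what a scanner that touches file times produces. The second parses the Description line of the alert so the four counters can be trended instead of read by eye. The scratch directory, sample files, the 2014 timestamp and the classification rules are all constructed for illustration and are not Commvault's own anomaly logic.

```python
"""File Activity Anomaly triage helpers (added example; constructed sample data).

snapshot()/classify(): stat and hash a tree before and after a scan and split
"modified" into content changes and metadata-only changes.
parse_alert_description(): pull the counters out of the alert Description text.
"""
import hashlib
import os
import re
import shutil
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (mtime_ns, attributes, sha256) for every file under root.
    On Windows st_file_attributes carries the DOS attribute bits; elsewhere it is 0."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            attrs = (stat.S_IMODE(st.st_mode), getattr(st, "st_file_attributes", 0))
            snap[os.path.relpath(full, root)] = (st.st_mtime_ns, attrs, _sha256(full))
    return snap


def classify(before, after):
    """Diff two snapshots into the alert's categories, plus metadata_only."""
    result = {"content_modified": [], "metadata_only": [], "deleted": [],
              "created": [], "renamed": []}
    created = {p: after[p] for p in after if p not in before}
    created_by_hash = {}  # rename = a vanished path whose hash reappears elsewhere
    for p, (_, _, h) in created.items():
        created_by_hash.setdefault(h, []).append(p)
    for p in sorted(before):
        if p in after:
            m0, a0, h0 = before[p]
            m1, a1, h1 = after[p]
            if h0 != h1:
                result["content_modified"].append(p)
            elif (m0, a0) != (m1, a1):
                result["metadata_only"].append(p)  # what a scanner "touch" looks like
            continue
        candidates = created_by_hash.get(before[p][2])
        if candidates:
            new_path = candidates.pop(0)
            result["renamed"].append((p, new_path))
            del created[new_path]
        else:
            result["deleted"].append(p)
    result["created"] = sorted(created)
    return result


def summarize(result):
    """Counts in the alert's shape; 'modified' includes metadata-only changes,
    which is how a timestamp-touching scan inflates that number."""
    return {"modified": len(result["content_modified"]) + len(result["metadata_only"]),
            "metadata_only": len(result["metadata_only"]),
            "deleted": len(result["deleted"]),
            "renamed": len(result["renamed"]),
            "created": len(result["created"])}


_ALERT_RE = re.compile(
    r"anomaly of type \[(?P<type>\w+)\s*\].*?"
    r"Modified \[(?P<modified>\d+)\] Deleted \[(?P<deleted>\d+)\] "
    r"Renamed \[(?P<renamed>\d+)\] and Created \[(?P<created>\d+)\]")


def parse_alert_description(text):
    """Extract the anomaly type and the four counters from an alert Description."""
    m = _ALERT_RE.search(text)
    if not m:
        raise ValueError("not a File Activity Anomaly description")
    parsed = {k: int(v) for k, v in m.groupdict().items() if k != "type"}
    parsed["type"] = m.group("type")
    return parsed


def demo():
    """Scratch tree with one change of each kind (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="fsa_demo_")
    try:
        for name, data in {"a.txt": b"alpha", "b.txt": b"bravo",
                           "c.txt": b"charlie", "d.txt": b"delta"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = snapshot(root)
        # Metadata-only: rewrite a.txt's mtime to a 2014 date, content untouched.
        os.utime(os.path.join(root, "a.txt"), ns=(1_400_000_000 * 10**9,) * 2)
        with open(os.path.join(root, "b.txt"), "ab") as f:  # real content change
            f.write(b"!")
        os.remove(os.path.join(root, "c.txt"))  # deletion
        os.rename(os.path.join(root, "d.txt"), os.path.join(root, "d_renamed.txt"))
        with open(os.path.join(root, "e.txt"), "wb") as f:  # creation
            f.write(b"echo")
        return classify(before, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(summarize(demo()))
```

In practice the first snapshot is taken before a scheduled scan and the second after it. A large metadata_only count with a near-zero content_modified count is the signature of a scanner touching timestamps or attributes rather than of files being rewritten, and it is also the set of files a backup keyed on modification time will pick up unnecessarily. Hashing every file is expensive on a large file server, so scope the check to the folders CVIOMonitor.log reports as active.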

     

  • Re: File Activity Anomaly Report
    Posted: 05-07-2020, 4:47 PM

    Hi,

    You can check the CVIOMonitor.log which tells on which folders we have seen the activity resulting in this anomaly alert. Looks like there are a lot of deletes happening on the machine causing the anomaly.

     

    Thanks,

    Karthik

  • Re: File Activity Anomaly Report
    Posted: 05-08-2020, 2:21 PM

    My report is always blank. I assume that is a good thing? :)

  • Re: File Activity Anomaly Report
    Posted: 05-26-2020, 4:11 AM

    Solution eventually obtained from Kaspersky Forums:

    • Oleg Bykov
    • Kaspersky Employee

    To instruct KSWS to not mess with file times when doing the On-Demand scanning, add this value to the registry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]

     

  • Re: File Activity Anomaly Report
    Posted: 05-26-2020, 8:04 AM

    @H_Ali,

    What kind of server is it, just a Windows File Server?

    David

Copyright © 2020 Commvault | All Rights Reserved. | Legal | Privacy Policy