security anti-ransomware volume attack-detection-parameters show
Show anti-ransomware volume attack detection parameters
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The security anti-ransomware volume attack-detection-parameters show command displays attack detection parameter details of an anti-ransomware enabled volume.
Parameters
{ [-fields <fieldname>,...]
    If you specify the -fields <fieldname>, ... parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-instance ] }
    If you specify the -instance parameter, the command displays detailed information about all fields.
-vserver <Vserver Name> - Vserver Name
    This parameter specifies the Vserver of the anti-ransomware enabled volume.
-volume <volume name> - Volume Name
    This parameter specifies the anti-ransomware enabled volume for which the attack detection parameters need to be displayed.
[-based-on-high-entropy-data-rate {true|false}] - High Entropy Data Rate at Volume Level
    This parameter displays whether ransomware detection is based on a high entropy data rate at the volume level. Ransomware detection is also done based on the high entropy data rate at the file level; that method of detection is always enabled and has no dependency on this parameter.
[-based-on-never-seen-before-file-extension {true|false}] - Never Seen before File Extension
    This parameter indicates whether ransomware detection is based on new file types not seen before at the volume level. This detection method is based only on the file extension, not on file entropy. Some variants of ransomware modify the data such that the file entropy remains unchanged; this method helps in detecting those variants, but there is a possibility of false positives. Note that ransomware detection is also done based on the combined file extension and file entropy, and that method of detection is always enabled and has no dependency on this parameter.
[-based-on-file-create-rate {true|false}] - Is Based on File Create Operation Rate
    This parameter displays whether ransomware detection is based on the file create rate at the volume level. If this is true and the number of files created per timeslot surges by -file-create-rate-surge-notify-percentage percent compared to the historically observed value, then it is considered an attack.
[-based-on-file-rename-rate {true|false}] - Is Based on File Rename Operation Rate
    This parameter displays whether ransomware detection is based on the file rename rate at the volume level. If this is true and the number of files renamed per timeslot surges by -file-rename-rate-surge-notify-percentage percent compared to the historically observed value, then it is considered an attack.
[-based-on-file-delete-rate {true|false}] - Is Based on File Delete Operation Rate
    This parameter displays whether ransomware detection is based on the file delete rate at the volume level. If this is true and the number of files deleted per timeslot surges by -file-delete-rate-surge-notify-percentage percent compared to the historically observed value, then it is considered an attack.
[-relaxing-popular-file-extensions {true|false}] - Is Relaxing Popular File Extensions
    This parameter displays whether ransomware detection treats commonly used file extensions as safe. If true, a predetermined set of commonly used extensions, such as .mp3, is considered safe. If false, only those file extensions observed during the dry-run state are considered safe; any extension not observed during the dry-run state but observed later is suspected as a ransomware attack, even if it is a commonly used extension.
[-high-entropy-data-surge-notify-percentage <integer>]
 - High Entropy Data Surge Notify Percentage
    This parameter displays the surge percentage in high entropy data, within the overall incoming data at the volume level, that is still considered safe.
[-file-create-rate-surge-notify-percentage <integer>] - File Create Operation Rate Surge Notify Percentage
    This parameter displays the surge percentage that is considered safe for file create operations at the volume level.
[-file-delete-rate-surge-notify-percentage <integer>] - File Delete Operation Rate Surge Notify Percentage
    This parameter displays the surge percentage that is considered safe for file delete operations at the volume level.
[-file-rename-rate-surge-notify-percentage <integer>] - File Rename Operation Rate Surge Notify Percentage
    This parameter displays the surge percentage that is considered safe for file rename operations at the volume level.
[-never-seen-before-file-extn-count-notify-threshold <integer>] - Never Seen before File Extension Count Notify Threshold
    This parameter displays the threshold count of files with a new file extension not seen before, for create/rename operations.
[-never-seen-before-file-extn-duration-in-hours <integer>] - Never Seen before File Extension Duration in Hours
    This parameter displays the observation duration for new file extensions not seen before, in hours. If a new file extension is observed and -never-seen-before-file-extn-count-notify-threshold files are created/renamed with this new file extension within this duration, then it is reported as an attack.
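The surge rules and the never-seen-before-extension rule described by these parameters, modeled in Python as an added example; this is not ONTAP code. The page states the comparisons (a per-timeslot count that surges by the notify percentage over the historically observed value; a threshold number of files with a new extension within the configured duration) but not how the historical baseline is computed, how long a timeslot is, or how the duration window is anchored, so those are assumptions here (mean of prior timeslots, caller-chosen timeslots, a window starting at the extension's first observation). The parameter defaults are taken from the man page example; the popular-extension set beyond .mp3 and all sample counts and events are constructed.

```python
"""Model of the volume-level detection rules from the
attack-detection-parameters man page (added illustration, not ONTAP code).
Assumptions: baseline = mean of prior timeslot counts; the new-extension
window starts at the extension's first observation."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class DetectionParameters:
    # Mirrors the fields shown by attack-detection-parameters show;
    # defaults are the values from the man page example.
    based_on_file_create_rate: bool = True
    based_on_file_rename_rate: bool = True
    based_on_file_delete_rate: bool = True
    based_on_never_seen_before_file_extension: bool = True
    relaxing_popular_file_extensions: bool = True
    file_create_rate_surge_notify_percentage: int = 100
    file_rename_rate_surge_notify_percentage: int = 100
    file_delete_rate_surge_notify_percentage: int = 100
    never_seen_before_file_extn_count_notify_threshold: int = 20
    never_seen_before_file_extn_duration_in_hours: int = 24


# The page names .mp3 as a commonly used extension; the rest of this
# set is assumed for illustration only.
POPULAR_EXTENSIONS = {".mp3", ".jpg", ".png", ".pdf", ".docx"}


def surge_percentage(history, current):
    """Percent increase of `current` over the mean of prior timeslots.
    Returns None when no positive baseline exists (assumption: a rate
    rule cannot fire before a history has been observed)."""
    if not history:
        return None
    baseline = mean(history)
    if baseline <= 0:
        return None
    return (current - baseline) / baseline * 100.0


def check_operation_rates(params, history, current):
    """Apply the create/rename/delete surge rules.

    `history` maps an operation ('create', 'rename', 'delete') to a list
    of per-timeslot counts; `current` maps it to the count in the
    current timeslot. Returns the operations whose rule trips."""
    rules = {
        "create": (params.based_on_file_create_rate,
                   params.file_create_rate_surge_notify_percentage),
        "rename": (params.based_on_file_rename_rate,
                   params.file_rename_rate_surge_notify_percentage),
        "delete": (params.based_on_file_delete_rate,
                   params.file_delete_rate_surge_notify_percentage),
    }
    tripped = []
    for op, (enabled, notify_pct) in rules.items():
        if not enabled:
            continue
        pct = surge_percentage(history.get(op, []), current.get(op, 0))
        if pct is not None and pct >= notify_pct:
            tripped.append(op)
    return tripped


def check_new_extensions(params, safe_extensions, events):
    """Apply the never-seen-before-extension rule.

    `safe_extensions` is the set learned during the dry run; `events`
    is a list of (hour, operation, extension) tuples. An extension is
    reported when at least the threshold number of files are
    created/renamed with it within the configured duration of its first
    observation. Extensions that are safe, or popular when relaxing is
    enabled, are never counted."""
    if not params.based_on_never_seen_before_file_extension:
        return []
    first_seen, counts = {}, {}
    for hour, op, ext in sorted(events):
        if op not in ("create", "rename") or ext in safe_extensions:
            continue
        if params.relaxing_popular_file_extensions and ext in POPULAR_EXTENSIONS:
            continue
        start = first_seen.setdefault(ext, hour)
        if hour - start <= params.never_seen_before_file_extn_duration_in_hours:
            counts[ext] = counts.get(ext, 0) + 1
    threshold = params.never_seen_before_file_extn_count_notify_threshold
    return sorted(ext for ext, n in counts.items() if n >= threshold)


# Constructed sample data, not real volume telemetry.
SAMPLE_HISTORY = {"create": [10, 12, 11, 9], "rename": [5, 5, 5, 5], "delete": [0, 0, 0, 0]}
SAMPLE_CURRENT = {"create": 30, "rename": 9, "delete": 3}
SAMPLE_SAFE = {".docx", ".xlsx", ".txt"}
SAMPLE_EVENTS = (
    [(h * 0.1, "create", ".locked") for h in range(25)]  # 25 files within 2.4 h
    + [(h * 0.1, "rename", ".mp3") for h in range(25)]   # popular extension
    + [(h * 0.1, "create", ".tmp") for h in range(5)]    # below the count threshold
    + [(h * 3.0, "create", ".bak") for h in range(25)]   # 25 files spread over 72 h
)

if __name__ == "__main__":
    params = DetectionParameters()
    print("rate rules tripped:", check_operation_rates(params, SAMPLE_HISTORY, SAMPLE_CURRENT))
    print("new extensions reported:", check_new_extensions(params, SAMPLE_SAFE, SAMPLE_EVENTS))
```

With the defaults, only the create rate trips (30 against a mean of 10.5 is a 186% surge; renames rise 80%, below the 100% notify percentage; deletes have no baseline). Of the extensions, only .locked is reported: .mp3 is excused by relaxing, .tmp stays under the count threshold, and .bak reaches only 9 files inside the 24-hour window. Setting relaxing_popular_file_extensions to False makes .mp3 reportable as well, which is the false-positive trade-off the parameter description points out.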
Examples
The following example displays attack detection parameter information of a volume.
cluster1::> security anti-ransomware volume attack-detection-parameters show -vserver vs1 -volume vol1
                                             Vserver Name : vs1
                                              Volume Name : vol1
             Is Detection Based on High Entropy Data Rate? : true
    Is Detection Based on Never Seen before File Extension? : true
                   Is Detection Based on File Create Rate? : true
                   Is Detection Based on File Rename Rate? : true
                   Is Detection Based on File Delete Rate? : true
            Is Detection Relaxing Popular File Extensions? : true
                   High Entropy Data Surge Notify Percentage : 100
                    File Create Rate Surge Notify Percentage : 100
                    File Rename Rate Surge Notify Percentage : 100
                    File Delete Rate Surge Notify Percentage : 100
    Never Seen before File Extensions Count Notify Threshold : 20
           Never Seen before File Extensions Duration in Hour : 24