Respond to abnormal activity detected by ONTAP ARP
When Autonomous Ransomware Protection (ARP) detects abnormal activity in a protected volume, it issues a warning. Evaluate the notification to decide whether the activity is acceptable (a false positive) or whether it indicates a malicious attack. After you categorize the activity, you can clear the warning and the notices about abnormal activity.
When you categorize an attack, the ARP snapshots are either retained for a limited period that starts with the categorization operation (ONTAP 9.16.1 and later), or deleted immediately when you clear the suspected event (ONTAP 9.15.1 and earlier).
Note: Beginning with ONTAP 9.11.1, you can modify the retention settings for ARP snapshots.
For NAS volumes, ARP displays a list of suspected files when it detects any combination of high data entropy, abnormal volume activity with data encryption, and unusual file extensions.
Beginning with ONTAP 9.17.1:
- For NAS volumes: ARP continues to provide suspected files and file types.
- For SAN volumes (volumes that contain LUNs or NVMe namespaces): ARP evaluates entropy at the volume level only. ONTAP does not see individual files inside the LUN or namespace, so suspected file lists and file types are not available. Instead, ARP reports volume-level spikes in encryption percentage (entropy spikes).
Details of entropy spikes for both NAS and SAN volumes are reported on the Anti-ransomware page in System Manager.
When an ARP warning notification is issued, respond by designating the activity in one of two ways:
- False positive: The identified file type or entropy spike is expected in your workload and can be ignored.
- Potential ransomware attack: The identified file type or entropy spike is unexpected in your workload and should be treated as a potential attack.
Normal monitoring resumes after you record your decision and clear the ARP notifications. ARP records your evaluation in the threat assessment profile and uses it when monitoring subsequent file activity.
In the case of a suspected attack, you must determine whether it is a real attack, respond to it if it is, and then clear the notices and restore data in the order required by your recovery method and ONTAP version. Learn more about how to recover from a ransomware attack.
Before you begin, ARP must be actively protecting the volume; it must not be in learning (evaluation) mode.
Follow these steps when you need to classify abnormal activity. If you need to restore data, use the steps in Restore data from ONTAP ARP snapshots after a ransomware attack.
Review abnormal activity details
You can use System Manager or the ONTAP CLI to review ARP warning details before choosing a response flow.
System Manager
- When you receive an "abnormal activity" notification, follow the link. Alternatively, navigate to Storage > Volumes, find an affected volume, and select the Security tab. Warnings are also displayed in the Overview pane of the System Manager dashboard and in the Events menu.
- In the Security tab, review the abnormal activity details:
  - For NAS volumes, review the Suspected file types report. The Suspected File Types dialog box shows the file extensions and file counts that ARP has identified.
  - For both NAS and SAN volumes, review the entropy spike report, which shows the time window, duration, amount of data written, and entropy values.
CLI
- When you receive a notification of a suspected ransomware attack, verify the time and severity of the attack:
  security anti-ransomware volume show -vserver <svm_name> -volume <vol_name>
  Sample output:
    Vserver Name: vs0
    Volume Name: vol1
    State: enabled
    Attack Probability: moderate
    Attack Timeline: 5/12/2025 01:03:23
    Number of Attacks: 1
    Attack Detected By: encryption_percentage_analysis
  You can also check EMS messages:
  event log show -message-name callhome.arw.activity.seen
- (Optional, NAS and SAN) View recent entropy spikes detected on the volume:
  security anti-ransomware volume entropy-stat show-recent-high-encryption-stat -vserver <svm_name> -volume <vol_name>
  This command summarizes the time windows in which ONTAP detected a high encryption percentage (an entropy spike). It applies to both NAS and SAN volumes.
- (Optional) View a histogram of encryption percentage over time:
  security anti-ransomware volume entropy-stat show-encryption-percentage-histogram -vserver <svm_name> -volume <vol_name>
Understand snapshot behavior and approvals when you clear a suspected event
- For volume snapshot restore in ONTAP 9.16.1 and later, clear the suspected event first and then perform the restore. After you clear the suspected files, ARP snapshots are retained based on how you categorize the activity: 7 days (by default) if you mark the activity as a potential ransomware attack, or 24 hours if you mark it as a false positive. Clearing first does not remove your restore target. Additionally, the clear-suspect option becomes unavailable after a volume restore, so you must clear before restoring.
- For volume snapshot restore in ONTAP 9.15.1 and earlier, perform the restore first and then clear the suspected event. ARP snapshots are deleted immediately when you clear the suspected files, so you must complete the restore before clearing; otherwise the snapshot is gone before the restore operation can run.
- For recovery methods other than volume snapshot restore (for example, FlexClone or single-file SnapRestore), perform data recovery first and then clear the suspected event. These methods do not affect the availability of the clear-suspect option.
- Beginning with ONTAP 9.13.1, if you use multi-admin verification (MAV) to protect ARP settings, the clear-suspect operation can require additional approvals. Approval must be received from all administrators associated with the MAV approval group, or the operation fails.
Classify as false positive and resume monitoring
Use this flow when the identified file type or entropy spike is expected for the workload.
System Manager
- Record your response:
  - For NAS file type warnings, choose the affected files, select Mark as false positive, and then choose Update and Clear Suspected File Types.
  - For entropy spikes (NAS and SAN), select Mark as false positive, and then select Save and dismiss.
  These actions clear the warning notices about suspected files (NAS) or abnormal activity (NAS and SAN). ARP then resumes normal monitoring of the volume.
CLI
- Run one of the following commands to record your decision and resume normal Autonomous Ransomware Protection monitoring:
  - For NAS file extensions:
    security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension_identifiers>] -false-positive true
    Use the following optional parameter to identify only specific extensions as false positives:
    [-extension <text>, … ]
  - For entropy spikes (NAS and SAN):
    security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> -start-time <MM/DD/YYYY HH:MM:SS> -end-time <MM/DD/YYYY HH:MM:SS> -false-positive true
    For SAN volumes, this is the only supported way to categorize abnormal activity; there are no suspected file lists or file extensions.
- Beginning in ONTAP 9.18.1, you can check the status of the clear-suspect operation:
  security anti-ransomware volume show -clear-suspect-status -volume <vol_name> -vserver <svm_name>
Classify as potential ransomware attack and recover data
Use this flow when the identified file type or entropy spike is unexpected for the workload.
System Manager
- Classify the activity:
  - For NAS file type warnings, mark the selected files as Potential ransomware attack.
  - For entropy spikes (NAS and SAN), select Mark as potential ransomware attack.
- Before you recover data, consider your recovery method options. Then do one of the following:
  - If you plan to restore a volume with ONTAP 9.16.1 and later, clear the notices, then restore the volume:
    - Clear the notices for the potential attack:
      - For NAS file type warnings, select Update and Clear Suspected File Types.
      - For entropy spikes (NAS and SAN), select Save and dismiss.
      After you clear the suspect files, the ARP snapshot is retained for 7 days (by default). If you need more time for data recovery, adjust the ARP snapshot settings to increase the retention time of the snapshot. After all data recovery is done, you can decrease the retention time again.
    - Recover data by using the most recent ARP snapshot or an earlier snapshot.
  - If you plan to restore a volume with ONTAP 9.15.1 and earlier, restore the volume, then clear the notices:
    - Recover data by using the most recent ARP snapshot or an earlier snapshot.
    - Finalize the categorization after data restoration to resume normal ARP monitoring:
      - For NAS file type warnings, select Update and Clear Suspected File Types.
      - For entropy spikes (NAS and SAN), select Save and dismiss.
  - If you plan to use another restore method, restore the data first, then clear the notices:
    - Finalize the categorization after data restoration to resume normal ARP monitoring:
      - For NAS file type warnings, select Update and Clear Suspected File Types.
      - For entropy spikes (NAS and SAN), select Save and dismiss.
  Recording your decision clears the attack report.
CLI
- (NAS volumes only) Create an attack report:
  - Generate an attack report and specify where to save it:
    security anti-ransomware volume attack generate-report -vserver <svm_name> -volume <vol_name> -dest-path <[svm_name]:[junction_path/sub_dir_name]>
    Sample command:
    security anti-ransomware volume attack generate-report -vserver vs0 -volume vol1 -dest-path vs0:vol1
    Sample output:
    Report "report_file_vs0_vol1_14-09-2021_01-21-08" available at path "vs0:vol1/"
  - View the report on an admin client system. For example:
    cat report_file_vs0_vol1_14-09-2021_01-21-08
    The report is written into the volume at -dest-path. If you later restore that same volume with volume snapshot restore, the restore reverts the volume content, including the report, so copy the report to the admin client (or write it to a different volume) before you restore.
  This command is not supported on volumes that contain LUNs or NVMe namespaces (SAN workloads).
- Choose a recovery method. Then do one of the following:
  - If you plan to use volume snapshot restore, follow the release-specific sequence:
    - ONTAP 9.16.1 and later: Clear the attack first, then run volume snapshot restore:
      - Run one of the following commands to clear the suspected files:
        - For NAS file extensions:
          security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension_identifiers>] -false-positive false
          Use the following optional parameter to identify only specific extensions as potential ransomware:
          [-extension <text>, … ]
        - For entropy spikes (NAS and SAN):
          security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> -start-time <MM/DD/YYYY HH:MM:SS> -end-time <MM/DD/YYYY HH:MM:SS> -false-positive false
          For SAN volumes, use this command to confirm the attack before recovery. This updates the ARP threat assessment for the SAN workload.
      - Recover data by using a recent ARP snapshot or an earlier snapshot.
    - ONTAP 9.15.1 and earlier: Run volume snapshot restore first, then clear the attack:
      - Recover data by using a recent ARP snapshot or an earlier snapshot.
      - Run one of the following commands to clear the suspected files:
        - For NAS file extensions:
          security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension_identifiers>] -false-positive false
          Use the following optional parameter to identify only specific extensions as potential ransomware:
          [-extension <text>, … ]
        - For entropy spikes (NAS and SAN):
          security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> -start-time <MM/DD/YYYY HH:MM:SS> -end-time <MM/DD/YYYY HH:MM:SS> -false-positive false
          For SAN volumes, use this command to confirm the attack after recovery. This updates the ARP threat assessment for the SAN workload.
  - If you plan to use other recovery methods, restore the data first, then clear the attack:
    - Recover data by using FlexClone or single-file SnapRestore.
    - Run one of the following commands to clear the suspected files:
      - For NAS file extensions:
        security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension_identifiers>] -false-positive false
        Use the following optional parameter to identify only specific extensions as potential ransomware:
        [-extension <text>, … ]
      - For entropy spikes (NAS and SAN):
        security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> -start-time <MM/DD/YYYY HH:MM:SS> -end-time <MM/DD/YYYY HH:MM:SS> -false-positive false
        For SAN volumes, use this command to confirm the attack after recovery. This updates the ARP threat assessment for the SAN workload.
- Beginning in ONTAP 9.18.1, you can check the status of the clear-suspect operation:
  security anti-ransomware volume show -clear-suspect-status -volume <vol_name> -vserver <svm_name>
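The ordering rules in "Understand snapshot behavior and approvals" and the clear-suspect command forms in the CLI flows above are easy to get wrong under incident pressure (clearing first on 9.15.1 destroys the ARP snapshot; a SAN volume can only be cleared by time window). The following Python script is an added example, not NetApp's code or part of this page: it parses the text output of security anti-ransomware volume show, picks the clear-suspect form the detection requires, validates the MM/DD/YYYY HH:MM:SS window, and orders clear-suspect and recovery by ONTAP version and recovery method. The sample output is constructed from the page's example; the function names, the treatment of the encryption_percentage_analysis value as "needs a time window", and the -vserver/-volume/-snapshot parameters of volume snapshot restore (general ONTAP CLI, not shown on this page) are assumptions.

```python
"""Plan the ONTAP CLI sequence for responding to an ARP detection (added example)."""
from datetime import datetime

# Constructed sample, one "Label: value" line per field, modelled on the
# `security anti-ransomware volume show` output on this page.
SHOW_OUTPUT = """\
               Vserver Name: vs0
                Volume Name: vol1
                      State: enabled
         Attack Probability: moderate
            Attack Timeline: 5/12/2025 01:03:23
          Number of Attacks: 1
         Attack Detected By: encryption_percentage_analysis
"""

ARP_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # MM/DD/YYYY HH:MM:SS, as clear-suspect expects


def parse_show_output(text):
    """Return the 'Label: value' fields of the show output as a dict."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def needs_time_window(fields, is_san):
    """Entropy-based detections and every SAN volume must be cleared by time window."""
    if is_san:
        return True  # SAN has no file list, so -start-time/-end-time is the only form
    # Assumption: an entropy detection is reported with this analysis name (taken
    # from the page's sample); NAS file-type detections are cleared with -extension.
    return fields.get("Attack Detected By") == "encryption_percentage_analysis"


def parse_version(version):
    """'9.16.1' -> (9, 16, 1); tuples compare correctly where strings would not."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts


def clear_suspect_command(svm, volume, false_positive, extensions=None, window=None):
    """Build the clear-suspect command: a time window for entropy spikes, or an
    -extension list for NAS file-type warnings (page syntax for both forms)."""
    cmd = (f"security anti-ransomware volume attack clear-suspect "
           f"-vserver {svm} -volume {volume}")
    if window is not None:
        start, end = window
        # Reject malformed or inverted windows locally instead of on the cluster.
        if datetime.strptime(end, ARP_TIME_FORMAT) < datetime.strptime(start, ARP_TIME_FORMAT):
            raise ValueError("end-time precedes start-time")
        cmd += f' -start-time "{start}" -end-time "{end}"'
    elif extensions:
        cmd += " -extension " + ",".join(extensions)
    return cmd + f" -false-positive {'true' if false_positive else 'false'}"


def response_plan(version, is_san, recovery, svm, volume, fields,
                  extensions=None, window=None):
    """Ordered steps for a confirmed attack (-false-positive false).

    recovery: "volume_snapshot_restore", "flexclone" or "single_file_snaprestore".
    """
    if needs_time_window(fields, is_san) and window is None:
        raise ValueError("this detection must be cleared with -start-time/-end-time")
    clear = clear_suspect_command(svm, volume, False, extensions, window)
    if recovery == "volume_snapshot_restore":
        # Assumed parameter names from the general ONTAP CLI; <arp_snapshot> is a placeholder.
        recover = (f"volume snapshot restore -vserver {svm} -volume {volume} "
                   f"-snapshot <arp_snapshot>")
        if parse_version(version) >= (9, 16, 1):
            # 9.16.1+: clear first. The ARP snapshot is kept 7 days by default,
            # and clear-suspect becomes unavailable after a volume restore.
            return [clear, recover]
        # 9.15.1 and earlier: clearing deletes the ARP snapshot, so restore first.
        return [recover, clear]
    # FlexClone / single-file SnapRestore never block clear-suspect: recover, then clear.
    return [f"# recover with {recovery}", clear]


if __name__ == "__main__":
    f = parse_show_output(SHOW_OUTPUT)
    win = ("5/12/2025 01:03:23", "5/12/2025 01:10:00")  # constructed window
    for step in response_plan("9.16.1", True, "volume_snapshot_restore", "vs0", "vol1", f, window=win):
        print(step)
```

The version comparison is done on an integer tuple on purpose: comparing "9.16.1" and "9.9.1" as strings puts 9.9.1 later, which would silently select the 9.16.1 ordering on a release that deletes the ARP snapshot at clear time.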
Multi-admin verification options
If you are using multi-admin verification (MAV) and a clear-suspect operation needs additional approvals, each MAV group approver must:
- Show the request:
  security multi-admin-verify request show
- Approve the request to resume normal anti-ransomware monitoring:
  security multi-admin-verify request approve -index <number returned from request show>
  The response for the last group approver indicates that the volume has been modified and a false positive is recorded.
If you are using MAV and you are a MAV group approver, you can also reject a clear-suspect request:
  security multi-admin-verify request veto -index <number returned from request show>