Release notes
Respond to abnormal activity detected by ONTAP ARP
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
When Autonomous Ransomware Protection (ARP) detects abnormal activity in a protected volume, it issues a warning. You should evaluate the notification to determine whether the activity is acceptable (false positive) or whether an attack seems malicious. After you categorize the attack, you can clear the warning and notices about suspected files.
When ONTAP detects an abnormality, it also creates an ARP snapshot of the volume to create the best recovery point. ARP snapshots are retained for two to five days by default.
When you categorize an attack, these ARP snapshots are either deleted instantly (ONTAP 9.15.1 and earlier) or retained for an abbreviated period initiated by the categorization operation (ONTAP 9.16.1 and later).
|
Beginning with ONTAP 9.11.1, you can modify the retention settings for ARP snapshots. |
ARP displays a list of suspected files when it detects any combination of high data entropy, abnormal volume activity with data encryption, and unusual file extensions.
When the ARP warning is issued, respond by designating the file activity in one of two ways:
-
False positive
The identified file type is expected in your workload and can be ignored.
-
Potential ransomware attack
The identified file type is unexpected in your workload and should be treated as a potential attack.
In both cases, normal monitoring resumes after updating and clearing the notices. ARP records your evaluation to the threat assessment profile, using your choice to monitor subsequent file activities.
In the case of a suspected attack, you must determine whether it is an attack, respond to it if it is, and restore protected data before clearing the notices. Learn more about how to recover from a ransomware attack.
|
|
If you restore an entire volume, there are no notices to clear. |
ARP must be active and not in learning mode.
You can use System Manager or the ONTAP CLI to respond to abnormal activity.
-
When you receive an "abnormal activity" notification, follow the link. Alternately, navigate to the Security tab of the Volumes overview.
Warnings are displayed in the Overview pane of the Events menu.
-
When a message appears about the detection of abnormal volume activity, view the suspected file types.
In the Security tab, select the option to review the suspected file types.
-
In the Suspected File Types dialog box, examine each file type and mark it as either "False Positive" or "Potential Ransomware attack".
If you selected this value…
Take this action…
False Positive
-
Select Update and Clear Suspect File Types to record your decision.
Beginning with ONTAP 9.13.1, if you are using MAV to protect your ARP settings, the clear-suspect operation prompts you to obtain the approval of one or more additional administrators. Approval must be received from all administrators associated with the MAV approval group or the operation will fail. This action clears warning notices about suspected files. ARP then resumes normal monitoring of the volume. For ONTAP 9.15.1 and earlier, after you clear suspected file types the ARP snapshots are automatically deleted. For ARP/AI in ONTAP 9.16.1 and later, ARP snapshots are automatically deleted after an abbreviated retention period triggered by the categorization operation.
Potential Ransomware Attack
-
Respond to the attack and restore protected data.
-
Select Update and Clear Suspect File Types to record your decision and resume normal ARP monitoring.
This action clears the attack report. There are no suspected file type notices to clear if you restored an entire volume. For ONTAP 9.15.1 and earlier, after you restore a volume the ARP snapshots are automatically deleted. For ARP/AI in ONTAP 9.16.1 and later, ARP snapshots are automatically deleted after an abbreviated retention period triggered by the categorization operation.
-
-
When you receive a notification of a suspected ransomware attack, verify the time and severity of the attack:
security anti-ransomware volume show -vserver <svm_name> -volume <vol_name>CliSample output:
Vserver Name: vs0 Volume Name: vol1 State: enabled Attack Probability: moderate Attack Timeline: 9/14/2021 01:03:23 Number of Attacks: 1
You can also check EMS messages:
event log show -message-name callhome.arw.activity.seenCli -
Generate an attack report and note the output location:
security anti-ransomware volume attack generate-report -vserver <svm_name> -volume <vol_name> -dest-path <[svm_name:]vol_name/[sub-dir-name]>CliSample command:
security anti-ransomware volume attack generate-report -vserver vs0 -volume vol1 -dest-path vs0:vol1
Sample output:
Report "report_file_vs0_vol1_14-09-2021_01-21-08" available at path "vs0:vol1/"
-
View the report on an admin client system. For example:
cat report_file_vs0_vol1_14-09-2021_01-21-08
-
Take one of the following actions based on your evaluation of the file extensions:
-
False positive
Run the following command to record your decision, adding the new extension to the list of those allowed, and resume normal Autonomous Ransomware Protection monitoring:
anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension identifiers>] -false-positive trueCliUse the following optional parameter to identify only specific extensions as false positives:
-
[-extension <text>, … ]: File extensionsThis
clear-suspectoperation clears warning notices about suspected files. ARP then resumes normal monitoring of the volume. For ONTAP 9.15.1 and earlier, after you clear suspected file types the ARP snapshots are automatically deleted. For ARP/AI in ONTAP 9.16.1 and later, ARP snapshots are automatically deleted after an abbreviated retention period triggered by the categorization operation.
-
-
Potential ransomware attack
Respond to the attack and recover data from the ARP-created backup snapshot. After the data is recovered, run the following command to record your decision and resume normal ARP monitoring:
anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [<extension identifiers>] -false-positive falseCliUse the following optional parameter to identify only specific extensions as potential ransomware:
-
[-extension <text>, … ]: File extensionThis
clear-suspectoperation clears the attack report. There are no suspected file type notices to clear if you restored an entire volume. For ONTAP 9.15.1 and earlier, after you restore a volume the ARP snapshots are automatically deleted. For ARP/AI in ONTAP 9.16.1 and later, ARP snapshots are automatically deleted after an abbreviated retention period triggered by the categorization operation.
-
-
-
If you are using MAV and an expected
clear-suspectoperation needs additional approvals, each MAV group approver must:-
Show the request:
security multi-admin-verify request showCli -
Approve the request to resume normal anti-ransomware monitoring:
security multi-admin-verify request approve -index[<number returned from show request>]CliThe response for the last group approver indicates that the volume has been modified and a false positive is recorded.
-
-
If you are using MAV and you are a MAV group approver, you can also reject a clear-suspect request:
security multi-admin-verify request veto -index[<number returned from show request>]Cli
