Respond to abnormal activity detected by ONTAP ARP
When Autonomous Ransomware Protection (ARP) detects abnormal activity in a protected volume, it issues a warning. Evaluate the notification to determine whether the activity is acceptable (a false positive) or a potential ransomware attack. After you categorize the event, you can clear the warning and the notices about suspected files.
When you categorize an attack, ARP snapshots are either retained for an abbreviated period that starts with the categorization operation (ONTAP 9.16.1 and later) or deleted immediately (ONTAP 9.15.1 and earlier).
Note: Beginning with ONTAP 9.11.1, you can modify the retention settings for ARP snapshots.
ARP displays a list of suspected files when it detects any combination of high data entropy, abnormal volume activity with data encryption, and unusual file extensions. Beginning with ONTAP 9.17.1 for both NAS and SAN environments, details of entropy spikes are also reported on the Anti-ransomware page in System Manager.
When an ARP warning notification is issued, respond by designating the activity in one of two ways:
- False positive: the identified file type or entropy spike is expected in your workload and can be ignored.
- Potential ransomware attack: the identified file type or entropy spike is unexpected in your workload and should be treated as a potential attack.
Normal monitoring resumes after you record your decision and clear the ARP notifications. ARP records your decision in the volume's threat assessment profile and uses it when evaluating subsequent file activity.
In the case of a suspected attack, you must determine whether it is an attack, respond to it if it is, and restore protected data before clearing the notices. Learn more about how to recover from a ransomware attack.
Note: If you restore an entire volume, there are no notices to clear.
Before you begin: ARP must be actively protecting the volume and must not be in learning or evaluation mode.
You can use System Manager or the ONTAP CLI to respond to abnormal activity.
To respond with System Manager:
- When you receive an "abnormal activity" notification, follow the link. Alternatively, navigate to the Security tab of the Volumes overview. Warnings are also displayed in the Overview pane of the Events menu.
- In the Security tab, review the suspected file types or entropy spikes report.
  - For suspected files, examine each file type in the Suspected File Types dialog box and mark each individually.
  - For entropy spikes, examine the entropy report.
- Record your response. If you select False Positive, do one of the following:
  - For file type warnings, select Update and Clear Suspect File Types.
  - For entropy spikes, select Mark as false positive.
  These actions clear the warning notices about suspected files or activity, and ARP resumes normal monitoring of the volume. For ARP/AI in ONTAP 9.16.1 and later, ARP snapshots are automatically deleted after an abbreviated retention period triggered by the categorization operation. For ONTAP 9.15.1 and earlier, the related ARP snapshots are automatically deleted after you clear the suspected file types.
  Beginning with ONTAP 9.13.1, if you are using MAV to protect your ARP settings, the clear-suspect operation prompts you to obtain the approval of one or more additional administrators. Approval must be received from all administrators associated with the MAV approval group or the operation will fail.
  If you select Potential Ransomware Attack, first respond to the attack:
  - For file type warnings, mark the selected files as Potential ransomware attack and restore protected data.
  - For entropy spikes that indicate an attack, select Mark as potential ransomware attack and restore protected data.
  After data restoration is complete, record your decision and resume normal ARP monitoring:
  - For file type warnings, select Update and Clear Suspect File Types.
  - For entropy spikes, select Mark as potential ransomware attack and then select Save and dismiss.
  There are no suspected file type notices to clear if you restored an entire volume. Recording your decision clears the attack report. For ARP/AI in ONTAP 9.16.1 and later, ARP snapshots are automatically deleted after an abbreviated retention period triggered by the categorization operation. For ONTAP 9.15.1 and earlier, the ARP snapshots are automatically deleted after you restore the volume.
To respond with the ONTAP CLI:
- When you receive a notification of a suspected ransomware attack, verify the time and severity of the attack:
  security anti-ransomware volume show -vserver <svm_name> -volume <vol_name>
  Sample output:
  Vserver Name: vs0
  Volume Name: vol1
  State: enabled
  Attack Probability: moderate
  Attack Timeline: 5/12/2025 01:03:23
  Number of Attacks: 1
  Attack Detected By: encryption_percentage_analysis
  You can also check the EMS messages:
  event log show -message-name callhome.arw.activity.seen
- Generate an attack report and specify where to save it:
  security anti-ransomware volume attack generate-report -vserver <svm_name> -volume <vol_name> -dest-path <[svm_name]:[junction_path/sub_dir_name]>
  Sample command:
  security anti-ransomware volume attack generate-report -vserver vs0 -volume vol1 -dest-path vs0:vol1
  Sample output:
  Report "report_file_vs0_vol1_14-09-2021_01-21-08" available at path "vs0:vol1/"
- View the report on an admin client system. For example:
  cat report_file_vs0_vol1_14-09-2021_01-21-08
- Take one of the following actions based on your evaluation of the file extensions or entropy spikes:
  - False positive: run one of the following commands to record your decision and resume normal ARP monitoring.
    - For file extensions:
      security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [-extension <text>,...] -false-positive true
      Use the optional -extension parameter (a comma-separated list of file extensions) to clear only specific extensions as false positives.
    - For entropy spikes:
      security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> -start-time <MM/DD/YYYY HH:MM:SS> -end-time <MM/DD/YYYY HH:MM:SS> -false-positive true
  - Potential ransomware attack: respond to the attack and recover data from the ARP-created snapshot. After the data is recovered, run one of the following commands to record your decision and resume normal ARP monitoring.
    - For file extensions:
      security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> [-extension <text>,...] -false-positive false
      Use the optional -extension parameter (a comma-separated list of file extensions) to mark only specific extensions as potential ransomware.
    - For entropy spikes:
      security anti-ransomware volume attack clear-suspect -vserver <svm_name> -volume <vol_name> -start-time <MM/DD/YYYY HH:MM:SS> -end-time <MM/DD/YYYY HH:MM:SS> -false-positive false
  The clear-suspect operation clears the attack report. There are no suspected file type notices to clear if you restored an entire volume. For ARP/AI in ONTAP 9.16.1 and later, ARP snapshots are automatically deleted after an abbreviated retention period triggered by the categorization operation. For ONTAP 9.15.1 and earlier, ARP snapshots are automatically deleted after you restore a volume or clear a suspected event.
If you are using MAV and the clear-suspect operation requires additional approvals, each MAV group approver must:
- Show the request:
  security multi-admin-verify request show
- Approve the request to resume normal anti-ransomware monitoring:
  security multi-admin-verify request approve -index <number returned by request show>
The response for the last group approver indicates that the volume has been modified and the decision (for example, a false positive) is recorded.
If you are using MAV and you are a MAV group approver, you can also reject a clear-suspect request:
security multi-admin-verify request veto -index <number returned by request show>
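The CLI procedure above (verify the alert, generate the report, decide, clear the suspect event, then watch for a pending MAV request) is usually scripted from an admin host rather than typed by hand. The following is an added example and not NetApp's code: it assumes the admin host runs ONTAP CLI commands over SSH as a cluster administrator (ssh admin@<cluster>), that the command names and output fields are exactly those shown on this page, and that the names Decision, triage_plan, run_ontap and the sample volume show output (constructed from the page's example) are this example's own. The one rule it enforces that the page states in prose is that for a suspected attack the clear-suspect command is withheld until data restoration has been confirmed, because clearing the notice starts the snapshot deletion or abbreviated-retention clock.

```python
"""Drive the ONTAP ARP triage procedure from an admin host (added example, not NetApp code)."""
import subprocess
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the page's `security anti-ransomware volume show` output,
# one "Field: value" line per field as the CLI prints it.
SAMPLE_SHOW_OUTPUT = """\
Vserver Name: vs0
Volume Name: vol1
State: enabled
Attack Probability: moderate
Attack Timeline: 5/12/2025 01:03:23
Number of Attacks: 1
Attack Detected By: encryption_percentage_analysis
"""


def parse_arp_status(text: str) -> dict:
    """Turn the 'Field: value' lines into a dict keyed like attack_probability."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only, so timestamps keep theirs
        if sep:
            status[key.strip().lower().replace(" ", "_")] = value.strip()
    return status


def needs_triage(status: dict) -> bool:
    """Only a volume ARP is actively protecting (state enabled) with a recorded attack needs a response."""
    return status.get("state") == "enabled" and int(status.get("number_of_attacks", "0")) > 0


def _quote(value: str) -> str:
    """Values containing spaces (the MM/DD/YYYY HH:MM:SS timestamps) must be double-quoted for the CLI."""
    return f'"{value}"' if " " in value else value


def clear_suspect_command(svm: str, volume: str, false_positive: bool,
                          extensions: Optional[list] = None,
                          window: Optional[tuple] = None) -> str:
    """Build the clear-suspect command for suspect extensions or for an entropy-spike time window."""
    parts = ["security anti-ransomware volume attack clear-suspect",
             "-vserver", svm, "-volume", volume]
    if extensions:
        parts += ["-extension", ",".join(extensions)]
    elif window:
        start, end = window
        parts += ["-start-time", _quote(start), "-end-time", _quote(end)]
    parts += ["-false-positive", "true" if false_positive else "false"]
    return " ".join(parts)


@dataclass
class Decision:
    """The operator's categorization of one ARP event (hypothetical helper type)."""
    svm: str
    volume: str
    false_positive: bool
    extensions: list = field(default_factory=list)  # suspect file extensions, if the alert listed any
    window: Optional[tuple] = None                   # (start, end) of an entropy spike, if that was the trigger
    data_restored: bool = False                      # set only after recovery from the ARP snapshot is verified


def triage_plan(status: dict, decision: Decision) -> list:
    """Ordered CLI commands for the procedure. For a suspected attack, clear-suspect is
    withheld until data_restored is True, since clearing releases the ARP snapshots."""
    if not needs_triage(status):
        return []
    svm, vol = decision.svm, decision.volume
    plan = [
        "event log show -message-name callhome.arw.activity.seen",
        f"security anti-ransomware volume attack generate-report -vserver {svm} -volume {vol} -dest-path {svm}:{vol}",
    ]
    if decision.false_positive or decision.data_restored:
        plan.append(clear_suspect_command(svm, vol, decision.false_positive,
                                          decision.extensions, decision.window))
        # When MAV protects ARP settings, clear-suspect waits on approvers; show any pending request.
        plan.append("security multi-admin-verify request show")
    return plan


def run_ontap(cluster: str, command: str, dry_run: bool = True) -> str:
    """Run one ONTAP CLI command over SSH (assumed admin@cluster login); dry_run only echoes it."""
    if dry_run:
        return command
    out = subprocess.run(["ssh", f"admin@{cluster}", command],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    status = parse_arp_status(SAMPLE_SHOW_OUTPUT)
    # Constructed decision: treat the spike as an attack; data not restored yet, so no clear-suspect is emitted.
    decision = Decision("vs0", "vol1", False, window=("05/12/2025 01:00:00", "05/12/2025 01:10:00"))
    for cmd in triage_plan(status, decision):
        print(run_ontap("cluster1", cmd))
```

Flip data_restored to True once the recovery is verified and the plan gains the clear-suspect command followed by the MAV request check; a false-positive decision emits clear-suspect immediately, matching the page's two paths.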