
Learn about the ONTAP ARP/AI evaluation period for block-device workloads

Contributors netapp-dbagwell netapp-lenida

Beginning with ONTAP 9.17.1, ARP/AI requires an evaluation period to determine if entropy levels for block-device workloads are suitable for ransomware protection. These workloads include SAN LUNs and hypervisor virtual disks (for example, VMware virtual disks in NFS datastores and, beginning with ONTAP 9.17.1P5, Hyper-V, KVM, and OpenStack virtual disks) stored in ONTAP volumes. After ARP is enabled on an eligible volume, ARP/AI actively monitors and protects the volume during the evaluation period while simultaneously determining an optimal encryption threshold. Detection and alerts can occur during the evaluation period using a conservative threshold while baseline thresholds are being established over the course of several days. ARP distinguishes between suitable and unsuitable workloads in the evaluated volume and, if the workloads are determined to be suitable for protection, automatically sets an encryption threshold based on evaluation period statistics.

Supported workloads and evaluation applicability

The block-device evaluation period applies in the following scenarios:

  • SAN volumes

    • LUN-based workloads presented as block devices to hosts or hypervisors.

  • NAS volumes that contain hypervisor virtual disks automatically detected by ONTAP

    • Supported hypervisors include VMware, Hyper-V, KVM, and OpenStack virtual disks stored in NFS or SMB datastores.

Within these volumes:

  • The evaluation period is applicable to attacks detected based on entropy changes inside the guest filesystem of the virtual disk (for example, ransomware operating on files within the guest OS mapped to a LUN or virtual disk).

  • The evaluation period is not applicable to attacks detected based on entropy and file-extension changes made directly to the virtual disk files from the hypervisor host (for example, ransomware operating directly on .vmdk files from an ESXi NFS datastore mount point). These direct-to-disk attacks use a different detection path that does not rely on the block-device evaluation period.

Version support for block-device and hypervisor detection

  • ONTAP 9.17.1

    • Introduces the block-device evaluation period for SAN volumes.

    • Enables ARP/AI attack detection inside SAN LUNs and inside VMware virtual disks stored in ONTAP NFS datastores.

  • ONTAP 9.17.1P5 and later

    • Expands ARP/AI block-device detection to hypervisor virtual disks such as Hyper-V, KVM, and OpenStack.

    • Applies the same block-device evaluation logic and thresholds to these additional hypervisor workloads when they are detected by ONTAP.

Understand entropy evaluation

During the evaluation period, the system collects continuous encryption statistics in 10-minute intervals from supported block-device and hypervisor workloads. ARP periodic snapshots are also continuously created every four hours. If the encryption percentage within an interval exceeds the optimal encryption threshold identified for this volume, an alert is triggered, an Anti_ransomware_attack_backup snapshot is created, and snapshot retention time is increased on any periodic ARP snapshots.

Confirm that the evaluation period is active

You can confirm that the evaluation is active by running the following command and confirming a status of evaluation_period. If a volume is not eligible for evaluation, the evaluation status will not be displayed.

security anti-ransomware volume show -vserver <svm_name> -volume <volume_name>

Example response:

Vserver Name                                : vs1
Volume Name                                 : v1
State                                       : enabled
Attack Probability                          : none
Attack Timeline                             : -
Number of Attacks                           : -
Attack Detected By                          : -
Block device detection status               : evaluation_period

Monitor evaluation period data collection

You can monitor encryption detection in real time by running the following command. The command returns a histogram showing the amount of data in each encryption percentage range. The histogram is updated every 10 minutes.

security anti-ransomware volume entropy-stat show-encryption-percentage-histogram -vserver <svm_name> -name <lun_name> -duration real_time

Example response:

Vserver     Name              Entropy Range   Seen N Time     Data Written
----------  ----------------  --------------- --------------  -------------
vs0         lun1              0-5%            4               100MB
vs0         lun1              6-10%           10              900MB
vs0         lun1              11-15%          20              40MB
vs0         lun1              16-20%          10              70MB
vs0         lun1              21-25%          60              450MB
vs0         lun1              26-30%          4               100MB
vs0         lun1              31-35%          10              900MB
vs0         lun1              36-40%          20              40MB
vs0         lun1              41-45%          0               0
vs0         lun1              46-50%          0               0
vs0         lun1              51-55%          0               0
vs0         lun1              56-60%          0               0
vs0         lun1              61-65%          0               0
vs0         lun1              66-70%          0               0
vs0         lun1              71-75%          0               0
vs0         lun1              76-80%          0               0
vs0         lun1              81-85%          0               0
vs0         lun1              86-90%          0               0
vs0         lun1              91-95%          0               0
vs0         lun1              96-100%         0               0

20 entries were displayed.

Suitable workloads and adaptive thresholds

The evaluation ends with one of the following results for both SAN LUN workloads and hypervisor virtual disks evaluated through block-device detection:

  • The workload is suitable for ARP. ARP automatically sets the adaptive threshold to higher than 10% of the maximum encryption percentage seen during the evaluation period. ARP also continues statistics collection and creates periodic ARP snapshots.

  • The workload is unsuitable for ARP. ARP automatically sets the adaptive threshold to the maximum encryption percentage seen during the evaluation period. ARP also continues statistics collection and creates periodic ARP snapshots, but the system ultimately recommends disabling ARP on the volume.
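The histogram output shown earlier and the threshold rules in this section, worked through in an added Python example (not NetApp's code; the sample rows are constructed from the table above): it parses the show-encryption-percentage-histogram rows, finds the maximum encryption percentage seen, reports the data-weighted share of writes above a candidate threshold, and applies the per-interval alert rule from the entropy evaluation section.

```python
import re

# Constructed sample: a subset of the histogram rows shown on this page, in the
# same column layout as the ONTAP CLI output (not a real capture).
SAMPLE_HISTOGRAM = """\
Vserver     Name              Entropy Range   Seen N Time     Data Written
----------  ----------------  --------------- --------------  -------------
vs0         lun1              0-5%            4               100MB
vs0         lun1              6-10%           10              900MB
vs0         lun1              11-15%          20              40MB
vs0         lun1              36-40%          20              40MB
vs0         lun1              41-45%          0               0
"""

# One data row: vserver, name, "lo-hi%", seen count, data written.
_ROW = re.compile(
    r"^(?P<vserver>\S+)\s+(?P<name>\S+)\s+(?P<lo>\d+)-(?P<hi>\d+)%\s+"
    r"(?P<seen>\d+)\s+(?P<data>\S+)\s*$"
)
_UNITS = {"": 1, "B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}

def parse_size(text):
    """Convert a 'Data Written' cell such as '900MB' or '0' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([KMGT]?B)?", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2) or ""])

def parse_histogram(text):
    """Return one dict per bucket row; header, separator and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({"lo": int(m["lo"]), "hi": int(m["hi"]),
                         "seen": int(m["seen"]), "bytes": parse_size(m["data"])})
    return rows

def max_encryption_seen(rows):
    """Upper edge of the highest bucket that recorded written data: the
    'maximum encryption percentage seen' the adaptive threshold is derived from."""
    return max((r["hi"] for r in rows if r["bytes"] > 0), default=0)

def share_above(rows, threshold_pct):
    """Fraction of written bytes in buckets lying entirely above threshold_pct."""
    total = sum(r["bytes"] for r in rows)
    above = sum(r["bytes"] for r in rows if r["lo"] > threshold_pct)
    return above / total if total else 0.0

def interval_triggers_alert(encryption_pct, threshold_pct):
    """A 10-minute interval alerts when its encryption percentage exceeds the threshold."""
    return encryption_pct > threshold_pct
```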

Determine evaluation results

After the evaluation period ends, ARP automatically sets the adaptive threshold based on the evaluation results.

You can determine the evaluation results by running the following command. Volume suitability is indicated in the Block device detection status field:

security anti-ransomware volume show -vserver <svm_name> -volume <volume_name>

Example response:

Vserver Name                               : vs1
Volume Name                                : v1
State                                      : enabled
Attack Probability                         : none
Attack Timeline                            : -
Number of Attacks                          : -
Attack Detected By                         : -
Block device detection status              : Active_suitable_workload

Block device evaluation start time :  5/16/2025 01:49:01

You can also show the threshold value adopted as a result of the evaluation:

security anti-ransomware volume attack-detection-parameters show -vserver <svm_name> -volume <volume_name>

Example response:

                                  Vserver Name : vs_1
                                   Volume Name : vm_2
Block Device Auto Learned Encryption Threshold : 10
...