Anti-ransomware use cases and restrictions


In the current release, ransomware protection is most suitable in NAS environments. Support for other environments will be available in future releases.

Suitable workloads:

  • Databases on NFS storage

  • Windows or Linux home directories

    Because users could create files with extensions that weren’t detected in the learning period, there is greater possibility of false positives in this workload.

  • Images and video

    For example, health care records and Electronic Design Automation (EDA) data.

Unsuitable workloads:

  • Workloads with a high frequency of file create or delete (hundreds of thousands of files in few seconds; for example, test/dev workloads)

  • The anti-ransomware feature depends on the ability to recognize an unusual surge in file create or delete activity. If the application itself is the source of the file activity, it cannot be effectively distinguished from ransomware activity

  • Workloads where the application or the host encrypts data
    The anti-ransomware feature depends on distinguishing incoming data as encrypted or unencrypted. If the application itself is encrypting the data, then the effectiveness of the feature is reduced. However, the feature can still work based on file activity (create, delete, and overwrite) and file type.

Unsupported system configurations:

  • SAN environments

  • ONTAP S3 environments

  • VMDKs on NFS

  • Cloud Volumes ONTAP

  • Cloud Volume Services for AWS and Google Cloud

  • Azure NetApp Files

  • Amazon FSx for ONTAP

Volume requirements:

  • Less than 100% full

  • Junction path must be active

Unsupported volume types:

  • offline volumes

  • restricted volumes

  • Snaplock volumes

  • SnapLock volumes

  • FlexGroup volumes

  • FlexCache volumes

  • SAN-only volumes

  • volumes of stopped storage VMs

  • root volumes of storage VMs

  • data protection volumes

Anti-ransomware performance and frequency considerations

The anti-ransomware feature can have a minimal impact on system performance as measured in throughput and peak IOPS. The impact of the anti-ransomware feature is highly dependent on volume workloads. For most typical or common workloads, the following configuration limits are recommended:

  • No more than 50 volumes per node if the workload is either read-intensive or the data can be compressed.

  • No more than 20 volumes per node if the workload is write-intensive and the data cannot be compressed.

Because anti-ransomware analytics are run in a prioritized sequence, as the number of protected volumes increases, analytics are run on each volume less frequently.