Unusual File Activity Report for File Extension Anomalies

The File extension file activity report displays information related to the possible presence of ransomware. Commvault monitors Windows file system backup jobs to detect whether files have been encrypted. Ransomware sometimes changes the extensions of files after encrypting them (for example, .ecc, .ezz, .zzz, .xyz, .abc, .ccc, .micro, or .encrypted).

As part of Windows file system backups, Commvault scans for information on these file types (under the subclient content in the default backupset) to establish a baseline. Once the baseline has been established, subsequent incremental jobs continue to scan for information on these file types and identify potential file renames. Commvault then runs machine learning algorithms on the observed data points to determine whether abnormal activity has resulted in a large number of file renames.
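The baseline-then-compare idea described above can be illustrated with a short sketch. This is an added example, not Commvault's code or algorithm: the function names and sample paths are hypothetical, the rename inference is an assumption, and a robust z-score (median/MAD) stands in for the machine learning step the page mentions.

```python
from pathlib import PureWindowsPath
from statistics import median

# Extensions the page lists as examples of post-encryption renames.
SUSPICIOUS_EXTS = {".ecc", ".ezz", ".zzz", ".xyz", ".abc", ".ccc", ".micro", ".encrypted"}

def suspicious_renames(baseline, current):
    """Return paths in `current` that look like a baseline file renamed to a listed extension.

    Assumption: a rename is inferred when a baseline path has vanished and a new path in
    the same folder either appends an extension (report.docx -> report.docx.encrypted)
    or replaces it (q1.xlsx -> q1.ecc).
    """
    gone = [PureWindowsPath(p) for p in baseline if p not in current]
    gone_names = {(g.parent, g.name.lower()) for g in gone}
    gone_stems = {(g.parent, g.stem.lower()) for g in gone}
    hits = []
    for path in current:
        p = PureWindowsPath(path)
        if path in baseline or p.suffix.lower() not in SUSPICIOUS_EXTS:
            continue
        key = (p.parent, p.stem.lower())
        if key in gone_names or key in gone_stems:
            hits.append(path)
    return sorted(hits)

def is_anomalous(history, observed, threshold=3.5):
    """Robust z-score of this job's rename count against the counts of earlier jobs."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    scale = max(mad, 1.0)  # floor so a flat baseline does not flag a single rename
    return 0.6745 * (observed - med) / scale > threshold

# Constructed sample data: file listings from a baseline job and a later incremental job.
BASELINE = {r"C:\data\report.docx", r"C:\data\q1.xlsx", r"C:\data\keep.txt"}
CURRENT = {
    r"C:\data\report.docx.encrypted",  # extension appended to a vanished file
    r"C:\data\q1.ecc",                 # extension replaced on a vanished file
    r"C:\data\keep.txt",               # unchanged
    r"C:\data\notes.abc",              # new file, no vanished counterpart: not a rename
}
HISTORY = [0, 1, 0, 2, 0]  # constructed rename counts from earlier incremental jobs

if __name__ == "__main__":
    renamed = suspicious_renames(BASELINE, CURRENT)
    print(renamed, is_anomalous(HISTORY, len(renamed)), is_anomalous(HISTORY, 40))
```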

Report Description

The Unusual file activity report for file-related anomalies is divided into the following sections: File extension trend chart and Suspicious files data.

File Extension Trend

This chart displays information about the number of files that were backed up per backup job in the Commvault environment.

The following image is an example of the file extension trend chart:

Click a node on the chart to open the event details for the backup job. The following image is an example of the event details for a job:

Suspicious Files Table

The following table includes descriptions for all columns in the Suspicious files table.

Column | Description
--- | ---
File name | The name of the suspicious file.
Path | The file path of the suspicious file.
Size | The size of the suspicious file.
Modified time | The time when the suspicious file was modified.
