CONTAP-245206: Newly Observed File Extensions are seen in workload-behavior even after marking false-positive as true for extensions
Issue
- After ARW attack, clear-suspect is performed by marking the affected extensions as false positives:
::> security anti-ransomware volume attack clear-suspect -vserver SVM1 -volume vol1 -false-positive true -extensions testlog, pdf, tmp
- However, even after that, the extensions are reported in the "Newly Observed File Extensions" section of the workload behaviour output:
::> security anti-ransomware volume workload-behavior show -vserver SVM1 -volume vol1
Vserver: SVM1
Volume: vol1
File Extensions Observed: CSV, xlsx, tmp, dll, pdf,
pptx, JPG, cache, cs,
VR, xd$, TP, vr, LS, xdw, tx,
DLL, xlsm, editorconfig, in,
ev, tp, zip, #dw, jpg, dwg,
VD, sv, JBI
Number of File Extensions Observed: 465
Historical Statistics
High Entropy Data Write Percentage: 98
High Entropy Data Write Peak Rate (KB/Minute): 27192
File Create Peak Rate (per Minute): 1567
File Delete Peak Rate (per Minute): 1793
File Rename Peak Rate (per Minute): 18
Surge Observed
Surge Timeline: -
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Newly Observed File Extensions: {color:#172b4d}testlog, pdf, tmp{color
} Number of Newly Observed File Extensions: 1, 5, 7