CONTAP-245206: Newly Observed File Extensions are seen in workload-behavior even after marking false-positive as true for extensions
Issue
- After ARW attack, clear-suspect is performed by marking the affected extensions as false positives:
::> security anti-ransomware volume attack clear-suspect -vserver SVM1 -volume vol1 -false-positive true -extensions testlog, pdf, tmp- However, even after that, the extensions are reported in the "Newly Observed File Extensions" section of the workload behaviour output:
::> security anti-ransomware volume workload-behavior show -vserver SVM1 -volume vol1 Vserver: SVM1 Volume: vol1 File Extensions Observed: CSV, xlsx, tmp, dll, pdf, pptx, JPG, cache, cs, VR, xd$, TP, vr, LS, xdw, tx, DLL, xlsm, editorconfig, in, ev, tp, zip, #dw, jpg, dwg, VD, sv, JBI Number of File Extensions Observed: 465Historical Statistics High Entropy Data Write Percentage: 98 High Entropy Data Write Peak Rate (KB/Minute): 27192 File Create Peak Rate (per Minute): 1567 File Delete Peak Rate (per Minute): 1793 File Rename Peak Rate (per Minute): 18Surge Observed Surge Timeline: - High Entropy Data Write Percentage: - High Entropy Data Write Peak Rate (KB/Minute): - File Create Peak Rate (per Minute): - File Delete Peak Rate (per Minute): - File Rename Peak Rate (per Minute): - Newly Observed File Extensions: {color:#172b4d}testlog, pdf, tmp{color} Number of Newly Observed File Extensions: 1, 5, 7