CONTAP-438357: Newly observed file extensions seen on volume with no ARW attack
Issue
- Some file extensions are reported under "Newly Observed File Extensions" in the workload-behavior output:
::> security anti-ransomware volume workload-behavior show -vserver SVM1 -volume vol_01
Vserver: SVM1
Volume: vol_01
File Extensions Observed: pdf, rtf, txt, tmp, jpg,
wfs, xlsx, JPG, lms, wav,
pptx, xls, xml
Number of File Extensions Observed: 23
Historical Statistics
High Entropy Data Write Percentage: 98
High Entropy Data Write Peak Rate (KB/Minute): 340936
File Create Peak Rate (per Minute): 128
File Delete Peak Rate (per Minute): 294
File Rename Peak Rate (per Minute): 10
Surge Observed
Surge Timeline: -
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Newly Observed File Extensions: abc, xyz, pqr
Number of Newly Observed File Extensions: 310, 72, 238
- However, there is no attack reported for that volume:
::> security anti-ransomware volume show -vserver SVM1 -volume vol_01
Vserver Name: SVM1
Volume Name: vol_01
State: enabled
Dry Run Start Time: -
Attack Probability: none
Attack Timeline: -
Number of Attacks: -
- These extensions are not cleared even after marking them as false positives:
::> security anti-ransomware volume attack clear-suspect -vserver SVM1 -volume vol_01 -false-positive true -extensions abc, xyz, pqr
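Added example (not part of this article and not NetApp code): a small Python helper that parses the two show outputs quoted above into fields and flags the condition described here, a volume whose workload-behavior output lists Newly Observed File Extensions while the attack status shows Attack Probability "none" and no attacks. It assumes only the key/value layout visible on this page (section headers are lines without a colon, wrapped lists continue on the next line after a trailing comma, empty values print as "-"); the sample inputs are copies of the outputs above, embedded so the script runs offline. Note that it parses the extension list and its count separately, because the two do not necessarily agree (the output above lists 13 names under a count of 23).

```python
"""Added example: parse ONTAP ARP 'show' outputs and flag volumes that list
Newly Observed File Extensions while reporting no attack. Not NetApp code;
it assumes only the key/value layout shown on this page."""
import re

# Constructed sample input: the workload-behavior output from this page,
# with the wrapped extension list kept on continuation lines as printed.
WORKLOAD_BEHAVIOR = """\
Vserver: SVM1
Volume: vol_01
File Extensions Observed: pdf, rtf, txt, tmp, jpg,
wfs, xlsx, JPG, lms, wav,
pptx, xls, xml
Number of File Extensions Observed: 23
Historical Statistics
High Entropy Data Write Percentage: 98
High Entropy Data Write Peak Rate (KB/Minute): 340936
File Create Peak Rate (per Minute): 128
File Delete Peak Rate (per Minute): 294
File Rename Peak Rate (per Minute): 10
Surge Observed
Surge Timeline: -
High Entropy Data Write Percentage: -
High Entropy Data Write Peak Rate (KB/Minute): -
File Create Peak Rate (per Minute): -
File Delete Peak Rate (per Minute): -
File Rename Peak Rate (per Minute): -
Newly Observed File Extensions: abc, xyz, pqr
Number of Newly Observed File Extensions: 310, 72, 238
"""

# Constructed sample input: the attack status output from this page.
ATTACK_STATUS = """\
Vserver Name: SVM1
Volume Name: vol_01
State: enabled
Dry Run Start Time: -
Attack Probability: none
Attack Timeline: -
Number of Attacks: -
"""

# Key runs up to the first colon; the value may itself contain colons (timestamps).
KEY_VALUE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_show_output(text):
    """Turn 'Key: value' lines into a dict.

    A line with no colon is a section header ("Historical Statistics",
    "Surge Observed"); keys below it are prefixed with the section so the
    repeated statistic names stay distinct. A line with no colon whose
    predecessor ended in a comma is a wrapped list and is joined to it.
    """
    fields, section, last_key = {}, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_VALUE.match(line)
        if m:
            name = m.group(1).strip()
            last_key = f"{section}/{name}" if section else name
            fields[last_key] = m.group(2).strip()
        elif last_key and fields[last_key].endswith(","):
            fields[last_key] += " " + line
        else:
            section, last_key = line, None
    return fields


def lookup(fields, name, default="-"):
    """Fetch a field by bare name regardless of which section it sits in."""
    for key, value in fields.items():
        if key == name or key.endswith("/" + name):
            return value
    return default


def split_list(value):
    """ONTAP prints an empty list as '-'; otherwise it is comma separated."""
    if value == "-":
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def newly_observed_extensions(behavior):
    """Map each newly observed extension to the file count reported beside it."""
    names = split_list(lookup(behavior, "Newly Observed File Extensions"))
    counts = split_list(lookup(behavior, "Number of Newly Observed File Extensions"))
    return dict(zip(names, map(int, counts)))


def triage(behavior_text, status_text):
    """Collect what a triager needs for one volume and flag the condition
    this page describes: extensions listed but no attack reported."""
    behavior = parse_show_output(behavior_text)
    status = parse_show_output(status_text)
    new_exts = newly_observed_extensions(behavior)
    probability = lookup(status, "Attack Probability")
    attacks = lookup(status, "Number of Attacks")
    return {
        "volume": f"{lookup(status, 'Vserver Name')}:{lookup(status, 'Volume Name')}",
        "state": lookup(status, "State"),
        "attack_probability": probability,
        "number_of_attacks": attacks,
        "historical_entropy_pct": behavior.get(
            "Historical Statistics/High Entropy Data Write Percentage", "-"),
        "newly_observed": new_exts,
        "extensions_without_attack": bool(new_exts) and probability == "none" and attacks == "-",
    }


if __name__ == "__main__":
    for key, value in triage(WORKLOAD_BEHAVIOR, ATTACK_STATUS).items():
        print(f"{key}: {value}")
```

Run it against saved output from each volume (for example, the text captured by a scripted `ssh` session) to find every volume in the state shown above, rather than reading the two show outputs by hand; the parsed dict keeps the surge and historical statistics apart so the two "High Entropy Data Write Percentage" lines do not overwrite each other.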