ARP creates excessive snapshots with Attack Probability "None"
Applies to
- ONTAP 9.14.1 and later
- All FAS, AFF, and ASA platforms with ARP enabled
Issue
- After enabling Anti-Ransomware Protection (ARP) on the cluster running ONTAP 9.17.1P6, excessive Anti_ransomware_attack_backup snapshots are created on multiple volumes even though the attack probability remains "none."
- The snapshots are triggered by the reason "New file extension detected" and are created at frequent intervals (every 30 minutes in some cases), causing volume space consumption to grow approximately 3× within 2–3 days.
- Disabling and re-enabling ARP on the affected volumes was attempted as a reset. After the disable/re-enable, volumes began behaving normally, but a few volumes continued generating attack snapshots at high frequency.
- No callhome.arw.activity.seen alert or EMS notification was triggered because the attack probability never escalated to "Moderate" — the threshold required for call-home generation.
- EMS log examples showing the behavior:
[cluster-n01: wafl_arp_block_device_worker_: arw.snapshot.created:notice]: ARP snapshot created on volume "db_vol01_roc" (UUID: "aade7a6f-xxxx-xxxx-xxxx-xxxxxxxxxxxx") in SVM "svm_db01" (UUID: "3beec5b2-xxxx-xxxx-xxxx-xxxxxxxxxxxx") at "2026-06-03_0138". Reason: "New file extension detected".
[cluster-n01: wafl_arp_block_device_worker_: arw.snapshot.created:notice]: ARP snapshot created on volume "db_vol01_roc" (UUID: "aade7a6f-xxxx-xxxx-xxxx-xxxxxxxxxxxx") in SVM "svm_db01" (UUID: "3beec5b2-xxxx-xxxx-xxxx-xxxxxxxxxxxx") at "2026-06-03_0208". Reason: "New file extension detected".
[cluster-n01: wafl_arp_block_device_worker_: arw.snapshot.created:notice]: ARP snapshot created on volume "db_vol01_roc" (UUID: "aade7a6f-xxxx-xxxx-xxxx-xxxxxxxxxxxx") in SVM "svm_db01" (UUID: "3beec5b2-xxxx-xxxx-xxxx-xxxxxxxxxxxx") at "2026-06-03_0238". Reason: "New file extension detected".
- Key observations:
  - Attack snapshots are created every ~30 minutes with reason "New file extension detected"
  - Attack probability remains "none" — no escalation to moderate or high
  - No arw.activity.seen call-home is triggered
  - Periodic ARP snapshots (Anti-ransomware periodic snapshot created) continue normally and are capped at 6
  - Attack snapshots triggered by "New file extension detected" are uncapped and retained based on arw.snap.new.extns.interval.hours (minimum 24 hours)
  - Workload characteristics (learned baseline/surge) show as empty after the disable/re-enable
  - The arw.snap.new.extns.interval.hours parameter has a minimum enforced value of 24 (attempting to set it lower returns: value must be between 24 and 8760)
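
Because no call-home fires while the attack probability stays "none", the only signal is the arw.snapshot.created EMS events themselves. The following is an added example, not NetApp code: it parses events in the format shown above and flags volumes with repeated "New file extension detected" snapshots at short intervals. The 1-hour gap, the 3-event threshold, and the volume name app_vol02 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r'arw\.snapshot\.created:\w+\]: ARP snapshot created on volume "(?P<vol>[^"]+)" '
    r'\(UUID: "[^"]*"\) in SVM "(?P<svm>[^"]+)" \(UUID: "[^"]*"\) '
    r'at "(?P<ts>\d{4}-\d{2}-\d{2}_\d{4})"\. Reason: "(?P<reason>[^"]+)"')

def _line(vol, ts):
    """Build one constructed EMS line in the format of the examples above."""
    return ('[cluster-n01: wafl_arp_block_device_worker_: arw.snapshot.created:notice]: '
            f'ARP snapshot created on volume "{vol}" (UUID: "aade7a6f-xxxx-xxxx-xxxx-xxxxxxxxxxxx") '
            f'in SVM "svm_db01" (UUID: "3beec5b2-xxxx-xxxx-xxxx-xxxxxxxxxxxx") at "{ts}". '
            'Reason: "New file extension detected".')

# Constructed sample: the first two events are fused on one line, as in the log excerpt;
# app_vol02 is a hypothetical volume with widely spaced snapshots.
SAMPLE_EMS = (_line("db_vol01_roc", "2026-06-03_0138") + _line("db_vol01_roc", "2026-06-03_0208") + "\n"
              + _line("db_vol01_roc", "2026-06-03_0238") + "\n"
              + _line("app_vol02", "2026-06-02_0100") + "\n" + _line("app_vol02", "2026-06-03_0300") + "\n")

def parse_events(text):
    """Return (svm, volume, timestamp, reason) tuples; finditer copes with fused lines."""
    return [(m["svm"], m["vol"], datetime.strptime(m["ts"], "%Y-%m-%d_%H%M"), m["reason"])
            for m in EVENT_RE.finditer(text)]

def noisy_volumes(text, reason="New file extension detected",
                  max_gap=timedelta(hours=1), min_events=3):
    """Flag volumes with a run of >= min_events snapshots for `reason`, each <= max_gap apart."""
    by_vol = defaultdict(list)
    for svm, vol, ts, why in parse_events(text):
        if why == reason:
            by_vol[(svm, vol)].append(ts)
    flagged = {}
    for key, stamps in by_vol.items():
        stamps.sort()
        run = best = 1
        for prev, cur in zip(stamps, stamps[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_events:
            gaps = sorted((b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:]))
            flagged[key] = {"count": len(stamps), "longest_run": best,
                            "median_gap_min": gaps[len(gaps) // 2]}
    return flagged

if __name__ == "__main__":
    print(noisy_volumes(SAMPLE_EMS))
```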
