NetApp Knowledge Base

ARP creates excessive snapshots with Attack Probability "None"

Category: ontap-9
Specialty: CORE

Applies to

  • ONTAP 9.14.1 and later
  • All FAS, AFF, and ASA platforms with ARP enabled

Issue

  • After enabling Anti-Ransomware Protection (ARP) on the cluster running ONTAP 9.17.1P6, excessive Anti_ransomware_attack_backup snapshots are created on multiple volumes even though the attack probability remains "none."
  • The snapshots are triggered by the reason "New file extension detected" and are created at frequent intervals (every 30 minutes in some cases), causing volume space consumption to grow approximately 3× within 2–3 days.
  • ARP was disabled and re-enabled on the affected volumes to attempt a reset. After the disable/re-enable, volumes began behaving normally, but a few volumes continued generating attack snapshots at high frequency.
  • No callhome.arw.activity.seen alert or EMS notification was triggered because the attack probability never escalated to "Moderate" — the threshold required for call-home generation.
  • EMS log examples showing the behavior:

[cluster-n01: wafl_arp_block_device_worker_: arw.snapshot.created:notice]: ARP snapshot created on volume "db_vol01_roc" (UUID: "aade7a6f-xxxx-xxxx-xxxx-xxxxxxxxxxxx") in SVM "svm_db01" (UUID: "3beec5b2-xxxx-xxxx-xxxx-xxxxxxxxxxxx") at "2026-06-03_0138". Reason: "New file extension detected".
[cluster-n01: wafl_arp_block_device_worker_: arw.snapshot.created:notice]: ARP snapshot created on volume "db_vol01_roc" (UUID: "aade7a6f-xxxx-xxxx-xxxx-xxxxxxxxxxxx") in SVM "svm_db01" (UUID: "3beec5b2-xxxx-xxxx-xxxx-xxxxxxxxxxxx") at "2026-06-03_0208". Reason: "New file extension detected".
[cluster-n01: wafl_arp_block_device_worker_: arw.snapshot.created:notice]: ARP snapshot created on volume "db_vol01_roc" (UUID: "aade7a6f-xxxx-xxxx-xxxx-xxxxxxxxxxxx") in SVM "svm_db01" (UUID: "3beec5b2-xxxx-xxxx-xxxx-xxxxxxxxxxxx") at "2026-06-03_0238". Reason: "New file extension detected".

  • Key observations:
    • Attack snapshots are created every ~30 minutes with reason "New file extension detected"
    • Attack probability remains "none" — no escalation to moderate or high
    • No arw.activity.seen call-home is triggered
    • Periodic ARP snapshots (Anti-ransomware periodic snapshot created) continue normally and are capped at 6
    • Attack snapshots triggered by "New file extension detected" are uncapped and retained based on arw.snap.new.extns.interval.hours (minimum 24 hours)
    • Workload characteristics (learned baseline/surge) show as empty after the disable/re-enable
    • The arw.snap.new.extns.interval.hours parameter has a minimum enforced value of 24 (attempting to set it lower returns: value must be between 24 and 8760)
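
Because no call-home fires while the attack probability stays "none", the arw.snapshot.created EMS entries are the only signal of this condition. The following is an added example, not NetApp code: it parses exported EMS text in the format quoted above and flags volumes whose "New file extension detected" snapshots recur at short intervals. The function names, the one-hour gap threshold, the three-event minimum and the volume "app_vol02" are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

NEW_EXT = "New file extension detected"
# Matches the arw.snapshot.created EMS message format quoted in this article.
EMS_RE = re.compile(
    r'arw\.snapshot\.created:notice\]: ARP snapshot created on volume "(?P<vol>[^"]+)"'
    r'.*?in SVM "(?P<svm>[^"]+)".*?at "(?P<ts>\d{4}-\d{2}-\d{2}_\d{4})"\.'
    r' Reason: "(?P<reason>[^"]+)"')

def parse_events(text):
    """Yield (svm, volume, time, reason); finditer copes with fused log lines."""
    for m in EMS_RE.finditer(text):
        yield m["svm"], m["vol"], datetime.strptime(m["ts"], "%Y-%m-%d_%H%M"), m["reason"]

def noisy_volumes(text, reason=NEW_EXT, max_gap=timedelta(hours=1), min_events=3):
    """Map (svm, volume) -> (event count, median gap in minutes) for volumes
    whose snapshots with `reason` recur at a median gap of max_gap or less."""
    by_vol = defaultdict(list)
    for svm, vol, ts, why in parse_events(text):
        if why == reason:
            by_vol[(svm, vol)].append(ts)
    flagged = {}
    for key, stamps in by_vol.items():
        if len(stamps) < max(min_events, 2):
            continue  # too few events to measure an interval
        stamps.sort()
        gaps = sorted(b - a for a, b in zip(stamps, stamps[1:]))
        median = gaps[len(gaps) // 2]
        if median <= max_gap:
            flagged[key] = (len(stamps), median.total_seconds() / 60)
    return flagged

# Constructed sample in the article's EMS format (UUIDs masked as in the article).
# "app_vol02" is a hypothetical second volume with one snapshot per day.
_FMT = ('[cluster-n01: wafl_arp_block_device_worker_: arw.snapshot.created:notice]: '
        'ARP snapshot created on volume "{v}" (UUID: "aade7a6f-xxxx-xxxx-xxxx-xxxxxxxxxxxx") '
        'in SVM "svm_db01" (UUID: "3beec5b2-xxxx-xxxx-xxxx-xxxxxxxxxxxx") at "{t}". '
        'Reason: "' + NEW_EXT + '".')
SAMPLE = (
    _FMT.format(v="db_vol01_roc", t="2026-06-03_0138")
    + _FMT.format(v="db_vol01_roc", t="2026-06-03_0208") + "\n"
    + _FMT.format(v="db_vol01_roc", t="2026-06-03_0238") + "\n"
    + "\n".join(_FMT.format(v="app_vol02", t=f"2026-06-0{d}_0100") for d in (1, 2, 3)))

if __name__ == "__main__":
    for (svm, vol), (n, gap) in noisy_volumes(SAMPLE).items():
        print(f"{svm}:{vol}: {n} '{NEW_EXT}' snapshots, median gap {gap:.0f} min")
```

On the constructed sample only db_vol01_roc is flagged, at a 30-minute median gap; the daily snapshots on the hypothetical app_vol02 stay below the threshold.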
