Autonomous Ransomware Protection (ARP): file extensions not recognized as false positives
Applies to
- ONTAP 9.11 and above
- Autonomous Ransomware Protection (ARP)
Issue
- ARP enabled on volume
- Files that ARP flags as suspected ransomware continue to appear even though they were marked as false positives in System Manager and/or with the command:
- CLI:
security anti-ransomware volume attack clear-suspect -vserver <svm> -volume <volume> -false-positive true
- GUI:
Abnormal volume activity detected on <date>
suspected ransomware files
- This seems to be related to new or unknown extensions, since each reported file extension is different.
- In security anti-ransomware volume attack-detection-parameters show, never-seen-before is set to true