What factors can cause ARP false positive alerts?

Applies to

• ONTAP 9.10.1 and later
• Autonomous Ransomware Protection (ARP)

Answer

• The key factors leading to ARP false positives in ONTAP are:
  • File Extensions:
    • ARP flags unfamiliar file extensions as suspicious. 
    • Environments with automated processes that generate unique extensions may see more false positives.
  • High-entropy data
    • High-entropy data indicates high randomness. 
    • Encrypted or compressed data typically yields higher entropy scores, especially during backup or archive operations.
    • Reference KB: Software backups are causing anti-ransomware snapshots in ONTAP
  • Workload Type:
    • High-frequency file operations (create, delete, rename) can trigger alerts.
    • Workloads like VMware backups, which involve heavy file I/O, are especially prone to this. 
  • Learning Mode Duration:
    • ARP requires an adequate learning period (7–30 days) to distinguish normal from abnormal activity.
    • Insufficient learning increases false positives.
• The following measures can help prevent ARP false positives in ONTAP:
  • Detection Parameters:
    • Tuning ARP parameters—such as thresholds for new file extensions, high entropy data, and file operation surges—can reduce false positives.
  • User Feedback:
    • Marking an alert as a false positive prevents ARP from flagging similar future events.
  • Surge Detection:
    • ARP detects spikes in file operations based on historical baselines.
    • Adjusting surge detection settings can help minimize false positives from normal workload fluctuations.

Additional Information

Understanding Autonomous Ransomware Protection snapshot protection and attack detection