NetApp Knowledge Base

What causes ARP false-positive alerts, and what influences how often they occur?

Category: ontap-9
Specialty: core
Applies to

  • ONTAP 9.10.1 and later
  • Anti-ransomware Protection (ARP)

Answer

  • The rate of false positives raised by ARP in ONTAP depends on several factors. Understanding these factors helps in managing and reducing false positives.
  • Factors influencing false-positive ARP alerts:
    • File Extensions:
      ARP relies on detecting unusual file extensions to identify potential ransomware attacks. If a volume contains unique or new file extensions that ARP has not seen before, it may flag them as suspicious, leading to false positives.
      This is particularly common in environments where automated processes generate unique file extensions.
    • Unsuitable Workload:
      High-frequency file operations, such as creating, deleting, or renaming a large number of files in a short period, can trigger ARP alerts, because ARP interprets such surges in file operations as potential ransomware activity.
      Workloads that inherently involve heavy file I/O, such as VMware backups, can therefore lead to frequent false positives.
    • Learning Mode Duration:
      ARP initially operates in a "Learning Mode" to understand the normal behavior of the volume. If the learning period is too short, ARP may not accurately distinguish normal from suspicious activity, leading to false positives. The recommended learning period is between 7 and 30 days.
    • Detection Parameters:
      The configuration of ARP's detection parameters significantly affects the frequency of false positives.
      Parameters such as detection based only on never-seen-before file extensions, the threshold for new file extensions, high-entropy data rates, and file-operation surges can be adjusted to suit the specific workload and reduce false positives.
    • User action when an attack is detected:
      Once an attack is marked as a false positive, ARP no longer flags future occurrences of that attack as suspicious, which reduces repeated false-positive detections.
    • Surge Detection:
      ARP uses surge detection to identify unusual spikes in file operations. The surge baseline is calculated from historical workload information. Adjusting the surge-detection parameters can help minimize false positives triggered by normal workload variations.
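The following is an added, constructed illustration of how the factors above interact; it is not ONTAP's code, does not use ONTAP's real parameter names, and its baseline rule (busiest learned day) and thresholds are assumptions chosen for the demonstration. It replays a perfectly benign 14-day workload, containing an automated job that emits fresh extensions and a weekly backup spike, through a toy detector with a short and with a recommended-length learning period.

```python
from collections import Counter

# Constructed, simplified model of ARP-style detection: illustration only,
# not ONTAP's algorithm and not its real parameter names.
class ArpModel:
    def __init__(self, learning_days=7, new_ext_threshold=3, surge_percent=100):
        self.learning_days = learning_days          # days spent in "learning mode"
        self.new_ext_threshold = new_ext_threshold  # never-seen extensions/day that alert
        self.surge_percent = surge_percent          # % above baseline that counts as a surge
        self.known_exts = set()
        self.peak_ops = 0                           # baseline = busiest learned day (assumption)

    def observe_day(self, day, filenames):
        """Feed one day of created files; return the alerts raised (none while learning)."""
        exts = {f.rsplit(".", 1)[-1].lower() for f in filenames if "." in f}
        unseen = exts - self.known_exts
        self.known_exts |= exts                     # extensions seen once are learned
        if day < self.learning_days:
            self.peak_ops = max(self.peak_ops, len(filenames))
            return []
        alerts = []
        if len(unseen) >= self.new_ext_threshold:
            alerts.append(f"day {day}: {len(unseen)} never-seen extensions {sorted(unseen)}")
        if len(filenames) > self.peak_ops * (1 + self.surge_percent / 100):
            alerts.append(f"day {day}: file-op surge {len(filenames)} vs baseline {self.peak_ops}")
        return alerts

def workload(day):
    """Constructed benign workload: office files, an automated job emitting 5 fresh
    extensions per day (30 in rotation), and a 5x backup-style spike every 7th day."""
    files = [f"report{i}.{'docx' if i % 2 else 'xlsx'}" for i in range(1000)]
    files += [f"job{day}.part{(5 * day + k) % 30:02d}" for k in range(5)]
    if day % 7 == 6:                                # VMware-backup style surge
        files += [f"vm{i}.vmdk" for i in range(4000)]
    return files

def simulate(learning_days, days=14):
    """Run the workload through the model and collect every alert it raises."""
    model = ArpModel(learning_days=learning_days)
    alerts = []
    for day in range(days):
        alerts += model.observe_day(day, workload(day))
    return alerts

if __name__ == "__main__":
    for ld in (3, 7):
        print(f"learning_days={ld}: {len(simulate(ld))} alert(s)")
        for a in simulate(ld):
            print("  ", a)
```

With a 3-day learning period the benign workload produces five alerts (three for the rotating extensions, two for the backup spikes); with 7 days the model has seen the full extension rotation and one backup day, so the same workload produces none.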

Additional Information

See "Learn about Autonomous Ransomware Protection in ONTAP" for more details.
