Security anti-ransomware volume attack generate-report output
Applies to
- ONTAP version 9.10.1 or later
- Anti-ransomware or Autonomous Ransomware Protection (ARP) or Anti_Ransomware or ARW
Answer
- Running security anti-ransomware volume attack generate-report generates a report that lists the files suspected to be potential ransomware:
Cluster_CLI::> security anti-ransomware volume attack generate-report -vserver <affected vserver> -volume <affected volume> -dest-path <data SVM>:<shared volume hosted by the data SVM>/
Report "report_file_vs1_vol1_30-03-2021_16-11-38" available at path "vs1:vol1/".
- The report file uses the format shown below. The file itself contains no column header names; the first line here only labels the columns:
(File sequence) (Time and date of report) (File Name) (Report Indicator)
1 "7/30/2024 15:33:36" /file.5856 1
2 "7/30/2024 15:33:36" /file.5857 2
3 "7/30/2024 15:33:36" /file.5858 1
4 "7/30/2024 15:33:36" /file.5862 1
5 "7/30/2024 15:33:36" /file.5864 2
- The Report Indicator resolves to:
- 1 indicates 'File extension type: An extension that does not conform to the normal extension type'.
- 2 indicates 'Entropy: an evaluation of the randomness of data in a file'.
- Examine any files listed in the report for integrity from the corresponding host.
- To display the report with the CLI:
Cluster_CLI::> run -node [nodename] rdfile /vol/vol1/report_file_vs1_vol1_30-03-2021_16-11-38
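For triage, the report can be parsed and grouped by Report Indicator so each flagged file can be checked on the host. The following is an added example, not NetApp code: the function names are hypothetical, the sample text is constructed in the layout shown above, and it assumes the month/day/year timestamp order of the sample and that a file name may contain spaces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicator meanings as given on this page; any other value is reported as "unknown".
INDICATORS = {1: "file extension", 2: "entropy"}
# Layout: sequence "M/D/YYYY HH:MM:SS" /path indicator (the path may contain spaces).
LINE_RE = re.compile(r'^\s*(\d+)\s+"([^"]+)"\s+(.+?)\s+(\d+)\s*$')

# Constructed sample in the report layout (not real report data).
SAMPLE = '''\
1 "7/30/2024 15:33:36" /file.5856 1
2 "7/30/2024 15:33:36" /file.5857 2
3 "7/30/2024 15:33:36" /dir a/file.5858 1
this line is malformed
5 "7/30/2024 15:33:36" /file.5864 7
'''

def parse_report(text):
    """Return (entries, rejected): parsed rows and non-blank lines that did not match."""
    entries, rejected = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                rejected.append(raw)  # keep for manual review, never drop silently
            continue
        seq, stamp, path, ind = m.groups()
        entries.append({
            "seq": int(seq),
            "time": datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"),
            "path": path,
            "reason": INDICATORS.get(int(ind), "unknown"),
        })
    return entries, rejected

def group_by_reason(entries):
    """Map each detection reason to the list of flagged paths."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["reason"]].append(e["path"])
    return dict(groups)

if __name__ == "__main__":
    rows, bad = parse_report(SAMPLE)
    for reason, paths in group_by_reason(rows).items():
        print(f"{reason}: {len(paths)} file(s): {paths}")
    print(f"unparsed lines: {bad}")
```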