Security anti-ransomware volume attack generate-report output
Applies to
- ONTAP version 9.10.1 or later
- Anti-ransomware or Autonomous Ransomware Protection (ARP) or Anti_Ransomware or ARW
Answer
- Running security anti-ransomware volume attack generate-report produces a report listing the files that are suspected of being potential ransomware:
Cluster_CLI::> security anti-ransomware volume attack generate-report -vserver <affected vserver> -volume <affected volume> -dest-path <data SVM>:<shared volume hosted by the data SVM>/
Report "report_file_vs1_vol1_30-03-2021_16-11-38" available at path "vs1:vol1/".
- The report file has the format shown below; the column names in parentheses are descriptive only, as the file itself contains no column header line:
(File sequence) (Time and date of report) (Extension) (File Name) (Report Indicator)
1 "7/30/2024 15:33:36" 5856 /file.5856 1
2 "7/30/2024 15:33:36" 5857 /file.5857 2
3 "7/30/2024 15:33:36" 5858 /file.5858 1
4 "7/30/2024 15:33:36" 5862 /file.5862 1
5 "7/30/2024 15:33:36" 5864 /file.5864 2
- The Report Indicator column resolves to:
- 1 indicates 'File extension type: an extension that does not conform to the normal extension type'.
- 2 indicates 'Entropy: an evaluation of the randomness of the data in the file'.
- Any file listed in the report then needs to be examined for integrity from the corresponding host.
- To display the report with the CLI:
Cluster_CLI::> run -node [nodename] rdfile /vol/vol1/report_file_vs1_vol1_30-03-2021_16-11-38
Output Example:
1 8/26/2025 03:03:24 csq_min=250 csq_avg=219 unsafe_extn=0 file_hdr=0 safe_extn=0 score=0.9999976787980708 lckd /file.tar.gz.lckd
Note:
- lckd is the file extension of the file named file.tar.gz.lckd.
- unsafe_extn=0 / safe_extn=0 indicate that the file does not match any extension classified as unsafe or safe according to the system's extension classification list.
- Other parameters such as csq_min, csq_avg, file_hdr, and score are system-generated metrics used internally for file scanning and classification, whose definitions are currently not publicly available.
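The following is an added example, not part of the article or of ONTAP itself, showing how an analyst could parse both report formats described above (the headerless five-column generate-report file and the key=value rdfile line) so the flagged files and their reasons can be fed into a triage list. The sample lines are constructed from the article's output; the indicator meanings are the ones the article gives.

```python
import shlex
from dataclasses import dataclass

# Meaning of the Report Indicator column, as documented in the article.
REPORT_INDICATOR = {
    1: "File extension type: extension does not conform to the normal extension type",
    2: "Entropy: evaluation of the randomness of the data in the file",
}

# Constructed sample of the headerless generate-report file (same layout as the article).
SAMPLE_REPORT = '''1 "7/30/2024 15:33:36" 5856 /file.5856 1
2 "7/30/2024 15:33:36" 5857 /file.5857 2
3 "7/30/2024 15:33:36" 5858 /file.5858 1
'''

# Constructed sample of an rdfile output line carrying the key=value metrics.
SAMPLE_RDFILE_LINE = ("1 8/26/2025 03:03:24 csq_min=250 csq_avg=219 unsafe_extn=0 "
                      "file_hdr=0 safe_extn=0 score=0.9999976787980708 lckd /file.tar.gz.lckd")

@dataclass
class ReportEntry:
    seq: int
    timestamp: str
    extension: str
    path: str
    indicator: int
    reason: str

def parse_report(text):
    """Parse the five-column report: seq, quoted timestamp, extension, path, indicator."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ts, ext, path, ind = shlex.split(line)  # shlex keeps the quoted timestamp whole
        ind = int(ind)
        entries.append(ReportEntry(int(seq), ts, ext, path, ind,
                                   REPORT_INDICATOR.get(ind, "unknown indicator")))
    return entries

def parse_rdfile_line(line):
    """Parse an rdfile line: seq, date, time, key=value metrics..., extension, path."""
    f = line.split()
    metrics = {}
    for kv in f[3:-2]:
        k, _, v = kv.partition("=")
        metrics[k] = float(v) if "." in v else int(v)
    # Per the article, unsafe_extn=0 and safe_extn=0 mean the extension is in neither list.
    unclassified = metrics.get("unsafe_extn") == 0 and metrics.get("safe_extn") == 0
    return {"seq": int(f[0]), "timestamp": f"{f[1]} {f[2]}", "metrics": metrics,
            "extension": f[-2], "path": f[-1], "extension_unclassified": unclassified}

def suspicious_extensions(entries):
    """Extensions flagged with indicator 1 (non-conforming extension type)."""
    return sorted({e.extension for e in entries if e.indicator == 1})
```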