When are Anti_ransomware_attack_backup snapshots deleted after clearing a false-positive ransomware alert in ONTAP
Applies to
- ONTAP 9.17.1
- Autonomous Ransomware Protection (ARP)
Answer
- Snapshots created during ransomware detection are not deleted immediately after clearing a false-positive alert using:
  anti-ransomware volume attack clear-suspect -false-positive true
- Snapshot deletion is controlled by two independent retention mechanisms:
  - Post-clear retention (event-based)
    - Starts when clear-suspect is executed
    - Controlled by:
      arw.snap.retain.hours.after.clear.suspect.false.alert
      arw.snap.retain.hours.after.clear.suspect.real.attack
  - Attack_backup_snapshot rotation policy (time-based)
    - Based on snapshot lifecycle limits
    - Controlled by:
      arw.snap.high.encryption.retain.duration.hours
- The snapshot is deleted only after both retention conditions are satisfied.
- The longer of the two retention periods determines the final deletion time.
Note: This behavior ensures snapshots remain available for analysis or recovery even after clearing the alert.
Example:
- Configurations:
  arw.snap.high.encryption.retain.duration.hours = 240 (10 days)
  arw.snap.retain.hours.after.clear.suspect.false.alert = 24 (1 day)
  arw.snap.retain.hours.after.clear.suspect.real.attack = 168 (7 days)
- Case 1:
  - If a snapshot is marked as a false positive on the 3rd day, the post-clear retention would keep it for 4 days (3 days + 1 day).
  - However, since the standard retention period is 10 days, the snapshot will still be deleted only after 10 days.
- Case 2:
  - If it is marked as a false positive on the 11th day, the post-clear retention keeps it for 12 days (11 days + 1 day), which exceeds the standard 10-day retention period.
  - As a result, the snapshot will be deleted after 12 days.
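To check the rule against the two cases above, here is an added Python example (not NetApp's or ONTAP's code) that computes when an Attack_backup snapshot becomes deletable under the article's option values; the dataclass and function names are assumptions, and it also covers the real-attack knob, which the article lists but does not walk through.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Retention knobs from the article (hours). The keys are the ONTAP option names
# quoted on the page; the values are the article's example configuration.
ARW_RETENTION = {
    "arw.snap.high.encryption.retain.duration.hours": 240,         # 10 days, time-based rotation
    "arw.snap.retain.hours.after.clear.suspect.false.alert": 24,   # 1 day after clear (false positive)
    "arw.snap.retain.hours.after.clear.suspect.real.attack": 168,  # 7 days after clear (real attack)
}


@dataclass
class AttackBackupSnapshot:           # hypothetical model of one Anti_ransomware_attack_backup snapshot
    name: str
    created: datetime
    cleared: Optional[datetime] = None  # when clear-suspect was run; None = alert not cleared yet
    false_positive: bool = False        # value passed as -false-positive on clear-suspect


def deletion_time(snap: AttackBackupSnapshot, retention: dict = ARW_RETENTION) -> Optional[datetime]:
    """Earliest time at which BOTH retention mechanisms allow deletion.
    Returns None while the alert is uncleared, because the post-clear timer
    has not started and the article only describes the cleared case."""
    if snap.cleared is None:
        return None
    rotation_expiry = snap.created + timedelta(
        hours=retention["arw.snap.high.encryption.retain.duration.hours"])
    key = ("arw.snap.retain.hours.after.clear.suspect.false.alert" if snap.false_positive
           else "arw.snap.retain.hours.after.clear.suspect.real.attack")
    post_clear_expiry = snap.cleared + timedelta(hours=retention[key])
    # Both conditions must be satisfied, so the later of the two expiries wins.
    return max(rotation_expiry, post_clear_expiry)


def days_retained(snap: AttackBackupSnapshot) -> Optional[float]:
    """Total lifetime in days from creation to deletion (None if not yet cleared)."""
    expiry = deletion_time(snap)
    return None if expiry is None else (expiry - snap.created) / timedelta(days=1)


def retained_at(snap: AttackBackupSnapshot, when: datetime) -> bool:
    """True if the snapshot is still available for analysis/recovery at `when`."""
    expiry = deletion_time(snap)
    return expiry is None or when < expiry
```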
