Problem: I have many ARP snapshots that are false positives.
What I want: I want to know how to get rid of them. I get an error when I try to delete the snapshots.
I have been combing through the NetApp documentation on how to "clear the attack". This page is the closest one I have found, yet it doesn't give me the answer.
Sometimes I see "View suspected file type" under "Abnormal volume activity detected", but this visualization either takes a few seconds to show up (no "waiting" indication) or never appears.
But what about when the ARP is fired due to entropy or file deletions or any of the other situations that can cause an ARP snapshot? How do I clear those? I see where I can tune those settings to avoid future issues, but how can I clear that event so that the OS will either automatically delete the ARP snapshot or allow me to?
The only workaround I have seen is to turn off ARP and then delete the snapshots. Is this the expected procedure?
I am using ONTAP 9.14.1P9, but I see no indication that later releases have what I am looking for.
I know this isn't the forum for feature requests, but I will offer them anyway:
1) One click for ARP response: "No, this isn't a ransomware attack", after which the system automatically updates all its settings and deletes the ARP snapshots.
2) An "alert only" mode where we get an alert, but no ARP snapshots are made. We already have snapshots where we want them and don't have snapshots on scratch data. However, my volumes are continually getting filled with ARP snapshots that I can't delete, and this is causing disruptions for my users. I want the AI to alert me, but I want the option to just take the volume offline or delete the data, since it is data that only has ephemeral value and where deletion, not restoration, is the preferred response to a ransomware attack. In other words, yes, I want to know if my company is being attacked on any volume, but I want a per-volume choice on what actions ARP takes with respect to snapshots.
Page URL
https://docs.netapp.com/us-en/ontap/anti-ransomware/respond-abnormal-task.html
Page title
Respond to abnormal activity