Anti-Ransomware: observed file extensions using wildcard or regex

beckerr · ‎2023-09-09

We are using anti-ransomware on some volumes with ONTAP 9.13.1.

On volumes that we export via NFSv3, we get daily warnings regarding NFS lock files.

Example

security anti-ransomware volume workload-behavior show -vserver vfiler2 -volume vfiler2_Docker1 -instance
...Newly Observed File Extensions: 
nfs000000000050d3ab0000000e,
nfs000000000050d98000000011,
nfs000000000050d99900000019,
nfs000000000050d98100000012,
nfs000000000050d98300000014,
nfs000000000050d98400000015,
nfs000000000050d98500000016,
nfs000000000050d99800000018,
nfs000000000050d9ec0000001a, 
nfs000000000050d96900000010,
nfs000000000050d98200000013,
nfs000000000050d3b00000000f,
nfs000000000050d99700000017
Number of Newly Observed File Extensions: 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1

Question

Is there a way to manually add file extensions that use wildcards or regular expressions?

If not, how can the problem described above be solved?

Ontapforrum · ‎2023-09-13

This could just be a NFS silly rename behavior, and it is orchestrated by the NFS client. As per the information below - NFSv4.x protocol has features to address this issue.

https://serverfault.com/questions/201294/nfsxxxx-files-appearing-what-are-those

unix - .nfsXXXX files appearing, what are those? - Server Fault

NetApp solution for silly rename issue for NFS to Kafka workloads

https://docs.netapp.com/us-en/netapp-solutions/data-analytics/kafka-nfs-netapp-solution-for-silly-rename-issue-in-nfs-to-kafka-workload.html#

beckerr · ‎2023-09-21

Implementing a workaround for NFS only is not enough here. The problem I described applies to all files whose file extension is dynamic. FPolicy seems to support regular expressions and wildcards, but ARP apparently does not?

Here are some examples from today for dynamic file extensions:

                        File Extensions Observed: 3068119, 3299662, 3428926,
                                                  3554678, 3689513, 3737025,
                                                  3780616, 3910014, 4038192,
                                                  4167277, 21315, 147956,
                                                  194370, 238317, 369390,
                                                  499932, 620709, 755092,
                                                  876796, 923228, 967022,
                                                  1094661, 1217362, 1339958,
                                                  1463609, 1582691, 1627857,
                                                  1669234, 1796609, 1917557,
                                                  2037749, 2158156, 2276786,
                                                  2320074, 2362872, 2492949,
                                                  2621799, 2744453
                                                  
                        File Extensions Observed: cache29860, cache19224,
                                                  cache24043, cache11494,
                                                  cache32653, cache8576,
                                                  cache17769, cache25737,
                                                  cache21256, cache12381,
                                                  cache26046, cache16453,
                                                  cache522, cache1183,
                                                  cache3457, cache29870,
                                                  cache9903, cache15043,
                                                  cache18970, cache5448,
                                                  cache9483, cache26827,
                                                  cache28706, cache5596,
                                                  cache6441, cache23167,
                                                  cache14400, cache31863,
                                                  cache17470, cache17786,
                                                  cache19343, cache5026,
                                                  cache19028, cache8617,
                                                  cache22316, cache23924,
                                                  cache22711
                                                  
                        File Extensions Observed: 003606, 003607, 003608,
                                                  003609, 003610, 003611,
                                                  003612, 003613, 003614,
                                                  003615, 003616, 003617,
                                                  003618, 003619, 003620,
                                                  003621, 003622, 003623,
                                                  003624, 003625, 003626,
                                                  003627, 003628, 003629,
                                                  003630, 003631, 003632,
                                                  003633, 003634, 003635,
                                                  003636, 003637, 003638,
                                                  003639, 003640, 003641,
                                                  003642, 003643, 003644,
                                                  003645, 003646, 003647,
                                                  003648, 003649, 003650,
                                                  003651

                  Newly Observed File Extensions: 003642, 003643, 003644,
                                                  003645, 003646, 003647,
                                                  003648, 003649, 003650,
                                                  003651, 003652, 003653,
                                                  003654, 003655, 003656,
                                                  003657, 003658, 003659,
                                                  003660, 003661, 003662,
                                                  003663