Anti-Ransomware: observed file extensions using wildcard or regex
2023-09-09 03:51 AM
We are using anti-ransomware on some volumes with ONTAP 9.13.1.
On volumes that we export via NFSv3, we get daily warnings regarding NFS lock files.
Example
security anti-ransomware volume workload-behavior show -vserver vfiler2 -volume vfiler2_Docker1 -instance
...Newly Observed File Extensions:
nfs000000000050d3ab0000000e,
nfs000000000050d98000000011,
nfs000000000050d99900000019,
nfs000000000050d98100000012,
nfs000000000050d98300000014,
nfs000000000050d98400000015,
nfs000000000050d98500000016,
nfs000000000050d99800000018,
nfs000000000050d9ec0000001a,
nfs000000000050d96900000010,
nfs000000000050d98200000013,
nfs000000000050d3b00000000f,
nfs000000000050d99700000017
Number of Newly Observed File Extensions: 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1
Question
Is there a way to manually add file extensions that use wildcards or regular expressions?
If not, how can the problem described above be solved?
2 REPLIES
This could just be an NFS silly rename behavior, and it is orchestrated by the NFS client. As per the information below, the NFSv4.x protocol has features to address this issue.
https://serverfault.com/questions/201294/nfsxxxx-files-appearing-what-are-those
unix - .nfsXXXX files appearing, what are those? - Server Fault
NetApp solution for silly rename issue for NFS to Kafka workloads
Implementing a workaround for NFS only is not enough here. The problem I described applies to all files whose file extension is dynamic. FPolicy seems to support regular expressions and wildcards, but ARP apparently does not?
Here are some examples from today for dynamic file extensions:
File Extensions Observed: 3068119, 3299662, 3428926,
3554678, 3689513, 3737025,
3780616, 3910014, 4038192,
4167277, 21315, 147956,
194370, 238317, 369390,
499932, 620709, 755092,
876796, 923228, 967022,
1094661, 1217362, 1339958,
1463609, 1582691, 1627857,
1669234, 1796609, 1917557,
2037749, 2158156, 2276786,
2320074, 2362872, 2492949,
2621799, 2744453
File Extensions Observed: cache29860, cache19224,
cache24043, cache11494,
cache32653, cache8576,
cache17769, cache25737,
cache21256, cache12381,
cache26046, cache16453,
cache522, cache1183,
cache3457, cache29870,
cache9903, cache15043,
cache18970, cache5448,
cache9483, cache26827,
cache28706, cache5596,
cache6441, cache23167,
cache14400, cache31863,
cache17470, cache17786,
cache19343, cache5026,
cache19028, cache8617,
cache22316, cache23924,
cache22711
File Extensions Observed: 003606, 003607, 003608,
003609, 003610, 003611,
003612, 003613, 003614,
003615, 003616, 003617,
003618, 003619, 003620,
003621, 003622, 003623,
003624, 003625, 003626,
003627, 003628, 003629,
003630, 003631, 003632,
003633, 003634, 003635,
003636, 003637, 003638,
003639, 003640, 003641,
003642, 003643, 003644,
003645, 003646, 003647,
003648, 003649, 003650,
003651
Newly Observed File Extensions: 003642, 003643, 003644,
003645, 003646, 003647,
003648, 003649, 003650,
003651, 003652, 003653,
003654, 003655, 003656,
003657, 003658, 003659,
003660, 003661, 003662,
003663
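One way to triage this kind of output outside ONTAP, as an added example that is not part of the original thread and not a NetApp feature: it parses the extension fields shown above and collapses dynamic suffixes into shapes, so that one-off extensions stand out from recurring patterns. The function names, the `<HEX>`/`<N>` shape notation and the sample text are assumptions made for illustration.

```python
import re
from collections import Counter

# Field names as they appear in the output quoted in this thread.
EXT_FIELDS = {"Newly Observed File Extensions", "File Extensions Observed"}

# Constructed sample in the same layout as the quoted output.
SAMPLE = """\
Newly Observed File Extensions:
nfs00000000005a1b2c0000000a,
nfs00000000005a1b2d0000000b
Number of Newly Observed File Extensions: 1, 1
File Extensions Observed: cache29860, cache19224,
cache24043
File Extensions Observed: 003606, 003607, docx
"""

def parse_extensions(text):
    """Return the extensions listed under EXT_FIELDS, following wrapped lines."""
    exts, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip().lstrip(".")
        if ":" in line:
            # A new "Field: value" line starts; only extension fields are kept.
            key, _, line = line.partition(":")
            collecting = key.strip() in EXT_FIELDS
        if collecting:
            exts += [v.strip() for v in line.split(",") if v.strip()]
    return exts

def shape(ext):
    """Collapse variable parts: long hex runs to <HEX>, digit runs to <N>."""
    ext = re.sub(r"[0-9a-f]{8,}",
                 lambda m: "<N>" if m.group().isdigit() else "<HEX>", ext)
    return re.sub(r"\d+", "<N>", ext)

def triage(text, min_members=2):
    """Split into (recurring shapes with counts, one-off extensions to review)."""
    exts = sorted(set(parse_extensions(text)))
    counts = Counter(shape(e) for e in exts)
    dynamic = {s: n for s, n in counts.items() if n >= min_members}
    review = [e for e in exts if counts[shape(e)] < min_members]
    return dynamic, review

if __name__ == "__main__":
    dynamic, review = triage(SAMPLE)
    print("recurring shapes:", dynamic)
    print("one-off extensions to review:", review)
```

A recurring shape still needs to be matched to a known application on the volume before it is treated as expected noise.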
