Re: How to determine if files are ransomware

FelixZhou

We are on ONTAP version 9.14.1P8, after we enabled the anti-ransomware on CIFS volumes, we started receiving suspected long file list every day, we know they should be non-ransomware related. My questions is how we can safely determine they can be skipped. Are there any generic rules or utilities we can use for this purpose?

Otherwise nobody wants to set the files as false positive.

Please share your experience if any.

thanks in advance !

wareer

Are you sure this file isn't ransomware?If it's ransomware，No, once marked as false-positive, the newly found file extension will be considered a valid extension, and future attacks will not be reported on this file extension.

If you want to add no alerts, refer to the links belowhttps://docs.netapp.com/zh-cn/cloudinsights/ws_allowed_file_types.html

FelixZhou

believe most of files are not Ransomware. we are still in learning phase. But the most difficulty thing is we will need a guide line or rules to judge if we can make them as false-positive. we have been reported thousands of these type of alerts, otherwise the real ransomware will be buried in alerts....

will open a NetApp support case to find out if they can help on this.