I activated the File Activity Anomaly Report a couple of months ago and strangely I receive reports from 17 Microsoft FileServers every Saturday morning from one particular domain (which accounts for about of half of the servers (all running the same software) - these are a mixture of 2008, 2012 & 2016 Windows OS). I've subsequently used CVIOMonitor.log in an attempt to troubleshoot however when viewing the properties of identified files they are displaying that each file was last amended in 2014. All of the servers are running Kaspersky AV and I can locate a limited number of 4670 – permissions on an object were changed’ entries in some of the server event logs (but not all).

I really don't want to have to disable this feature on these servers as the Alerts is obviously attempting to tell me something but I'm unable to validate the accuracy of the reports.

Hi Gateshead,

Is it possible to escalate this case so that we can check what is the issue here? We monitor the activity on the machine and alert when we see an abnormal activity on the machine. We would like to see why there is any abnormal activity happening. It will be easy if you can escalate the case and we can debug the issue

Thanks,

Karthik

Hi Gateshead,

Is it possible to escalate this case so that we can check what is the issue here? We monitor the activity on the machine and alert when we see an abnormal activity on the machine. We would like to see why there is any abnormal activity happening. It will be easy if you can escalate the case and we can debug the issue

Thanks,

Karthik

Alas some two weeks after raising Incident 200406-145 not much progress had been made. So this afternoon, in order to make some progress, I arranged for Kaspersky FULL scans to be manually ran on all problematic windows file-servers and the File Anomaly Alerts duly triggered. So, I now know that Kaspersky is triggering false positive Alerts. The question is how do I reconfigure CommVault and/or Kapersky to work together in perfect harmony? I don't want to deactivate the honeypot as this will reduce Ransomware protection.   

Hi Gateshead,

Can you provide us the log files from the machine which triggered anomaly to check what could have happened here?

Thanks,

Karthik

Appreciated Karthik,

I've just generated and uploaded a new "send log files" in respect of one of the iDAs which Alerted yesterday.

Stay safe

Still no response to the escallated ticket in spite of several 'chases'. I know that some allowances have to be made for COVID-19 however customer service is not currently very impressive.  

I just had a conversation with the now owning Tier2 and they will be escalating this case to our Engineering team. They do require a few additional items for which they replied within the case. The previous engineer has been in and out of the office so I can understand your frustrations. You always have the option of getting your case rerouted through our support frontline team or you always have the option of Field Escalating the case if you feel the traction isn't there for you. Our Support Management team will review and handle your case appropriately from there.

Procmon has established that when running a Kaspersky AV scan the file attributes are being amended  which results both in an Alert being triggered and the Backup job taking longer as there are more changed files to safeguard. I will have to arrange for a Kaspersky ticket to be opened as I presume there must already be a solution to this issue out there.

So armed with the procmon proof that Kaspersky was changing both the timestamps and attributes on scanned files, the Domain Administrator logged a support ticket with Kaspersky. The outcome is that Kaspersky are claiming that it is "normal practice for a scan to do that". Kaspersky appear to be trying to pass the buck back to CommVault but the File Activity Anomaly Alert is functioning as expected as far as I am concerned. How do I get Kaspersky to reconsider?

Hi,

I dont think this is the right way for an antivirus to change the timestaps on a file. This will affect the backups as well since backups depend on modifications time of a file and if that changes, there is a chance that we could skip files from backup or backup extra data. The anomaly report is also pointing to the same that there is some aomaly happening on the machine. I dont think Commvault can do anything here unless the antivirus fixes itself to not modify the timestamp.

Thanks,

Karthik

Hi,

I dont think this is the right way for an antivirus to change the timestaps on a file. This will affect the backups as well since backups depend on modifications time of a file and if that changes, there is a chance that we could skip files from backup or backup extra data. The anomaly report is also pointing to the same that there is some aomaly happening on the machine. I dont think Commvault can do anything here unless the antivirus fixes itself to not modify the timestamp.

Thanks,

Karthik

don't confuse the honeypot feature with the file change detection. One is a dummy xls sheet in iDataAgent Folder that only triggers alarm if the file content is tampered with (changing access date doesn't trigger alarms on our cells). the other relates to FolderWatcher.db (in contentstore/base for all the places) that monitors changes regularly and attempts to make intelligent deductions. We had to disable the latter part on our file-servers because the database file doesn't seem to have reliable cleanup routine and threatened to fill up the OS-Disk.

Hi,

We have fixed some issues with the pruning logic recently. Which service pack are you currently in. We can provide the update fpr the same.

Thanks,

Karthik 

Hi,

Can you update the client to the latest SP18 hotfix pack which has the fix for the DB size issue you mentioned.

Thanks,

Karthik

I'm running 11.19.6 throughout my CommCell. As it's not my Domain that is triggering (we use McAfee), I do not have direct access to Kaspersky support. I really want to challenge Kaspersky as it surely cannot be "normal practice" for the AV process to change the timestamp and attributes on scanned files. I've also tried to locate Kaspersky configuration documentation to see if this "normal practice" is referenced anywhere without success. It's doing my head in!

Gateshead:

I activated the File Activity Anomaly Report a couple of months ago and strangely I receive reports from 17 Microsoft FileServers every Saturday morning from one particular domain (which accounts for about of half of the servers (all running the same software) - these are a mixture of 2008, 2012 & 2016 Windows OS). I've subsequently used CVIOMonitor.log in an attempt to troubleshoot however when viewing the properties of identified files they are displaying that each file was last amended in 2014. All of the servers are running Kaspersky AV and I can locate a limited number of 4670 – permissions on an object were changed’ entries in some of the server event logs (but not all).

I really don't want to have to disable this feature on these servers as the Alerts is obviously attempting to tell me something but I'm unable to validate the accuracy of the reports.

I am recived everyday this alert. Can some one explain why?

Alert: File Activity Anomaly Alert 

 Type: Operation - Event Viewer Events 

               Detected Criteria: Event Viewer Events 

               Detected Time: Wed May  6 23:39:22 2020 

               CommCell: commserv 

               Event ID: 2608456 

               Monitoring Criteria: (Event Code equals to 7:211|7:212) 

               Severity: Critical 

               Event Date: Wed May  6 23:38:55 2020 

               Program: CVD 

               Client: XXXXXXXXXX 

               Description: Detected file activity anomaly of type [Deleted ] in last 5 minutes. Number of files Modified [319] Deleted [99275] Renamed [346] and Created [219]. Please verify the data on the machine.  

Hi,

You can check the CVIOMonitor.log which tells on which folders we have seen the activity resulting in this anomaly alert. Looks like there are a lot of deletes happening on the machine causing the anomaly.

Thanks,

Karthik

My report is always blank. I assume that is a good thing? :)

Solution eventualy obtianed from Kaspersky Forums:

•　　　　　　　　　　　　　 Oleg Bykov　

•　　　　　　　　　　　　　 Kaspersky Employee

To instruct KSWS to not mess with file times when doing the On-Demand scanning, add this value to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]

Solution eventualy obtained from Kaspersky Forums:

•　　　　　　　　　　　　　 Oleg Bykov　

•　　　　　　　　　　　　　 Kaspersky Employee

To instruct KSWS to not mess with file times when doing the On-Demand scanning, add this value to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]

@H_Ali,

What kind of server is it, just a Windows File Server?

David