CONTP-355938: Possible ransomware activity reported with fewer than 20 detected files
Issue description
- EMS reports arw.activity.seen:
[callhome.arw.activity.seen:alert]: Call home message for POSSIBLE RANSOMWARE ACTIVITY DETECTED, Volume: vol1 (UUID: xxxx) in Vserver: svm1 (UUID: xxxx)
- System Manager reports only 6 detected files (fewer than the default threshold of 20).
- The default Never Seen before File Extensions Count Notify Threshold of 20 is in effect; note in the output below that the never-seen-before-extension criterion itself is disabled (false), while the high-entropy and file create/rename/delete rate criteria are enabled with their own surge percentages:
cluster::> security anti-ransomware volume attack-detection-parameters show -vserver svm1 -volume vol1
Vserver Name : svm1
Volume Name : vol1
Is Detection Based on High Entropy Data Rate? : true
Is Detection Based on Never Seen before File Extension? : false
Is Detection Based on File Create Rate? : true
Is Detection Based on File Rename Rate? : true
Is Detection Based on File Delete Rate? : true
Is Detection Relaxing Popular File Extensions? : true
High Entropy Data Surge Notify Percentage : 100
File Create Rate Surge Notify Percentage : 100
File Rename Rate Surge Notify Percentage : 100
File Delete Rate Surge Notify Percentage : 100
Never Seen before File Extensions Count Notify Threshold : 20
Never Seen before File Extensions Duration in Hour : 24
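The output above lists several independent detection criteria, and only one of them (never-seen-before file extensions) is governed by the 20-file count threshold. The following Python is an added example written for this article, not NetApp code: it parses the `attack-detection-parameters show` output, reports which criteria are enabled together with the threshold the CLI pairs with each, and states whether the file-count threshold is actually gating an alert. The pairing of each "Is Detection Based on ..." field with its threshold field is by name and is an assumption of this example; the sample output is the one quoted above, embedded inline so the script runs offline.

```python
"""Parse `security anti-ransomware volume attack-detection-parameters show`
output and report which ARP detection criteria can raise an alert.
Added example for this article; not NetApp code."""

# Constructed sample: the CLI output quoted in this article.
SAMPLE_OUTPUT = """\
Vserver Name : svm1
Volume Name : vol1
Is Detection Based on High Entropy Data Rate? : true
Is Detection Based on Never Seen before File Extension? : false
Is Detection Based on File Create Rate? : true
Is Detection Based on File Rename Rate? : true
Is Detection Based on File Delete Rate? : true
Is Detection Relaxing Popular File Extensions? : true
High Entropy Data Surge Notify Percentage : 100
File Create Rate Surge Notify Percentage : 100
File Rename Rate Surge Notify Percentage : 100
File Delete Rate Surge Notify Percentage : 100
Never Seen before File Extensions Count Notify Threshold : 20
Never Seen before File Extensions Duration in Hour : 24
"""

# Each detection criterion and the threshold field the CLI pairs with it.
# Pairing by field name is an assumption made for this example.
CRITERIA = {
    "Is Detection Based on High Entropy Data Rate?":
        "High Entropy Data Surge Notify Percentage",
    "Is Detection Based on Never Seen before File Extension?":
        "Never Seen before File Extensions Count Notify Threshold",
    "Is Detection Based on File Create Rate?":
        "File Create Rate Surge Notify Percentage",
    "Is Detection Based on File Rename Rate?":
        "File Rename Rate Surge Notify Percentage",
    "Is Detection Based on File Delete Rate?":
        "File Delete Rate Surge Notify Percentage",
}

NEW_EXT_CRITERION = "Is Detection Based on Never Seen before File Extension?"


def parse_parameters(text):
    """Return {field: value}; 'true'/'false' become bool, digits become int."""
    params = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # prompt lines, blank lines, headers
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value.lower() in ("true", "false"):
            params[key] = value.lower() == "true"
        elif value.isdigit():
            params[key] = int(value)
        else:
            params[key] = value
    return params


def active_criteria(params):
    """Return {criterion: threshold} for every criterion that is enabled."""
    return {crit: params.get(thresh)
            for crit, thresh in CRITERIA.items()
            if params.get(crit) is True}


def file_count_threshold_applies(params):
    """True only when the never-seen-extension criterion is enabled, i.e. the
    file-count threshold (20 by default) is actually gating an alert."""
    return params.get(NEW_EXT_CRITERION) is True


if __name__ == "__main__":
    p = parse_parameters(SAMPLE_OUTPUT)
    print(f"Volume {p['Volume Name']} on {p['Vserver Name']}")
    for crit, thresh in active_criteria(p).items():
        print(f"  enabled: {crit}  (notify at {thresh})")
    print("File-count threshold gating alerts:",
          file_count_threshold_applies(p))
```

Run against the quoted output, the script lists four enabled criteria (high entropy and the three rate surges, each at 100 percent) and reports that the 20-file count threshold is not gating alerts, which is why an alert can legitimately carry fewer than 20 files when triggered by an entropy or rate surge.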