# Ransomware false positives


autumn egret

Anyone else finding it a bit of a slog with false positives work on volumes? It registers lck files on NFS datastores and they keep reappearing as a risk. I keep stating 'false positive' but they appear with more lck files the next day. Don't know if this is fixed in 9.15.1 etc. Happening on 9.13.1 versions and 9.14.1.

gusty mauve

For ARP you really should be on the newest ONTAP version possible. There were so many fixes, especially regarding false positives, in recent patch releases that it really only boils down to "the newer the better".

pale anchor

Make sure you're on current versions, at least 9.13.1P12, 9.14.1P8 or 9.15.1P1, these have most known bugs (which I know of) fixed.

zenith raptor

If you’re using ARP, you absolutely want to be on the latest versions of ONTAP as that’s how the lists and definitions get updated (for now).

pale anchor

Oh, and uncheck this; it should reduce your alerts, since these .lck files have unique UUIDs at the end, so ONTAP thinks these are new file extensions.
In newer patch-versions this checkbox is disabled by default by the way.

New file-types will still be involved in the detection but there must be a high entropy event at the same time. If you set this checkbox ARP will alert even if there is no high entropy.
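A small model of the behaviour described in this post, written as an added example (it is not ONTAP's or NetApp's code): it shows why each UUID-suffixed .lck file counts as a never-seen-before extension, how requiring a co-occurring high-entropy event suppresses those alerts, and, going one step beyond the post, how normalising the suffix collapses them into a single type. The file names, entropy flags, baseline extension set and suffix pattern are all constructed assumptions.

```python
import re

# Constructed sample of file-create events on one volume: (file name, high-entropy write?).
# The names only mirror the description above of .lck files carrying a unique suffix;
# they are not real datastore files, and the entropy flags are made up.
EVENTS = [
    ("vm01-flat.vmdk.lck-3bd1cd00", False),
    ("vm02-flat.vmdk.lck-9a77f2e1", False),
    ("vm03-flat.vmdk.lck-c01e44ab", False),
    ("report.docx", False),
    ("photo.jpg.locked", True),
    ("notes.txt.locked", True),
]

# Extensions the volume has already seen (assumed baseline).
KNOWN_EXTENSIONS = {"vmdk", "docx", "txt", "jpg"}

# Hypothetical normaliser: strip a trailing hex/UUID-style suffix from an extension.
UUID_SUFFIX = re.compile(r"[-_][0-9a-f]{8,}$")


def extension(name, normalise=False):
    """Return the file's extension, optionally with a UUID-style suffix removed."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return UUID_SUFFIX.sub("", ext) if normalise else ext


def new_extension_alerts(events, known, require_entropy, normalise=False):
    """Extensions that would raise a never-seen-before-file-type alert.

    require_entropy=False models the checkbox being set (a new type alone alerts);
    require_entropy=True models it unset (a new type needs a high-entropy event too).
    """
    alerts = set()
    for name, high_entropy in events:
        ext = extension(name, normalise)
        if ext in known:
            continue
        if require_entropy and not high_entropy:
            continue
        alerts.add(ext)
    return alerts


if __name__ == "__main__":
    for require_entropy, normalise in ((False, False), (True, False), (False, True)):
        print(require_entropy, normalise,
              sorted(new_extension_alerts(EVENTS, KNOWN_EXTENSIONS, require_entropy, normalise)))
```

With the checkbox set, every lock file is its own "new" extension, which is why marking one as a false positive never stops the next day's batch; with it unset only the high-entropy writes remain.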

autumn egret

Fantastic response guys, much appreciated. We are on mainly 9.14.1P8 at present, moving to P9 from Tuesday. Will set the config recommendation as well. Noticed the latest ONTAP is currently at 9.15.1P4 but wary of being on the latest and greatest during the lower end of patch revisions. Will consider next month most probably as it matures.

zenith raptor
(replying to autumn egret: "Fantastic response guys much appreciated. We are on mainly 9.14.1p8 at present m...")

That's understandable, and we're looking into ways to more dynamically update ARP definitions beyond ONTAP updates. But those are likely going to ... well, I'll stop there. 🙂

https://www.youtube.com/watch?v=4-UBemSfxbo

Cough, cough, wink wink. Come join us on Tuesday; we'll be doing live Q&A.

crimson ledge

It would also be nice if the CLI interface was a little more flexible wrt wildcards. Since vserver and volume are required fields and don't accept *, it's pretty time-consuming to find all of the volumes that have a certain setting.

pale anchor

Ohhh yes, I agree. Had to disable the option mentioned above on ~250 volumes. Was not fun. Needed some Excel sheet shenanigans 🙄

crimson ledge

I usually just create the actual command lines with some ssh and awk foo.

Would be nice if the ARW snapshot policies were per SVM also, instead of node-based.

autumn egret

Would be good to have the option for ARP snapshot retention below 3 snapshots as well. We have some aggregates with limited space. Hopefully a distant memory when we move to FabricPool with StorageGRID underneath.

broken hornet

Also, lck files sound like you are running ARP on a VMware datastore, which will trigger false "negatives" because it's not really designed for datastores, more for CIFS or NFS volumes with "normal" files on them... (or have I misunderstood this?)

barren wren

Bringing this thread back from the depths.
With the new file type monitoring removed we got alerts to drop significantly, but autogenerated documents and EDA/SW development files still tend to pop up quite frequently, making the NetApp "cry wolf" time and again.
My question for NetApp/ARP pros: is ARP suggested to be used in work areas or other volumes where data might be rapidly changing, or will we be slowly teaching our ARP not to react to anything with almost daily "false positive" checks?