Using GuardMode Scan

PreviousImmutability in vStor NextUsing Multipath Storage

Last updated 8 months ago

Initiating a GuardMode Scan

To begin a GuardMode scan on a mounted filesystem:

In the volume view of your mounted filesystem, click on the GuardMode Scan tab.

Click the Scan with GuardMode button to start the scan.

Now, the table will display detected suspicious files in real-time.

Tip. Always scan mounted snapshots before restoring data to production environments. This best practice helps prevent the introduction of compromised data into your systems.

Understanding Scan Results

The scan results table provides comprehensive information about potentially compromised files. It consists of four columns:

Suspicious File: Lists the path and name of files flagged during the scan.

Entropy Result: Indicates the level of randomness in the file's content, which can be a sign of encryption.

Magic Number Result: Shows whether the file's signature matches its expected file type.

Matched Blocklist Pattern: Displays any blocklist patterns that the file matched against.

Tip. Files with high entropy, mismatched magic numbers, or those matching blocklist patterns are more likely to be compromised. Regularly update your GuardMode blocklist to stay protected against the latest threats.

Interpreting and Acting on Scan Results

If GuardMode Scan detects suspicious files in a snapshot:

Review the scan results carefully.

Understand that a compromised snapshot can indicate an infected system at the time the snapshot was taken.

Do not restore from this snapshot. Instead, navigate to earlier snapshots and scan them with GuardMode.

Continue this process until you find a clean snapshot without any suspicious files.

Use the earliest clean snapshot for your restoration to ensure you're reverting to a state before the infection occurred.