Using GuardMode Scan
Last updated
Last updated
GuardMode Scan is a powerful feature that allows you to scan mounted filesystems for potential ransomware infections or data encryption. This tool is particularly useful when you want to ensure the integrity of your data before restoring it to production environments.
See also. vStor 4.12 is bundled with GuardMode Agent 2024.2. For more information, see GuardMode 2024.2 documentation.
To begin a GuardMode scan on a mounted filesystem:
In the volume view of your mounted filesystem, go to the GuardMode Scan tab.
Click the Scan with GuardMode… button.
In the Scan with GuardMode confirmation dialog, click Scan. The scan will start. Note that this action may take some time depending on the file system size.
To stop the scan before it is completed:
During a GuardMode scan, click the Stop scan button.
In the confirmation dialog, click Stop scan. The scan will be stopped.
To restart the GuardMode scan, click the Rescan button.
Tip. Always scan mounted snapshots before restoring data to production environments. This best practice helps prevent the introduction of compromised data into your systems.
The automated GuardMode scan feature is controlled at the volume level. It can be enabled or disabled by the admin user and any standard user with pool-wide privileges. When enabled, all newly created filesystem snapshots on the volume will be scanned automatically when detected.
Note. Snapshots existing on the volume before the automated GuardMode scan was enabled will not be scanned automatically.
To enable the automated GuardMode scan:
In the volume view, go to the Details tab.
Switch on the Automatically scan snapshots with GuardMode toggle. The success message will confirm the feature is now enabled. The scan will use default GuardMode settings.
The scan results table provides comprehensive information about potentially compromised files. It consists of four columns:
Suspicious File: Lists the path and name of files flagged during the scan.
Entropy Result: Indicates the level of randomness in the file's content, which can be a sign of encryption.
Magic Number Result: Shows whether the file's signature matches its expected file type.
Matched Blocklist Pattern: Displays any blocklist patterns that the file matched against.
Tip. Files with high entropy, mismatched magic numbers, or those matching blocklist patterns are more likely to be compromised. Regularly update your GuardMode blocklist to stay protected against the latest threats.
If GuardMode Scan detects suspicious files in a snapshot:
Review the scan results carefully.
Understand that a compromised snapshot can indicate an infected system at the time the snapshot was taken.
Do not restore from this snapshot. Instead, navigate to earlier snapshots and scan them with GuardMode.
Continue this process until you find a clean snapshot without any suspicious files.
Use the earliest clean snapshot for your restoration to ensure you are reverting to a state before the infection occurs.
You can view the details of previous GuardMode scans.
In the Storage view, select a volume and go to the Snapshots tab.
The GuardMode Scan History dialog shows scan dates for all GuardMode scans performed on the selected snapshot. To see more details, click the Show scan result button.
View the detailed GuardMode scan history for the selected snapshot.
Click the icon next to the snapshot name or select Shot GuardMode scan history from the More actions menu.
