vStor 4.12 Documentation

Using GuardMode Scan


Last updated 3 months ago

GuardMode Scan is a powerful feature that allows you to scan mounted filesystems for potential ransomware infections or data encryption. This tool is particularly useful when you want to ensure the integrity of your data before restoring it to production environments.

See also. vStor 4.12 is bundled with GuardMode Agent 2024.2. For more information, see the GuardMode 2024.2 documentation.

Initiating a GuardMode Scan

To begin a GuardMode scan on a mounted filesystem:

  1. In the volume view of your mounted filesystem, go to the GuardMode Scan tab.

  2. Click the Scan with GuardMode… button.

  3. In the Scan with GuardMode confirmation dialog, click Scan. The scan will start. Note that this action may take some time depending on the file system size.

Aborting a GuardMode Scan

To stop the scan before it is completed:

  1. During a GuardMode scan, click the Stop scan button.

  2. In the confirmation dialog, click Stop scan. The scan will be stopped.

  3. To restart the GuardMode scan, click the Rescan button.

Tip. Always scan mounted snapshots before restoring data to production environments. This best practice helps prevent the introduction of compromised data into your systems.

Automated GuardMode Scan

The automated GuardMode scan feature is controlled at the volume level. It can be enabled or disabled by the admin user and any standard user with pool-wide privileges. When enabled, all newly created filesystem snapshots on the volume will be scanned automatically when detected.

Note. Snapshots existing on the volume before the automated GuardMode scan was enabled will not be scanned automatically.

To enable the automated GuardMode scan:

  1. In the volume view, go to the Details tab.

  2. Switch on the Automatically scan snapshots with GuardMode toggle. The success message will confirm the feature is now enabled. The scan will use default GuardMode settings.

Understanding Scan Results

The scan results table provides comprehensive information about potentially compromised files. It consists of four columns:

  1. Suspicious File: Lists the path and name of files flagged during the scan.

  2. Entropy Result: Indicates the level of randomness in the file's content, which can be a sign of encryption.

  3. Magic Number Result: Shows whether the file's signature matches its expected file type.

  4. Matched Blocklist Pattern: Displays any blocklist patterns that the file matched against.

Tip. Files with high entropy, mismatched magic numbers, or those matching blocklist patterns are more likely to be compromised. Regularly update your GuardMode blocklist to stay protected against the latest threats.
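The three checks behind the result columns can be illustrated with a short script. This is an added example, not GuardMode's code: the entropy threshold, the signature table, the blocklist patterns and the sample files are all assumptions constructed for illustration.

```python
import fnmatch
import math
from collections import Counter

# Assumed values; GuardMode's real threshold, signatures and blocklist are not on this page.
ENTROPY_THRESHOLD = 7.5                      # bits per byte, maximum is 8.0
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04"}
BLOCKLIST = ["*.locked", "*.encrypted", "*README_DECRYPT*"]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def magic_mismatch(name: str, data: bytes) -> bool:
    """True when the extension has a known signature and the content lacks it."""
    for ext, sig in MAGIC.items():
        if name.lower().endswith(ext):
            return not data.startswith(sig)
    return False  # unknown extension: nothing to compare against

def blocklist_match(name: str):
    """Return the first blocklist pattern the file name matches, or None."""
    return next((p for p in BLOCKLIST if fnmatch.fnmatchcase(name, p)), None)

def scan(files: dict) -> list:
    """One row per suspicious file: (path, entropy, magic mismatch, pattern)."""
    rows = []
    for name, data in files.items():
        entropy = shannon_entropy(data)
        mismatch = magic_mismatch(name, data)
        pattern = blocklist_match(name)
        if entropy > ENTROPY_THRESHOLD or mismatch or pattern:
            rows.append((name, round(entropy, 2), mismatch, pattern))
    return rows

# Constructed sample "snapshot": path -> file content.
SAMPLE = {
    "docs/report.pdf": b"%PDF-1.7\n" + b"plain text body " * 64,
    "docs/invoice.pdf": bytes(range(256)) * 16,  # uniform bytes stand in for ciphertext
    "docs/notes.txt.locked": b"hello " * 100,
    "docs/readme.txt": b"ordinary text " * 50,
}

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```

High entropy alone also flags legitimately compressed or encrypted files, which is why the table reports the three results side by side.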

Interpreting and Acting on Scan Results

If GuardMode Scan detects suspicious files in a snapshot:

  1. Review the scan results carefully.

  2. Understand that a compromised snapshot can indicate an infected system at the time the snapshot was taken.

  3. Do not restore from this snapshot. Instead, navigate to earlier snapshots and scan them with GuardMode.

  4. Continue this process until you find a clean snapshot without any suspicious files.

  5. Use the earliest clean snapshot for your restoration to ensure you are reverting to a state before the infection occurred.

Viewing GuardMode Scan History

You can view the details of previous GuardMode scans.

  1. In the Storage view, select a volume and go to the Snapshots tab.

  2. Click the icon next to the snapshot name or select Show GuardMode scan history from the More actions menu.

  3. The GuardMode Scan History dialog shows scan dates for all GuardMode scans performed on the selected snapshot. To see more details, click the Show scan result button.

  4. View the detailed GuardMode scan history for the selected snapshot.
