Using GuardMode Scan
GuardMode Scan is a powerful feature that allows you to scan mounted filesystems for potential ransomware infections or malicious data encryption. This tool is particularly useful when you want to ensure the integrity of your data before restoring it to production environments.
Initiating a GuardMode Scan
To begin a GuardMode scan on a mounted filesystem:
In the volume view of your mounted filesystem, go to the GuardMode Scan tab.

Click the Scan with GuardMode… button to launch the Scan with GuardMode dialog window.

Select scan scope.
Select Full to perform a full GuardMode scan of the mounted file system.
Select Incremental since last scan to scan only files that were not present during the last scan.
Select Incremental after a specified date to include only files that were modified after that time. GuardMode uses each file's modified date attribute to determine which files should be scanned.

Click Scan. The GuardMode scan will start. Note that this action may take some time, depending on the file system size.
Aborting a GuardMode Scan
To stop the scan before it is completed:
During a GuardMode scan, click the Stop scan button.

In the confirmation dialog, click Stop scan. The scan will be stopped.

To restart the GuardMode scan, click the Rescan button.

Automatic GuardMode Scan
The automatic GuardMode scan feature is controlled at the volume level. It can be enabled or disabled by the admin user and any standard user with pool-wide privileges. When enabled, all newly created filesystem snapshots on the volume will be scanned automatically when detected.
To enable the automated GuardMode scan:
In the volume view, go to the Details tab.
Switch on the Automatically scan snapshots with GuardMode toggle. The success message will confirm the feature is now enabled. The scan will use default GuardMode settings.

Understanding Scan Results
The scan results table provides comprehensive information about potentially compromised files. It consists of four columns:
Suspicious File: Lists the path and name of files flagged during the scan.
Entropy Result: Indicates the level of randomness in the file's content, which can be a sign of encryption.
Magic Number Result: Shows whether the file's signature matches its expected file type.
Matched Blocklist Pattern: Displays any blocklist patterns that the file matched against.
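How the Entropy Result and Magic Number Result columns relate to a file's content, as an added example that is not GuardMode's implementation. The signature table, the 7.5 bits-per-byte threshold, and the rule combining the two checks are assumptions, and the sample data is constructed.

```python
import math
import os
from collections import Counter

# Assumed signature table (well-known magic numbers); GuardMode's own list is not documented here.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits per byte; the maximum is 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def magic_matches(name: str, data: bytes):
    """True/False when the extension has a known signature, None when it has none."""
    sig = MAGIC.get(os.path.splitext(name)[1].lower())
    return None if sig is None else data.startswith(sig)

def check_file(name: str, data: bytes) -> dict:
    """Combine both checks: high entropy only counts when the signature does not vouch for it."""
    ent = shannon_entropy(data)
    magic_ok = magic_matches(name, data)
    high = ent > ENTROPY_THRESHOLD
    return {
        "file": name,
        "entropy": round(ent, 2),
        "high_entropy": high,
        "magic_ok": magic_ok,
        "suspicious": high and magic_ok is not True,
    }

# Constructed samples: UNIFORM stands in for encrypted content (every byte value equally likely).
UNIFORM = bytes(range(256)) * 16
SAMPLES = {
    "report.pdf": UNIFORM,                       # header overwritten, random-looking body
    "archive.zip": b"PK\x03\x04" + UNIFORM,      # compressed data, signature intact
    "invoice.pdf": b"%PDF-1.7\n" + b"Total due: 100.00\n" * 200,
    "notes.txt": b"meeting notes " * 200,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
```

The `archive.zip` sample shows why the entropy column alone is not a verdict: compressed formats are high-entropy by design, and in this sketch the intact signature is what separates them from the overwritten `report.pdf`.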
Interpreting and Acting on Scan Results
If GuardMode Scan detects suspicious files in a snapshot:
Review the scan results carefully.
Understand that a compromised snapshot can indicate an infected system at the time the snapshot was taken.
Do not restore from this snapshot. Instead, navigate to earlier snapshots and scan them with GuardMode.
Continue this process until you find a clean snapshot without any suspicious files.
Use the earliest clean snapshot for your restoration to ensure you are reverting to a state before the infection occurred.
Viewing GuardMode Scan History
You can view the details of previous GuardMode scans.
In the Storage view, select a volume and go to the Snapshots tab.
Click the icon next to the snapshot name or select Show GuardMode scan history from the More actions menu.

The GuardMode Scan History dialog shows scan dates for all GuardMode scans performed on the selected snapshot. If a scan has found suspicious files, you can download the GuardMode Scan results as a .CSV file, using the download icon in the rightmost column.
