Problem: I have many ARP snapshots that are false positives.
What I want: I want to know how to get rid of them. I get an error when I try to delete the snapshots.
I have been combing through the NetApp documentation on how to "clear the attack". This page is the closest one I have found, yet it doesn't give me the answer.
Sometimes I see "View suspected file type" under "Abnormal volume activity detected", but this visualization either takes a few seconds to show up (no "waiting" indication) or never appears.
But what about when the ARP is fired due to entropy or file deletions or any of the other situations that can cause an ARP snapshot? How do I clear those? I see where I can tune those settings to avoid future issues, but how can I clear that event so that the OS will either automatically delete the ARP snapshot or allow me to?
The only workaround I have seen is to turn off ARP and then delete the snapshots. Is this the expected procedure?
I am using ONTAP 9.14.1P9, but I see no indication that later releases have what I am looking for.
I know this isn't the forum for feature requests, but I will offer them anyway:
- One click for ARP response: "No, this isn't a ransomware attack" and then the system automatically updates all its settings and deletes the ARP snapshots.
- An "alert only" mode where we get an alert, but no ARP snapshots are made. We already have snapshots where we want them and don't have snapshots on scratch data. However, my volumes are continually getting filled with ARP snapshots that I can't delete, and this is causing disruptions for my users. I want the AI to alert me, but I want the option to just take the volume offline or delete the data, since it is data that only has ephemeral value and where deletion, not restoration, is the preferred response to a ransomware attack. In other words, yes, I want to know if my company is being attacked on any volume, but I want a per-volume choice on what actions the ARP takes wrt snapshots.
@MikeSchoenfelder-MIPS thanks for the feedback and sorry for the response delay. We've made revisions to the ARP section of the documentation to try to make the content clearer. ARP snapshots are protected for a default period and that's probably why you weren't able to delete them manually. We've added some snapshot info to the topic you referenced. Clearing attacks is done through either System Manager or CLI commands. We've added some additional content in the steps to clarify what happens to snapshots and clearing. You don't need to turn off ARP to delete snapshots after their retention period. Based on your response, it seems like you might have found content on how to adjust snapshot settings. We hope the changes in content address similar concerns in the future.
Page URL
https://docs.netapp.com/us-en/ontap/anti-ransomware/respond-abnormal-task.html
Page title
Respond to abnormal activity