Configure advanced ransomware protection for Azure NetApp Files volumes (preview)

Ransomware attacks pose a huge threat to the integrity and reliability of data. Azure NetApp Files' advanced ransomware protection adds a line of defense at the storage level for your data. Advanced ransomware protection uses machine learning to develop a profile of your volumes, alerting you to perceived threats. Advanced ransomware protection is available to Azure NetApp Files at no additional cost.

Advanced ransomware protection builds its profile based on three inputs:

  • File extension types in the volume
  • Data entropy patterns in the volume
  • IOPS patterns in the volume

With this data, advanced ransomware protection monitors your volumes for patterns and extension types that deviate from the observed pattern, marking them as ransomware threats. Advanced ransomware protection builds a profile from machine learning and continues to refine its understanding of your workloads based on usage patterns. Advanced ransomware protection hones this profile based on your inputs, learning as you respond to threats.

Advanced ransomware protection's alert mechanisms enable you to stay vigilant in preventing ransomware attacks on your data and maintaining the resiliency of your workload. If a threat is detected, Azure NetApp Files creates a point-in-time snapshot of the volume. You can then evaluate the threat and, if necessary, restore the volume based on the snapshot, ensuring the continuity and safety of your data.

Register the feature

Advanced ransomware protection is currently in preview. You must register the feature before using it for the first time.

  1. Register the feature:

    Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFAntiRansomware
    
  2. Check the status of the feature registration:

    Note

    The RegistrationState may be in the Registering state for up to 60 minutes before changing to Registered. Wait until the status is Registered before continuing.

    Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFAntiRansomware
    

You can also use Azure CLI commands az feature register and az feature show to register the feature and display the registration status.
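
The Azure CLI route mentioned above, as an added example that is not part of the original page: it registers the feature and polls az feature show until the state is Registered, giving up after the 60-minute window from the note. The function names, the default poll interval, and the --run argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the registration steps.
# Assumes az is installed, logged in, and the target subscription is selected.
NAMESPACE="Microsoft.NetApp"
FEATURE="ANFAntiRansomware"

# Print the current registration state (for example Registering or Registered).
feature_state() {
    az feature show --namespace "$NAMESPACE" --name "$FEATURE" \
        --query properties.state --output tsv
}

# Poll until the state is Registered.
#   $1 timeout in seconds (default 3600, the 60-minute window in the note)
#   $2 poll interval in seconds (default 60, an assumed value)
# Returns 0 when Registered, 1 on timeout, 2 if the state cannot be read.
wait_for_registration() {
    _timeout="${1:-3600}"; _interval="${2:-60}"; _elapsed=0
    while :; do
        _state="$(feature_state)" || return 2
        [ "$_state" = "Registered" ] && return 0
        [ "$_elapsed" -ge "$_timeout" ] && return 1
        echo "state=${_state}, waited ${_elapsed}s" >&2
        sleep "$_interval"
        _elapsed=$((_elapsed + _interval))
    done
}

# Request registration, then wait for it to complete.
register_feature() {
    az feature register --namespace "$NAMESPACE" --name "$FEATURE" \
        --output none || return 2
    wait_for_registration "$@"
}

# Only act when called with --run (hypothetical flag of this script),
# so the functions can also be sourced into another script.
if [ "${1:-}" = "--run" ]; then
    register_feature && echo "$FEATURE is Registered."
fi
```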

Enable advanced ransomware protection on a new volume

  1. Follow the workflow to create a new NFS, SMB, or dual-protocol volume.
  2. In the Advanced Ransomware Protection field of the Basics tab, select Enabled.
  3. After you create the volume, you can confirm your settings in the volume overview. If you've enabled ransomware protection, the Advanced Ransomware Protection field shows as enabled.

Enable advanced ransomware protection for existing volumes

  1. Navigate to the volume for which you want to enable advanced ransomware protection.

  2. Select Advanced Ransomware Protection under the Storage services menu in the sidebar.

  3. Select Enable Protection.

    Screenshot of enabling ransomware protection.

  4. Click Yes to confirm enabling ransomware protection.

    Screenshot to confirm enabling ransomware protection.

  5. Ensure that the protection state is Enabled.

    Screenshot of the state of ransomware protection.

Respond to ransomware threats

  1. Select Advanced Ransomware Protection under the Storage services menu in the sidebar.

  2. Suspected attacks are displayed under Active threats. Expand each threat to view the suspect files.

    Screenshot of ransomware threats.

  3. If you know the files are not an active threat, mark the active threat as a False positive.

    If you believe the files are a threat, select Threat. You can then revert the volume based on the last snapshot captured before the threat.

  4. Once you've resolved the threat, you can view archived ransomware reports on the same page. Reports are archived for 30 days.

Pause ransomware protection

  1. Navigate to the volume for which you want to pause ransomware protection. Select Advanced Ransomware Protection under the Storage services menu in the sidebar.
  2. Select Pause Protection.
  3. To enable protection again, return to the volume’s Advanced Ransomware Protection menu, then select Resume Protection.

Disable ransomware protection

  1. Navigate to the volume for which you want to disable ransomware protection. Select Advanced Ransomware Protection under the Storage services menu in the sidebar.
  2. Select Disable Ransomware Protection.