Is ANR3692W messages normal in S.P 8.1.5 and above?

[Nicke]

Hi out there!

I notice a lot of these ANR3692W warnings in the actlog on several Spectrum Protect server instances that use version 8.1.5 or 8.1.6.

On one of these backup servers we do not use de-duplication Container/Directory pools at all but still get these warnings:

Example:
”A client backup anomaly was detected ...”
04/01/19 04:31:33 ANR3692W A client backup anomaly was detected for node
xxx_YYYY, session number 78127. The average number of
backed up bytes is 1028601020, the actual number of
backed up bytes was 2348481452, the average data
deduplication is 98 percent, and the actual data deduplication was 0 percent

Kind Regars,
Nicke

 

[RecoveryOne]

I think this was part of IBM's attempt to help look out for ransomware events which was introduced in 8.1.5 or there abouts if I am not mistaken. At least in my environment the messages are fairly common but I don't do any reporting based on it.

 

[marclant]

I think this was part of IBM's attempt to help look out for ransomware events which was introduced in 8.1.5 or there abouts if I am not mistaken. At least in my environment the messages are fairly common but I don't do any reporting based on it.

Yes, that's it.

So, that warning will appear with one of the following conditions:
- the amount of bytes backed up is larger than previous backups, if files were to be infected with malware, that would trigger a change and the file would be backed up
- the dedup ratio is much worse than it was in previous backup, files infected with malware are often encrypted by the malware, and encrypted files don't dedup well

There could be other reasons for backing up more data and/or having a lower dedup ratio that are not malware: ACL change, large directory moved, a large quantity of files were added/modified and they don't dedup well. For that reason, the server is warning you, you can chose to ignore it or check those clients to see if there are concerns or not.

 

[Nicke]

Thanks alot for this answer.