• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Is ANR3692W messages normal in S.P 8.1.5 and above?

Nicke

ADSM.ORG Senior Member
#1
Hi out there!

I notice a lot of these ANR3692W warnings in the actlog on several Spectrum Protect server instances that use version 8.1.5 or 8.1.6.

On one of these backup servers we do not use de-duplication Container/Directory pools at all but still get these warnings:

Example:
”A client backup anomaly was detected ...”
04/01/19 04:31:33 ANR3692W A client backup anomaly was detected for node
xxx_YYYY, session number 78127. The average number of
backed up bytes is 1028601020, the actual number of
backed up bytes was 2348481452, the average data
deduplication is 98 percent, and the actual data deduplication was 0 percent

Kind Regars,
Nicke
 

RecoveryOne

ADSM.ORG Senior Member
#2
I think this was part of IBM's attempt to help look out for ransomware events which was introduced in 8.1.5 or there abouts if I am not mistaken. At least in my environment the messages are fairly common but I don't do any reporting based on it.
 

marclant

ADSM.ORG Moderator
#3
I think this was part of IBM's attempt to help look out for ransomware events which was introduced in 8.1.5 or there abouts if I am not mistaken. At least in my environment the messages are fairly common but I don't do any reporting based on it.
Yes, that's it.

So, that warning will appear with one of the following conditions:
- the amount of bytes backed up is larger than previous backups, if files were to be infected with malware, that would trigger a change and the file would be backed up
- the dedup ratio is much worse than it was in previous backup, files infected with malware are often encrypted by the malware, and encrypted files don't dedup well

There could be other reasons for backing up more data and/or having a lower dedup ratio that are not malware: ACL change, large directory moved, a large quantity of files were added/modified and they don't dedup well. For that reason, the server is warning you, you can chose to ignore it or check those clients to see if there are concerns or not.
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 12 15.8%
  • Keep using TSM for Spectrum Protect.

    Votes: 48 63.2%
  • Let's be formal and just say Spectrum Protect

    Votes: 9 11.8%
  • Other (please comement)

    Votes: 7 9.2%

Forum statistics

Threads
31,354
Messages
133,546
Members
21,475
Latest member
sag
Top