PowerProtect Data Manager 19.10 Cyber Recovery User Guide

Analyzing a copy

Analyze a point-in-time (PIT) copy by using the CyberSense feature in the Cyber Recovery vault.

1. Select Policies from the Main Menu.
2. On the Policies content pane, click Copies to display the list of existing copies.
   You cannot run an analysis concurrently on a copy of the same policy. Otherwise, the Cyber Recovery software displays an informational message and does not create a job. When the initial job is completed, run the analysis on the copy. You can run concurrent analyses on copies of different policies.
3. Select the copy to analyze, and click Analyze.
   If you do not have a valid license for the CyberSense feature, the Analyze button is disabled.
4. From the Application Host list box, select the application nickname for the CyberSense feature.
5. Use the slider next to Advance Options to enable you to set more options.
6. Optionally, select a content format from the drop-down menu.
   Choose from Filesystem, Databases, or Backup. This option is for informational purposes only.
7. Optionally, select the network storage interface through which the CyberSense feature connects to storage.
8. Optionally, enter text files and directories on which you want the Analyze action to run.
   Either:

   • Type the file and directory names, each on a separate line.
   • Click Choose File to select the files and directories that are on the host on which the Cyber Recovery UI is running. Files must be text (.txt) files. This option overwrites the content in the text box with the content in the file.
9. Optionally, enter text files and directories that you want the Analyze action to ignore.
   Either:

   • Type the file and directory names, each on a separate line.
   • Click Choose File to select the files and directories that are on the host on which the Cyber Recovery UI is running. Files must be text (.txt) files. This option overwrites the content in the text box with the content in the file.
10. Click Apply.

    The policy starts a job that you can view on the Jobs page. If the analysis indicates possible malware or other anomalies, the Cyber Recovery software generates an alert and the job status is listed as Critical. Otherwise, the job status is listed as Success.

    On the Copies page, the Last Analysis column of the copy being analyzed shows Analysis in Progress.

11. Optionally, cancel a running analysis, otherwise go to the next step:
    1. Select Jobs from the Main Menu.
    2. Select the running Analyze job.
    3. Click Cancel Job.

    The Cyber Recovery software generates an alert for the cancel request. When the job is canceled, you can immediately start another Analyze job.

12. When the analysis is complete, return to the list of copies under Policies > Copies and click in the copy's row.

    The Last Analysis column shows the results as Suspicious, Good, or Partial.

    If you canceled an analysis job that is in progress or the analysis skips any files, the Last Analysis column shows the result as Partial and the job status is Canceled. An email message and the logs indicate that the analysis job was partially successful.

    If the analysis detects an anomaly, the Last Analysis column shows the result as Suspicious and the job status is Critical. An alert notifies you about the anomalies. Acknowledge the alert, otherwise the report for the next analysis includes the anomaly along with any new anomalies.

    If an Analyze job fails, the Cyber Recovery software generates an alert.