September 20th, 2022 07:00

.info files created on root of server volumes

On our file servers we use File Server Resource Manager with File type screening for Any Ransomware. This picks up various file extensions and file names that have been picked up as risky and blocks them if an account tries to move a file of that type on that server and then blocks that account from accessing shares.

We keep getting alerts that a .info file has been blocked which appears to be in relation to Networker.

Body: User NT AUTHORITY\SYSTEM attempted to save D:\DellEMC_VolumeID_D%3A%5C.info to D:\ on the Server_01 server. This file is in the "Anti-Ransomware File Group" file group, which is not permitted on the server.

I'm struggling to find anything that tells me what this file is required for.  It doesn't appear on all backed up volumes but is on quite a lot.

I could add an exception on the FSRM but it would be good to understand what this file is for and if it is actually required. If it isn't, could I stop it getting created?

September 22nd, 2022 06:00

These files with "DellEMC_VolumeID*info" come from the NW FLR agent, as stated in the nw19.5 admin guide and vmware integration guides:
"NOTE: vProxy FLR Agent creates and maintains a file on each discovered file system (volume) that has information about the volume’s original path. The file name is in the form “DellEMC_VolumeID_path.info”, where the path is in URL-encoded form of the last discovered path of the file system. These files are used during the FLR mount operation and are recreated again if they are found missing."

So if you'd want any files to be excluded from any FSRM checks, don't exclude them based on extension only, but rather by name. Maybe something like "DellEMC_VolumeID_*.info" so that they still might complain about any other .info file? So it comes from the NW vmware vproxy based backup and in this case recovery using FLR (file level recovery).
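The naming rule quoted in the answer above can be checked mechanically before an FSRM alert is dismissed. The following Python sketch is an added example, not code from the thread or from Dell: it parses alert bodies in the format shown in the question, URL-decodes the volume path from the file name, and separates FLR marker files from other blocked .info files. The verdict labels, the requirement that the writer is NT AUTHORITY\SYSTEM, and the second and third sample alerts are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Sample alert bodies: the first is the alert quoted in the question,
# the other two are constructed for this example.
SAMPLE_ALERTS = [
    r'User NT AUTHORITY\SYSTEM attempted to save D:\DellEMC_VolumeID_D%3A%5C.info to D:\ on the Server_01 server.',
    r'User CORP\jdoe attempted to save E:\Shares\readme.info to E:\Shares\ on the Server_01 server.',
    r'User CORP\jdoe attempted to save D:\DellEMC_VolumeID_notes.info to D:\ on the Server_01 server.',
]

# Layout of the FSRM notification body as it appears in the thread.
# Paths that themselves contain " to " would need a stricter parser.
ALERT_RE = re.compile(
    r'User (?P<user>.+?) attempted to save (?P<path>.+?) to (?P<dir>.+?)'
    r' on the (?P<server>\S+) server')
# "DellEMC_VolumeID_path.info", where path is URL-encoded (admin guide note).
MARKER_RE = re.compile(r'^DellEMC_VolumeID_(?P<enc>.+)\.info$', re.IGNORECASE)
# Assumption: a genuine marker decodes to a drive-rooted Windows path.
WIN_ABS_PATH = re.compile(r'^[A-Za-z]:\\')


def triage(body):
    """Classify one FSRM alert body; returns a dict with a 'verdict' key."""
    m = ALERT_RE.search(body)
    if not m:
        return {'verdict': 'unparsed'}
    name = m['path'].rsplit('\\', 1)[-1]
    result = {'user': m['user'], 'file': name,
              'server': m['server'], 'volume_path': None}
    marker = MARKER_RE.match(name)
    if not marker:
        # Some other blocked file: the screen did its job, keep the alert.
        result['verdict'] = 'other-blocked-file'
        return result
    decoded = unquote(marker['enc'])
    result['volume_path'] = decoded
    # Assumption: the FLR agent writes as SYSTEM, as in the quoted alert.
    is_system = m['user'].upper() == r'NT AUTHORITY\SYSTEM'
    looks_like_volume = bool(WIN_ABS_PATH.match(decoded))
    result['verdict'] = 'flr-marker' if is_system and looks_like_volume else 'review'
    return result


if __name__ == '__main__':
    for alert in SAMPLE_ALERTS:
        print(triage(alert))
```

A name-based exclusion such as "DellEMC_VolumeID_*.info" matches the third sample as well, which is why the sketch sends it to review instead of treating the prefix alone as proof of origin.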

2.4K Posts

September 20th, 2022 14:00

It is not easy to answer this question, most likely due to the fact that the experience with FSRM seems to be rare. I personally did not encounter any installation during my years as administrator.

Per se, a file with the name ".info" which you can easily create, will be treated by the NW software like any other file. So the message you see is obviously generated by FSRM itself.

I found a link which contains the FSRM file extension list: https://fsrm.experiant.ca/

As you can see, there are thousands of file extensions listed that are blocked - .info is one of them. This indicates my assumption that FSRM is complaining about it.

Whether it is important or not - who knows? - It would be good to find out which software generates these files. Then one could draw the necessary consequences. Here is another link which might help: https://fileinfo.com/extension/info

6 Posts

September 22nd, 2022 08:00

Thanks Barry, that looks to be the answer.

That makes sense that I've only had those files created on a few servers where I've installed and run FLR. I should be able to add an exception like you've suggested.
