Dell PowerProtect Cyber Recovery 19.13 Product Guide

Analyzing a copy

Analyze a point-in-time (PIT) copy by using the CyberSense in the Cyber Recovery vault.

1. Select Policies from the Main Menu.
2. On the Policies content pane, click Copies to display the list of existing copies.
   You cannot run an analysis concurrently on a copy of the same policy. Otherwise, the Cyber Recovery software displays an informational message and does not create a job. When the initial job is completed, run the analysis on the copy. You can run concurrent analyses on copies of different policies.
3. Select the copy to analyze, and click Analyze.
   If the CyberSense host has not been added to the Cyber Recovery vault, the Analyze button is disabled. If you do not have a valid CyberSense license, the Analyze button is enabled, but the job fails.
4. From the Application Host list box, select the application nickname for the CyberSense.
5. Use the slider next to Advanced Options to set more options.
6. Optionally, select a content format from the drop-down menu.
   Choose from:

   • Filesystem—For backups performed without backup software and by using NFS, CIFS, BoostFS, and so on
   • Databases—For database client-direct backups to the DD system using DD Boost for Enterprise Applications, DD Boost for Microsoft Applications, and so on
   • Backup—For database client-direct backups to the DD system using DD Boost for Enterprise Applications, DD Boost for Microsoft Applications, and so on.

   This information is included as part of the CyberSense report for informational purposes.
7. Optionally, if the CyberSense host is a CyberSense version earlier than 8.2, select the network storage interface through which the CyberSense feature connects to storage.
   If the CyberSense host is running version 8.2 or later, this option is not displayed.
8. Optionally, enter text files and directories on which you want the Analyze action to run.
   Either:

   • Type the file and directory names, each on a separate line.
   • Click Choose File to select the files and directories that are on the host on which the Cyber Recovery UI is running. Files must be text (.txt) files. This option overwrites the content in the text box with the content in the file.
9. Optionally, enter text files and directories that you want the Analyze action to ignore.
   Either:

   • Type the file and directory names, each on a separate line.
   • Click Choose File to select the files and directories that are on the host on which the Cyber Recovery UI is running. Files must be text (.txt) files. This option overwrites the content in the text box with the content in the file.
10. Click Apply.

    An informational message indicates that an analyze job is started and the Last Analysis column shows Analysis in Progress. To view the job's progress, click the link in the informational message or click Jobs > Protection Jobs > Running from the Main Menu.

    If the analysis indicates possible malware or other anomalies, the Cyber Recovery software generates an alert, the job status is displayed as Complete w/Exceptions, and the last analysis status for the copy is displayed as Suspicious. Otherwise, the job status is displayed as Successful.

    NOTE:If you started an Analyze action on a copy, and then start a Secure Copy Analyze action on the copy, the Sync, Copy, and Lock actions complete successfully. However, if the original Analyze action has not completed, the Analyze step of the Secure Copy Analyze action fails. Wait until the original Analyze action has completed and then run the Analyze action on the new copy manually or just let the next job run.
11. Optionally, cancel a running analysis, otherwise go to the next step:
    1. Click Jobs > Protection Jobs from the Main Menu.
    2. Click the Running tab.
    3. Click the radio button for the running Analyze job, click Cancel, and confirm the request.

       An informational message indicates that the job will be canceled and the job status shows as Canceling. The Status pane on the dashboard status also shows the job status and progress percentage. The Cyber Recovery software generates an event for the cancel request.

       When the job is canceled, you can immediately start another Analyze job.

    The Cyber Recovery software generates an event for the cancel request. When the job is canceled, you can immediately start another Analyze job.

    NOTE:The job stops after approximately 10 minutes, however, it might take longer.
12. When the analysis is complete, return to the list of copies under Policies > Copies to view the copy details.

    The Last Analysis column shows the results as Suspicious, Good, or Partial. The Details pane for the copy includes an Analysis Details section. If you run an Analyze operation using CyberSense version 8.0 or later, and the result is Suspicious, the Details pane provides a link to the analyze dashboard on the CyberSense host.

    If you canceled an analysis job that is in progress or the analysis skips any files, the Last Analysis column shows the result as Partial and the job status is Canceled. An email message and the logs indicate that the analysis job was partially successful.

    If the analysis detects an anomaly, the Last Analysis column shows the result as Suspicious and the job status is Failed. An alert notifies you about the anomalies. Acknowledge the alert, otherwise the report for the next analysis includes the anomaly along with any new anomalies.

    If an Analyze job fails, the Cyber Recovery software generates an alert.