Overview
Curated Snapshot is a unique version of snapshot that is a collection of the latest, safest, and most secure versions of files in a single snapshot. The Curated Snapshot is created by processing files from multiple snapshots within a specified date range. The files are processed and scanned for the following Indicators of Compromise:
Anti-Virus
File hash match
File extensions exclusion and encryption check
After the files folders are scanned for all the above-mentioned indicators, a Curated Snapshot is created for that server (File System or NAS) and is available for restore from the respective restore wizards. For more information, see,
β Important
By default, Curated Snapshot is the selected snapshot available for restoring server data if the Ransomware Recovery service is enabled for your organization and administrators have created a Curated Snapshot for servers (File Server or NAS).
Now, that you know what is Curated Snapshot, let us understand the workflow of how to use them.
Create a Curated Snapshot
β Important
You can create only one active Curated Snapshot per Backup Set per workload at a given point in time.
Procedure
Log in to Druva Cloud Platform (DCP) Console.
On the DCP Console dashboard, under Cyber Resilience, click the Ransomware Recovery service.
On the left pane, click Curated Snapshots > Create Curated Snapshots > For File Server and NAS. The Resources page appears.
Search for the servers for which you want to create Curated Snapshot. You can search for servers using either or a combination of the Organizations, Workload Type, and Workload Name.
Select the servers for which you want to create the snapshots and click Next.
On the Snapshot Details page, enter the Snapshot Parameters for the creation of the snapshot.
Click Submit. A Malicious File Scan or restore scan job is executed for all the snapshots for the mentioned date range. After the scan is complete, the most recent cleanest versions of the files are encapsulated to generate and create a single Curated Snapshot.
If an active Curated Snapshot already exists for a Backup Set for a workload, you will have the following options:
Create a new one and delete the existing one
OR
Keep the existing snapshot
Select the option as per your organization's requirements and click Continue.
You can view the status of Curated Snapshot creation on the Jobs page.
Snapshot Details page
The following table details the Snapshot Parameters for creating a Curated Snapshot.
Field | Description |
Date Range | Define a date range from which you want the snapshots to be processed and scanned for creating a Curated Snapshot.
Start Date: Select a Start Date.
End Date: Automatically calculated. The Date displayed here can either be the current date or 180 days from the start date, whichever is the nearest. The maximum limit for the date range is 180 days.
For example, if today's date is Aug 5, 2021. You select July 1, 2021, as the start date. In this case, 180 days is a futuristic date. Hence, the end date will be today's date/current date i.e. Aug 5, 2021, 23:59:59 PM. |
Retain Snapshot for | The number of days until which the Curated Snapshot will be retained and can be restored.
By default, the retention period is 15 days. The maximum limit for retention is 30 days. |
Indicators of Compromise | Define the indicators by which you want the snapshots should be scanned for malicious data.
By default, files within the snapshots are scanned for encryption checks, anti-virus, and pre-defined file hash matches.
Select the Exclude file extensions checkbox, and specify the file extensions to exclude those files from Curated Snapshot.
By default, a case-insensitive file extension match is used for file extension exclusion comparison.
Toggle the button to enable and allow case-sensitive comparison. |
Know how the Curated Snapshot is created
Here's an example that explains how the Curated Snapshot is created based on the defined Date Range and Indicators of Compromise (Anti-Virus, File Hash match, file extensions exclusion, or encryption) encountered or detected.
Resource Name: WINS3RV3R-KA1W (File Server)
Resource Type: File Server
Snapshot - Create date | Version | Files | Action |
Snapshot 1 - Aug 1, 2021 | 16 | file 1, file 2, file 3 | Files added |
Snapshot 2 - Aug 1, 2021 | 17 | file 1, file 2, file 3 | No change |
Snapshot 3 - Aug 2, 2021 | 18 | file 1, file 2, file 3, file 4, file 5 | Added: file 4, file 5, and file 6
Modified: file 1 |
Snapshot 4 - Aug 2, 2021 | 19 | file 1, file 3, file 4, file 5 | Deleted: file 2. |
For the creation of a Curated snapshot the maximum date range limit is 180 days. Assume that today's date is Aug 5, 2021.
if you select Jan 1, 2020 as the start date, the end date will be Jan 1, 2020, +180 days.
If you select July 1, 2021 as the start date, +180 days is a futuristic date. Therefore, the current date/today's date is considered as the end date. i.e Aug 5, 2021, 23:59:59.
In the case of the above example, if you select July 1 as the Start Date, the End Date will be Aug 5, 2021, 23:59:59. Once the date range is defined, the scan job is executed on Snapshot versions 16, 17, 18, and 19.
During the scan, file hash match is detected for file 1, and file extensions exclusion is detected for file 5 in version 18. The file 1 in version 18 is skipped from Curated Snapshot.
The scan is then performed on a previous version (version 16) that contains file 1. If the scan does not detect any Indicators of Compromise that indicate any malicious attacks on the file, then, file 1 from version 16 is considered for the creation of Curated Snapshot. Also, file 5 will not be included in the Curated Snapshot.
So, the final Curated Snapshot created will include:
Version 16: file 1, file 2,and file 3
Version 18: file 4 and file 6
Verify Curated Snapshot Job status
Whenever you submit a request for Create Curated Snapshot, a scan job is initiated. You can monitor and manage all the scan jobs from the Jobs tab . TheLast Updated at timestamp is displayed beside the page heading to help you understand when the details of the page were last updated.
Only after the job is complete, the Curated Snapshot gets created. You can view a summary of the scan job from the Jobs page.
β Important
For Curated Snapshot, jobs are retained for 180 days.
You can cancel an ongoing job if you initiated the request by mistake or no longer need to create Curated Snapshot.
Click the Job ID to view the following job details:
Fields | Description |
Job Details section | |
Job ID | The unique ID of the scan job. |
Resource Name | The name of the data source. |
Resource Type | The type of the data source. Example: File Server |
Workload Name | The name of the workload. |
Created By | The name of the administrator who initiated the job. |
Start Time | The time when the scan job was initiated. |
End Time | The time when the scan job finished. If the job ended prematurely due to cancelation, or due to failure, this field displays that timestamp. |
Organization Name | The name of the organization. |
Snapshot Creation Status | The current status of the job. It can be any of the following:
|
Curated Snapshot section | |
Snapshot | The name of the snapshot. |
Size | The size of the snapshot. |
Date Range | The start and end date selected for the creation of the snapshot. |
Retained Till | The date and timestamp when the snapshot will expire. |
#Files Included | The count of files included for snapshot creation. |
Snapshot Availability | Status of the snapshot which can be any one of the following:
|
You can download the report to view the details of the scanned files.
Download Report
On the Jobs details page, click Download Report to download the report of the Curated Snapshot to view details of the malicious files within this snapshot. The report is downloaded in <Druva_CuratedSnapshot_JobID_<JobIDnumber>_<curatedsnapshotname>.csv.zip format. For example, <Druva_CuratedSnapshot_JobID_45_Sep_16_2021_12_02>.csv.zip .
Expand the zip folder to view the CSV file. The CSV file provides the following details.
Field | Description |
File Name | Name of the scanned file. |
File Type | Type of file. It can be either a file or folder. |
Path | Location of the file. |
Backup Folder | The folder from which the file is created. |
Modified time | Date and timestamp when modifications were made to the file. This is the administrator's timezone.
For example, Jun 23, 2020 15:04. |
Is Skipped from Curated Snapshot | Displays "True" if the file was skipped for Curated Snapshot.
Displays "False" if the file was not skipped from Curated Snapshot. |
Reason to skip from Curated Snapshot | Details of why the file was skipped. |
Snapshot Name | Name of the snapshot from which the file is used for the creation of Curated Snapshot.
For example, Tue Aug 31 12:23:43 2021. |
Delete Snapshot
β Important
You cannot delete a snapshot that is a part of active Curated Snapshot.
You can delete the snapshots that are no longer required.
On the Curated Snapshot dashboard, select the snapshot that you want to delete.
On the Delete Snapshot confirmation pop-up, specify the reason for deletion (the reason is mandatory with a character limit between 10-150) and then click Delete. Snapshot once deleted cannot be retrieved. The reason for deletion will be captured in the Audit Trail for auditing purposes.
View and Restore data from Curated Snapshot
If you are reading this section, that means Curated Snapshot is created successfully and is listed in the Curated Snapshots > Snapshot tab.
For File Server
Procedure
On the Curated Snapshots> Snapshot tab, click on the snapshot for the File Server for which you want to view and restore data. You will be redirected to the File Backup Sets > Backups page.
The Curated Snapshot card is displayed and you can restore data from this snapshot. For more information, see File Servers.
π‘ Tip
The curated snapshot icon is displayed beside the snapshots that are used for creating Curated Snapshot.
For NAS
Procedure
On the Curated Snapshots > Snapshot tab, click on the snapshot for the NAS device for which you want to view and restore data. You will be redirected to the Backup Sets > Backups page.
The Curated Snapshot card is displayed and you can restore data from this snapshot. For more information, see NAS.
π‘ Tip
The curated snapshot is displayed beside the snapshots that are used for creating Curated Snapshot.
π Note
β Restore from Curated Snapshot is supported only for Hot and Warm snapshots.
By default, Curated Snapshot is the selected snapshot available for restoring server data if the Ransomware Recovery service is enabled for your organization and administrators have created a Curated Snapshot for servers (File Server or NAS).
β Important
You cannot delete a snapshot that is a part of active Curated Snapshot.