Skip to main content
All CollectionsCyber ResilienceRansomware RecoveryThreat Hunting
Troubleshooting and FAQ's for Threat Hunting
Troubleshooting and FAQ's for Threat Hunting
Updated over a month ago

The following article provides information about FAQ's and troubleshooting Threat Hunting issues.

What license is required for Threat Hunting?

Threat Hunting is available with the Premium Security SKU license.

For which workloads is Threat Hunting supported?

This capability is supported only for VMware-backed-up resources.

Which operating systems for VMware are supported for Threat Hunting?

Windows and Linux operating systems are supported. For more details, see Supported workloads for Threat Hunting.

How to use the Threat Hunting feature?

It just takes 4 simple steps to use this feature:

Step 1: Create a new Threat Hunt to find backed-up suspicious or malicious data.

Step 2: Monitor Threat Hunt jobs from the Threat Hunting dashboard. Use the Download Report option to analyze the scan results reported in detail.

Step 3: Auto-quarantine impacted snapshots to isolate impacted snapshots by default to prevent accidental restores and reinfection.

Step 4: View the Threat Hunt results using the Threat Hunting Dashboard page.

What scan parameters are used for Threat Hunting?

File hashes and file extensions scan parameters or Indicators of Compromise (IOCs) are used to search and find malicious files within the backed up data. For more information, see Create a New Threat Hunt.

What do we mean by predefined file hashes?

Predefined file hashes are SHA1 values that you have already provided in the Malicious File Scan Settings for Malicious File Scan feature.

How much time does a Threat Hunting job take to complete?

The time taken to complete a Threat Hunt job depends on multiple variables, such as the Threat Hunt Scan Criteria (number of hashes, number of extensions), resources selected (number of VMs, number of backups, size of the data), and the number of matches against the scan criteria. For a typical clean scenario, the time taken is around 10-15 minutes, but it may be higher in a few corner cases.

What is the file size limit for scan using file hash scan criteria?

Threat Hunting using file hashes are supported for files up to 100 MB in size. Some examples of files beyond 100 MB file sizes are log, evtx, evt, db, sqlite, frm, idb, mdf, pst, and ost.

What are the prerequisites for Threat Hunting for VMware?

  • Ensure that the backup is successfully completed for the required resources on which you want to run the Threat Hunt job. After the successful backup, the data is accessed for Threat Hunting readiness.

  • At least 1% of the total resources must be Threat Hunt ready to create a Threat Hunt job for them.

  • For VMware resources Threat Hunting: The VMware backup proxy version installed must be 7.0.2 or higher.

  • For backup policies with CloudCache configured, only the data synced to the Druva cloud is available for Threat Hunting. Ensure the data is synced.

Why do I see the error file hashes skipped from the scan?

This error occurs when no corresponding SHA1 values are found for the files with SHA-256/MD5 file hashes as scan input criteria. Click Download List to view the skipped SHA-256/MD5 file hashes.

Click Download List to view the skipped SHA-256/MD5 file hashes.

Action Required: To resolve this issue, provide the SHA1 file hash as input.

Why does the threat hunt job fail?

Threat Hunt job may fail due to any one of the following reasons:

  • You provided only file hashes as the scan criteria. No corresponding SHA1 values were found for the files with SHA-256/MD5 file hashes as scan input criteria.

Action Required: To resolve this issue, provide an alternative scan criteria or the SHA1 file hash as input.

  • An internal error occurred. Try again after some time

Did this answer your question?