Skip to main content

How can we help you?

Druva Documentation

Curated Snapshot for servers

Overview

Curated Snapshot is a unique version of snapshot that is a collection of the latest, safest, and most secure versions of files in a single snapshot. The Curated Snapshot is created by processing files from multiple snapshots within a specified date range. The files are processed and scanned for the following Indicators of Compromise:

  • Anti-Virus 
  • File hash match
  • File extensions exclusion and encryption check

After the files folders are scanned for all the above-mentioned indicators, a Curated Snapshot is created for that server (File System or NAS) and is available for restore from the respective restore wizards. For more information, see,

By default, Curated Snapshot is the selected snapshot available for restoring server data if the Ransomware Recovery service is enabled for your organization and administrators have created a Curated Snapshot for servers (File Server or NAS).

Now, that you know what is Curated Snapshot, let us understand the workflow of how to use them.

Workflow_CS.png

Create a Curated Snapshot

You can create only one active Curated Snapshot per Backup Set per workload at a given point in time.

Procedure

  1. Log in to Druva Cloud Platform (DCP) Console
  2. On the DCP Console dashboard, under Cyber Resilience, click the Ransomware Recovery service.
  3. On the left pane, click Curated Snapshots > Create Curated Snapshots > For File Server and NAS.  The Resources page appears.
  4. Search for the servers for which you want to create Curated Snapshot. You can search for servers using either or a combination of the OrganizationsWorkload Type, and Workload Name.
  5. Select the servers for which you want to create the snapshots and click Next.
  6.  On the Snapshot Details page,  enter the Snapshot Parameters for the creation of the snapshot.
  7. Click Submit. A Malicious File Scan or restore scan job is executed for all the snapshots for the mentioned date range. After the scan is complete, the most recent cleanest versions of the files are encapsulated to generate and create a single Curated Snapshot.
  8. If an active Curated Snapshot already exists for a Backup Set for a workload, you will have the following options:
  • Create a new one and delete the existing one

        OR

  • Keep the existing snapshot

Select the option as per your organization's requirements and click Continue.

Confirmation_active CS_exists_Aug24.png

You can view the status of Curated Snapshot creation on the Jobs page.

Snapshot Details page

The following table details the Snapshot Parameters for creating a Curated Snapshot.

Field Description

Date Range

Define a date range from which you want the snapshots to be processed and scanned for creating a Curated Snapshot.

Start Date: Select a Start Date.

End Date: Automatically calculated. The Date displayed here can either be the current date or 180 days from the start date, whichever is the nearest. The maximum limit for the date range is 180 days.

For example, if today's date is Aug 5, 2021.  You select July 1, 2021, as the start date. In this case, 180 days is a futuristic date. Hence, the end date will be today's date/current date i.e. Aug 5, 2021, 23:59:59 PM.

Retain Snapshot for

The number of days until which the Curated Snapshot will be retained and can be restored.

By default, the retention period is 15 days. The maximum limit for retention is 30 days.

Indicators of Compromise

Define the indicators by which you want the snapshots should be scanned for malicious data.

By default, files within the snapshots are scanned for encryption checks, anti-virus, and pre-defined file hash matches.

Select the Exclude file extensions checkbox, and specify the file extensions to exclude those files from Curated Snapshot.

Know how the Curated Snapshot is created

Here's an example that explains how the Curated Snapshot is created based on the defined Date Range and Indicators of Compromise (Anti-Virus, File Hash match, file extensions exclusion, or encryption) encountered or detected.

Resource Name: WINS3RV3R-KA1W (File Server)

Resource Type: File Server

Snapshot -  Create date Version Files Action
Snapshot 1 - Aug 1, 2021 16 file 1, file 2, file 3 Files added
Snapshot 2 - Aug 1, 2021 17 file 1, file 2, file 3 No change
Snapshot 3 - Aug 2, 2021 18 file 1, file 2, file 3, file 4, file 5

Added:  file 4, file 5, and file 6

Modified: file 1

Snapshot 4 - Aug 2, 2021 19 file 1, file 3, file 4, file 5 Deleted: file 2.

For the creation of a Curated snapshot the maximum date range limit is 180 days. Assume that today's date is Aug 5, 2021.

  • if you select Jan 1, 2020 as the start date, the end date will be Jan 1, 2020, +180 days.
  • If you select July 1, 2021 as the start date, +180 days is a futuristic date. Therefore, the current date/today's date is considered as the end date. i.e Aug 5, 2021, 23:59:59.

In the case of the above example, if you select July 1 as the Start Date, the End Date will be Aug 5, 2021, 23:59:59. Once the date range is defined, the Malicious File Scan or Restore scan job is executed on Snapshot versions 16, 17, 18, and 19.

During the scan, file hash match is detected for file 1, and file extensions exclusion is detected for file 5 in version 18. The file 1 in version 18 is skipped from Curated Snapshot.

The scan is then performed on a previous version (version 16) that contains file 1. If the scan does not detect any Indicators of Compromise that indicate any malicious attacks on the file, then, file 1 from version 16 is considered for the creation of Curated Snapshot. Also, file 5 will not be included in the Curated Snapshot.

So, the final Curated Snapshot created will include:

  • Version 16: file 1, file 2,and file 3
  • Version 18: file 4 and file 6

Verify Curated Snapshot Job status

Whenever you submit a request for Create Curated Snapshot,  a scan job is initiated. You can monitor and manage all the scan jobs from the Jobs tab. The Last Updated at timestamp is displayed beside the page heading to help you understand when the details of the page were last updated. 

Only after the job is complete, the Curated Snapshot gets created. You can view a summary of the scan job from the Jobs page. 

You can cancel an ongoing job if you initiated the request by mistake or no longer need to create Curated Snapshot.

Click the Job ID to view the following job details:

Fields Description
Job Details section
Job ID The unique ID of the scan job.
Resource Name The name of the data source.
Resource Type The type of the data source. Example: File Server
Workload Name The name of the workload.
Created By The name of the administrator who initiated the job.
Start Time The time when the scan job was initiated.
End Time The time when the scan job finished. If the job ended prematurely due to cancelation, or due to failure, this field displays that timestamp.
Organization Name The name of the organization.
Snapshot Creation Status

The current status of the job. It can be any of the following:

  • Successful - The job completed successfully and you can view the details of the scanned files in the Curated Snapshot section.

  • Failed - The job failed due to various reasons.

  • Canceled - The job was canceled by the administrator.

  • Queued - The job is yet to be processed. 

  • Running - The scanning is in progress. 

Curated Snapshot section
Snapshot The name of the snapshot.
Size The size of the snapshot.
Date Range The start and end date selected for the creation of the snapshot.
Retained Till The date and timestamp when the snapshot will expire.
#Files Included The count of files included for snapshot creation.
Snapshot Availability

Status of the snapshot which can be any one of the following:

  • Active
  • Deleted

You can download the report to view the details of the scanned files.

Download Report

On the Jobs details page, click Download Report to download the report of the Curated Snapshot to view details of the malicious files within this snapshot. The report is downloaded in <Druva_CuratedSnapshot_JobID_<JobIDnumber>_<curatedsnapshotname>.csv.zip  format. For example, <Druva_CuratedSnapshot_JobID_45_Sep_16_2021_12_02>.csv.zip .

Expand the zip folder to view the CSV file. The CSV file provides the following details.

Field Description
File Name Name of the scanned file.
File Type Type of file. It can be either a file or folder.
Path Location of the file.
Backup Folder The folder from which the file is created.
Modified time

Date and timestamp when modifications were made to the file.  This is the administrator's timezone.

For example, Jun 23, 2020 15:04.

Is Skipped from Curated Snapshot

Displays "True" if the file was skipped for Curated Snapshot.

Displays "False" if the file was not skipped from Curated Snapshot.

Reason to skip from Curated Snapshot Details of why the file was skipped.
Snapshot Name

Name of the snapshot from which the file is used for the creation of Curated Snapshot.

For example, Tue Aug 31 12:23:43 2021.

Delete Snapshot

You cannot delete a  snapshot that is a part of active Curated Snapshot. 

You can delete the snapshots that are no longer required.

  1. On the Curated Snapshot dashboard, select the snapshot that you want to delete.
  2. Click Continue on the confirmation pop-up if you are sure about deleting the snapshot. Snapshot once deleted cannot be retrieved.

View and Restore data from Curated Snapshot

If you are reading this section, that means Curated Snapshot is created successfully and is listed in the Curated Snapshots > Snapshot tab. 

For File Server

Procedure

On the Curated Snapshots > Snapshot tab, click on the snapshot for the File Server for which you want to view and restore data. You will be redirected to the File Backup Sets > Backups page. 

The Curated Snapshot card is displayed and you can restore data from this snapshot. For more information, see File Servers.

The CS_icon.png icon is displayed beside the snapshots that are used for creating Curated Snapshot.

For NAS

Procedure

On the Curated Snapshots > Snapshot tab, click on the snapshot for the NAS device for which you want to view and restore data. You will be redirected to the Backup Sets > Backups page. 

The Curated Snapshot card is displayed and you can restore data from this snapshot. For more information, see NAS.

CS_NAS_Backupstab.png

The CS_icon.pngicon is displayed beside the snapshots that are used for creating Curated Snapshot

Note:  Restore from Curated Snapshot is supported only for  Hot and Warm snapshots.

By default, Curated Snapshot is the selected snapshot available for restoring server data if the Ransomware Recovery service is enabled for your organization and administrators have created a Curated Snapshot for servers (File Server or NAS).

You cannot delete a  snapshot that is a part of active Curated Snapshot.