Administration Guides

Planning New application Workloads Best Practice



When adding new applications that will mount cluster storage or new work flows, it is a good idea to monitor the IO of these new workloads using Monitored path, user or IP to allow learning mode to monitor the behavior of this new workload.  This allows learning mode (Release 2.5.7 or later) to monitor this work load and customize settings for this workload.   

When to use this process? 

If you are currently in enforcement mode with user lockout mode enabled, then you can follow this process when adding a new application or workload to your environment.


  1. Release 2.5.7 or greater

Best Practice 

  1. Transform or Processing chain Workflow Best Practise  
    1. Examples of Workflows that fall into this category software Compiling, animating videos, watermarking images or video, video rendering, ML or AI output.  These workflows use input data and one or more servers to process or transform data into an output.   These types of workflows typicall use a server farm and create very high IO rates that can generate 10's of thousnds audit events per second.   Additional VM resources would normally be required to process all the audit IO data in real time.
    2. Best Practise:  Apply ignore path to output paths used by similar workflows or applications that have an output path where data can be re-generated if needed.
  2. Set up Monitoring
    1. This will monitor , detect, raise alerts and create snapshots to protect the workload but it will not lockout the application.  Guide here.
      1. If your application uses a service account to access the storage with an AD user, configure a monitor only setting under the settings menu of the Ransomware Defender icon.  Enter the user domain\username and save the configuration.
      2. If the application uses NFS, then add a host ip entry on the monitor only settings and save the configuration.
  3. Enable Learning mode
    1. This mode requires monitor mode enabled and then learning mode.  See the guide here.  
  4. Wait several days with the workload running or until no warnings appear in the active events window of Ransomware Defender. Review the Flag as False positive tab and locate the service account or IP host from above steps.
    1. If no entry is found then the workload behavior is not going to be locked out.  You can chose to leave the monitor only setting for this user or ip host OR you can remove the monitor only setting and disable learning mode and monitor mode to return to enforcement mode.
    2. If there is an entry for this user or ip host, then monitor for another day to verify the multiplier value stays the same.  This means that the settings are correct to avoid any detections and lockouts for this workload.

© Superna Inc