Amazon FSx for NetApp ONTAP (FSxN) delivers high-performance file services on AWS, but ransomware can infiltrate primary volumes, replicas, and backups long before anyone notices. Elastio brings early behavioral detection and continuous clean-recovery assurance to FSxN, so you always know when an attack starts and which snapshot or backup is safe to restore.
Elastio scans FSxN snapshots directly on the filer, as well as their copies in AWS Backup, for ransomware behavior, insider-driven encryption, malware, and corruption. This builds a verified catalog of last-known-clean restore points and feeds that clean-point intelligence into your SIEM and incident-response workflows.
The result: FSxN customers get continuous ransomware resilience and provable recovery across their entire protection chain, primary filer, SnapMirror replica, and AWS Backup.
Three-Tiered Protection for Amazon FSx for NetApp ONTAP
How Elastio Complements NetApp ARP
NetApp’s Autonomous Ransomware Protection (ARP) monitors production environments for suspicious file activity and triggers snapshots when potential threats are detected.
Elastio operates beyond the production path, performing in-depth ransomware and insider-driven encryption detection, as well as malware scans, on backups and SnapMirror-replicated snapshots. If ARP flags a potential threat, Elastio helps ensure your recovery point is clean, verifiable, and safe to restore.
Prerequisites and Considerations
- Elastio supports scanning FSx for ONTAP data served over SMB or NFS by mounting the volume through NFS. To enable this, the FSxN volume must be configured for dual-protocol access (NFS and SMB) so the NFS mount point is available for Elastio’s analysis.
- Elastio mounts snapshots using NFS and always in readonly mode.
- An Elastio Cloud Connecter must be in the same account, the same region and the same VPC/Subnet where the FSx for ONTAP filer is deployed.
- You can restrict Elastio’s access to FSx for ONTAP by applying an export policy that limits the Elastio Cloud Connecter to the snapshot directory in read-only mode. The export policy should allow NFS access only from the Elastio scan nodes’ IPs, enforce read-only permissions, and restrict the accessible path to the
.snapshotdirectory. This ensures Elastio can scan primary or replicated data without modifying production files or altering the filer’s state. - Elastio can scan either the primary filer or the replicated copy. It always analyzes existing snapshots, so ONTAP must be configured to create them.
- Once Elastio scans the full snapshot, all subsequent scans focus on the latest snapshot and only inspect the incremental changes between snapshots.
Protect FSxN
In the Elastio Console:
Navigate to Settings in the left navigation.
Select Scan Policies.
Step 1: Create a New Policy
Click Create.
Enter a Policy Name (e.g., Scan FSxN).
Set your Schedule Frequency:
Daily
Weekly
Monthly
Or any custom interval your operations require.
Choose a Protection Window Start time.
Confirm the Time Zone.
Step 2: Select Assets to Protect
After scheduling:
On Step 2, choose Asset Types.
Select FSx
Select Volumes or Filesystems
Pick the specific FSxN asset that you want Elastio to scan from the list.
Step 3: Configure Recovery Assurance Settings
On this page, choose the types of detection Elastio will use when scanning your FSxN snapshots. These settings define how Elastio identifies ransomware behavior, insider-driven encryption, malware, and other integrity threats.
1. Zero-Day Ransomware Detection
Enable this to detect never-before-seen ransomware using Elastio’s behavioral ML models. These models automatically update with the latest research from our security lab.
2. Encryption Detection
Turn this on to identify newly encrypted, partially encrypted, or suspiciously modified files. Elastio analyzes file changes between scans and flags behavioral encryption patterns that signal early-stage ransomware or insider misuse.
3. Malware Signature Scan
Enable this to detect known ransomware, Trojans, spyware, adware, crypto-miners, and other malware. Signature updates occur frequently—often hourly—ensuring the latest protection.
Optional: Time-Based Filtering
If you want Elastio to scan only files or objects created after a specific date and time:
Check Scan objects uploaded after a specific time.
Select the date and time you want Elastio to begin analyzing.
This can be useful during migrations, bulk restores, or cutover events.
Step 4: Review and Save
Confirm your schedule, activation settings, and selected FSxN assets.
Click Save Policy.
Your FSxN filer is now protected.
Elastio will continuously scan new snapshots and incremental changes, update their clean/impacted status, and push clean-point intelligence to your SIEM and IR workflows.
Elastio will automatically mount each snapshot in read-only mode and inspect it for ransomware behavior, corruption, and polymorphic and fileless and all known malware.