AI-Driven Real-Time Malware and Ransomware Detection for NetApp

Network-attached storage devices like NetApp contain volumes of data which are vital to business operations. With broad access available to so many users, protecting NetApp storage from malware is critical to operational stability and integrity. Organizations worldwide face increasingly sophisticated threat actors. AI-powered threat detection can level the playing field, protect business data, and stop attacks before they begin. With Threat Detection for NetApp, SentinelOne brings proven AI-powered malware protection to NetApp storage.

The Challenge

Legacy AV solutions have long dominated storage security for NetApp. However, security innovation has not kept pace with other sectors like EDR and cloud security, even as threat actors have rapidly evolved. Modern threats from hackers for hire or state-sponsored threat actors easily evade signature-based legacy antivirus. Yes, signatures are useful for identifying known or commodity malware, but they are incapable of detecting novel malware.

Beyond ease of evasion, signatures can create administrative nightmares. Storage security admins can become bogged down in a relentless spiral, making sure their blocklists are always updated with the latest signatures.

Another challenging factor is broad access to the data stored on NetApp arrays. Businesses rely upon ready access to this data to function. Considering the wide access, and the ease with which malicious files can evade signature-based detection, one can readily appreciate how securing the NetApp storage is vital to business continuity.

In addition to business continuity and brand reputation, an additional concern is regulatory compliance. While exact compliance details vary by framework, organizations in various industries are often required to regularly scan their network attached storage for malware. Although regulatory frameworks generally do not specify how this is accomplished, more forward thinking frameworks such as GDPR do stipulate that organizations follow the principle of “data protection by design and by default,” and that data protection measures take into account the technological “state of the art.”

Our Solution: Threat Detection for NetApp

To help organizations better provide for continuous security of their data on NetApp storage arrays, and to reduce the risk of business disruption due to advanced malware which evades signature-based alternatives, SentinelOne introduced Threat Detection for NetApp (TD4NA). Generally available in the Singularity Cloud Data Security product line, TD4NA delivers AI-powered cloud data security that protects NetApp arrays from malware. High-performance, low-latency inline file scanning delivers verdicts in milliseconds.

Threat Detection for NetApp

When considering state-of-the-art solutions for securing your NetApp arrays, here are some factors which set SentinelOne and TD4NA apart from alternatives.

  1. High-Speed Performance with Low Latency. NetApp invests heavily in performance optimization, so that their storage solutions offer high-speed data access with low latency. So too does SentinelOne. TD4NA leverages SentinelOne’s proprietary Static AI Engine that is optimized for performance and security efficacy, having been trained on nearly 1 billion malware samples over the last decade.

    TD4NA delivers verdicts in milliseconds, allowing user access to their data without performance bottlenecks and without compromising security. When a file is judged to be malicious, it is automatically encrypted and quarantined, to stop the potential for spread before it even has a chance to begin.

  2. Fully Compatible with ONTAP. NetApp uses a proprietary OS called “ONTAP” for their storage arrays. For this reason, ONTAP is not compatible with traditional endpoint agents. SentinelOne’s Threat Detection for NetApp, however, is fully compatible with the ONTAP protocol.
  3. Proven and Trusted Innovation. SentinelOne brings our proven malware detection technology to a data storage security market that has been dominated for years by legacy antivirus. Unlike legacy AV solutions that rely on signatures and frequent updates, SentinelOne’s solution offers uncompromising security against novel and unknown malware without the worry of constant signature updates.

    Alternatives which rely upon signatures are easily circumvented. A threat actor can simply pad a malware sample, recompile, and the malware has a new signature not found in any blocklist. In stark contrast, SentinelOne’s proprietary AI deeply analyzes a file’s characteristics for indicators of malicious intent – no signature required. All files are scanned locally. No sensitive data ever leaves your network. For some organizations, this is an important regulatory compliance consideration.

  4. Unified Platform: Alongside performance and innovation, the Singularity Platform provides a familiar feel for existing SentinelOne customers that simplifies onboarding and administration. For example, TD4NA respects existing user blocklists or file exclusions, removing the need to rebuild them. Additionally, it provides valuable threat metadata for greater insights and analysis, enhancing security posture.All security data, whether from cloud security, networked storage, user endpoints, and even 3rd party security solutions, are stored in the high-performance Singularity Data Lake. This single security data repository simplifies data access, streamlines investigations, and accelerates incident response.

How It Works

The SentinelOne TD4NA agent is installed on a “Vscan server” which, according to the NetApp ONTAP architecture, is dedicated to malware scanning. System requirements for the Vscan server are documented in the SentinelOne knowledge base. It is possible to configure more than one TD4NA agent on a single Vscan server, depending upon customer requirements for redundancy or IOPS performance.

When a user submits a file put/access request, the NetApp array automatically submits a scan request via ONTAP protocol to the Vscan server. The TD4NA solution then works as follows:

  1. Scan the file.
  2. Report the result, both to the SentinelOne management console and to the NetApp array.

Upon scan completion, the NetApp array grants or denies the user request, depending upon the scan verdict. If the file verdict is not malware, the user is granted access.

If the file verdict is judged by the AI to be malware, the user request is denied and the file is automatically encrypted and quarantined by the solution. The quarantine directory is specified beforehand by the security admin. At their discretion, security admins may access the malicious file via 1-click file fetch for further analysis and sandboxing.

All file scans are local and inline. Local file scanning occurs on the Vscan server. Inline file scanning holds the file until scanning is complete. The solution is optimized for performance, so file scans complete within milliseconds for a low latency user experience.


With SentinelOne’s AI-powered Threat Detection for NetApp, malware is identified and mitigated in real time, thereby minimizing dwell time and downstream data risk. All files are scanned locally so that no sensitive data leaves your network, and TD4NA is managed from the same Singularity Platform that SentinelOne customers know well.

To learn more about Threat Detection for NetApp, visit our Cloud Data Security webpage. There you will find datasheets, customer case studies, and more. And whenever you are ready for a personalized demo, you may connect with one of our cloud security experts.

Singularity™ Cloud Data Security AI-Powered Malware Scanning
Elevate your defenses with adaptive, scalable, and AI-powered SentinelOne solutions for Amazon S3 and NetApp.