Hi guys!
We have SOBR configured with a capacity extent in Azure blob. The storage account reached about 15TB of usage summing up around 25mil files - mostly block files uploaded by Veeam B&R server from the on-prem extent.
Over the span of a few months we've been randomly alerted by Microsoft Defender for Cloud, which appears to match various known malware hashes against blk files. In summary, the alerts look like this:
------------------
A malicious blob was uploaded to your storage account 'nameofstaccount'. The detected malware type is 'DOS/Satria'. This security alert was generated by the Malware Scanning feature in Defender for Storage. Potential causes may include an intentional upload of malware by a threat actor, or an unintentional upload of a malicious file by a legitimate user.
Directory: https://nameofstaccount.blob.core.windo ... 8ced2009e3
File: 1921.fd389935f6496f48bb7cafeb605b33bd.00000000000000000000000000000000.blk
-----------------------------
We are suspecting these to be false flags due to the sheer amount of items involved in the container, but we just want to be sure we're not missing anything here and that this is indeed common behavior in such a scenario. Can anyone share any wisdom on this?
We're just seeking to understand if this is common at all.
Thanks in advance!
- Daniel Ionita (Novice, joined May 20, 2019)
- Fabian K. (Product Manager, Switzerland, joined May 13, 2017)
Re: MS Defender for Cloud flags up malware hashes on blk files
Hello Daniel
We store unique blocks of offloaded backups as blk files in object storage. Without Veeam Backup & Replication, the content of such a block makes no sense when opened to read. A single restore point is assembled from these blk files.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
I assume it's a false positive alarm. But if you want to be sure, open a support case and let them check the files.
Best,
Fabian
Product Management Analyst @ Veeam Software
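As an added triage example (not Veeam's code and not part of this thread): before the support case comes back, the facts worth collecting about a flagged blk file are its hash, whether it carries an executable header, and how random its bytes look. The script below assumes the flagged blob has already been downloaded to a local path and that an opaque backup block should show high byte entropy with no DOS/PE "MZ" header, whereas a DOS malware family like the one named in the alert would be an "MZ"-headed executable; both assumptions are the example's, not the post's, and the sample inputs are constructed.

```python
"""Triage a .blk file flagged by Defender for Storage: added example, not
Veeam code and not from the thread. Assumed (not stated in the post): the
flagged blob has already been downloaded to a local path, and an opaque,
compressed backup block should show high byte entropy and no DOS/PE "MZ"
header, whereas the DOS malware family named in the alert would be an
executable starting with "MZ"."""
import hashlib
import math
import os
import tempfile
from collections import Counter

MZ_MAGIC = b"MZ"  # DOS / Windows PE executable header


def sha256_of(path):
    """Hash the whole file; this is the value to quote when asking
    Microsoft or Veeam support which signature matched."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_block(path, sample_size=1 << 20):
    """Collect the facts needed to argue a false positive (or not).
    Entropy is measured on the first sample_size bytes only."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    return {
        "sha256": sha256_of(path),
        "size": os.path.getsize(path),
        "has_mz_header": head[:2] == MZ_MAGIC,
        "entropy": round(shannon_entropy(head), 2),
    }


def looks_like_opaque_block(report, min_entropy=7.0):
    """Heuristic only: high entropy with no executable header is consistent
    with a compressed backup block, but a packed executable would look the
    same, so the hash still goes to support."""
    return not report["has_mz_header"] and report["entropy"] >= min_entropy


def demo():
    """Constructed inputs, not real Veeam blocks: random bytes standing in
    for a compressed block, and a fake MZ-headed executable of repetitive
    bytes. Returns both triage reports keyed by label."""
    with tempfile.TemporaryDirectory() as d:
        blk = os.path.join(d, "1921.example.blk")
        exe = os.path.join(d, "sample.com")
        with open(blk, "wb") as f:
            f.write(os.urandom(64 * 1024))
        with open(exe, "wb") as f:
            f.write(MZ_MAGIC + b"\x90" * 4094)
        return {"block": triage_block(blk), "exe": triage_block(exe)}


if __name__ == "__main__":
    for label, report in demo().items():
        verdict = "opaque block" if looks_like_opaque_block(report) else "executable-like"
        print(f"{label}: {verdict} {report}")
```

The heuristic only sorts "plainly an executable" from "opaque data"; it cannot prove a block is benign, since packed or encrypted malware is also high-entropy. Its value is that the hash and header facts are ready to hand in the Microsoft or Veeam support case, and that a blk file which does start with "MZ" would be a genuine surprise worth escalating rather than dismissing.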
- Daniel Ionita (Novice)
Re: MS Defender for Cloud flags up malware hashes on blk files
Hi Fabian! Thanks for confirming that.
We reviewed that documentation link before (actually the v11 one as we're still on that version for now). We've submitted a sample to Microsoft but there's quite a long turnover on that process :/
We'll approach Veeam as well with a case.
Thanks again,
Daniel