-
- Enthusiast
- Posts: 75
- Liked: 32 times
- Joined: Jan 14, 2022 9:16 am
- Full Name: Daniel Artzen
- Location: Germany
- Contact:
Malware detection, Ransomware Notice found
Hello together,
after we enabled the malware detection on our most important backups, we got several suspicious activities on some servers reported. Most of them we could identify as false positives, since these were simply files that use the same extensions as some malwares do. I defined exceptions for these files.
But on one of our servers it says "ransomware note". Now, the server is not encrypted, a virus scan did not show any infection and I don't see any kind of ransomware note on it. Sadly the VBR console does not show more details than this info, and the server is not shown in the VBR log file for the suspicious files, where I found all the others.
Can anyone tell me where I can possibly find more information on my system?
Thank you for your help
Best regards
Daniel
after we enabled the malware detection on our most important backups, we got several suspicious activities on some servers reported. Most of them we could identify as false positives, since these were simply files that use the same extensions as some malwares do. I defined exceptions for these files.
But on one of our servers it says "ransomware note". Now, the server is not encrypted, a virus scan did not show any infection and I don't see any kind of ransomware note on it. Sadly the VBR console does not show more details than this info, and the server is not shown in the VBR log file for the suspicious files, where I found all the others.
Can anyone tell me where I can possibly find more information on my system?
Thank you for your help
Best regards
Daniel
-
- Product Manager
- Posts: 14881
- Liked: 3099 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Malware detection, Ransomware Notice found
Hello,
"ransomware note" found means that there is a text file somewhere on the machine that matches a ransomware note. It does not mean that there is any malware or encrypted data. The "ransomware notes" are found by the "inline scan" and not by the "in-guest index scan" (which was for the file name extension).
My understanding is, that C:\ProgramData\Veeam\Backup\Malware_Detection_Logs don't show anything. Did support already check the logs on how to find the file (a support case number would help to get an answer faster)?
Best regards,
Hannes
"ransomware note" found means that there is a text file somewhere on the machine that matches a ransomware note. It does not mean that there is any malware or encrypted data. The "ransomware notes" are found by the "inline scan" and not by the "in-guest index scan" (which was for the file name extension).
My understanding is, that C:\ProgramData\Veeam\Backup\Malware_Detection_Logs don't show anything. Did support already check the logs on how to find the file (a support case number would help to get an answer faster)?
Best regards,
Hannes
-
- Enthusiast
- Posts: 75
- Liked: 32 times
- Joined: Jan 14, 2022 9:16 am
- Full Name: Daniel Artzen
- Location: Germany
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Hannes,
under C:\ProgramData\Veeam\Backup\Malware_Detection_Logs I can only see the "suspicious files" logs for each day it found something and in these this server is not reported, which makes sense the way you explained it. I have not opened a case yet, I thought that there should be a log or better yet an information in the VBR console where the scan found this. Shouldn't this log location be documented somewhere? I don't think it's feasible to open a case just to locate this information.
Best regards
Daniel
under C:\ProgramData\Veeam\Backup\Malware_Detection_Logs I can only see the "suspicious files" logs for each day it found something and in these this server is not reported, which makes sense the way you explained it. I have not opened a case yet, I thought that there should be a log or better yet an information in the VBR console where the scan found this. Shouldn't this log location be documented somewhere? I don't think it's feasible to open a case just to locate this information.
Best regards
Daniel
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Daniel,
Can you please share the extensions that generated false-positive reports?after we enabled the malware detection on our most important backups, we got several suspicious activities on some servers reported. Most of them we could identify as false positives, since these were simply files that use the same extensions as some malwares do. I defined exceptions for these files.
Can you please share the details from the Malware detection event? Thank you in advance!But on one of our servers it says "ransomware note". Now, the server is not encrypted, a virus scan did not show any infection and I don't see any kind of ransomware note on it. Sadly the VBR console does not show more details than this info, and the server is not shown in the VBR log file for the suspicious files, where I found all the others. Can anyone tell me where I can possibly find more information on my system?
-
- Enthusiast
- Posts: 75
- Liked: 32 times
- Joined: Jan 14, 2022 9:16 am
- Full Name: Daniel Artzen
- Location: Germany
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Dima,
1. the extensions that were reported in our systems were: .cnc, .mal, .fun, .rose, .bip, .mvp, .delta, .fox, .ev and .bi. These files were found on our fileserver, on our CRM and on our software distribution system as either files that are generated by our applications or are part of the installations.
2. The details are a bit sparse to be honest. It just says "Detection source: Ransomware notice" and under Details it just says: "Potential malware activity detected".
Best regards
Daniel
1. the extensions that were reported in our systems were: .cnc, .mal, .fun, .rose, .bip, .mvp, .delta, .fox, .ev and .bi. These files were found on our fileserver, on our CRM and on our software distribution system as either files that are generated by our applications or are part of the installations.
2. The details are a bit sparse to be honest. It just says "Detection source: Ransomware notice" and under Details it just says: "Potential malware activity detected".
Best regards
Daniel
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Daniel,
Thank you for the details, passed that to the Malware Detection team for a review. Regarding the malware note - indeed the exact location is currently not logged, we will note an improvement request. Thank you for your feedback!
Thank you for the details, passed that to the Malware Detection team for a review. Regarding the malware note - indeed the exact location is currently not logged, we will note an improvement request. Thank you for your feedback!
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Dec 18, 2023 9:52 pm
- Full Name: Rogelio Morin
- Contact:
Re: Malware detection, Ransomware Notice found
Hello everyone, I got exactly the same alert. Has anyone got any update? I'd like to identify the file that is triggering the alert to see if it's a false positive.
Thanks!
Thanks!
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello folks,
We plan to fine tune the reporting in this feature and provide a direct link to the logs where all the files in the questions are listed. Meanwhile you can review the logs for malware detection based on index scan in this location: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\
You can potentially use Scan backup with YARA rule aimed at searching onion links, this could help you to find the location of files which contains onion links (which is the case with ransomware notes).
Thank you!
We plan to fine tune the reporting in this feature and provide a direct link to the logs where all the files in the questions are listed. Meanwhile you can review the logs for malware detection based on index scan in this location: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\
You can potentially use Scan backup with YARA rule aimed at searching onion links, this could help you to find the location of files which contains onion links (which is the case with ransomware notes).
Thank you!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Dec 19, 2023 8:27 pm
- Contact:
Re: Malware detection, Ransomware Notice found
Hi Dima
I have the same issue. I don't see the C:\ProgramData\Veeam\Backup\Malware_Detection_Logs folder on either the VM or the Veeam server. Is there anywhere else it could be logging?
I have the same issue. I don't see the C:\ProgramData\Veeam\Backup\Malware_Detection_Logs folder on either the VM or the Veeam server. Is there anywhere else it could be logging?
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello amtiskaw,
Can you please share the text of the malware detection event? Screenshot will also work. Thank you!
Can you please share the text of the malware detection event? Screenshot will also work. Thank you!
-
- Lurker
- Posts: 1
- Liked: 1 time
- Joined: Dec 20, 2023 12:30 am
- Full Name: Anthony Meluso
- Contact:
Re: Malware detection, Ransomware Notice found
So, the use of a YARA scan to search the "Ransom Note" is locked behind a certain edition of Veeam? I get an error message when trying to scan a backup, mentioning it's not available in your Veeam Data Platform edition.
You need to include the file paths in these types of inline scans. I mean if it can produce an alert for the "Ransome Note", log its location.
You need to include the file paths in these types of inline scans. I mean if it can produce an alert for the "Ransome Note", log its location.
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Anthony,
Yes, in order to use Yara engine you should have a Veeam Data Platform - Advanced edition of the license.the use of a YARA scan to search the "Ransom Note" is locked behind a certain edition of Veeam? I get an error message when trying to scan a backup, mentioning it's not available in your Veeam Data Platform edition.
Right now it's not possible to detect the actual location of the ransomware note because the analysis happens on the block level while the data is in transit, we are researching the possibility to provide this information in the upcoming versions. Thank you!You need to include the file paths in these types of inline scans. I mean if it can produce an alert for the "Ransome Note", log its location.
-
- Influencer
- Posts: 22
- Liked: 5 times
- Joined: Jan 09, 2018 8:12 am
- Full Name: Stefan
- Contact:
Re: Malware detection, Ransomware Notice found
@Dima P.
According to Veeam's manual, Enterprise Plus edition should also be supporting full malware detection thus using YARA scans: https://helpcenter.veeam.com/docs/backu ... ml?ver=120
We have Enterprise Plus (VUL) and receive the same error message: "it's not available in your Veeam Data Platform edition."
Opened a case for this: 07056988
Perhaps there is a difference in Socketor VUL licenses (not mentioned in that specific guide part). Which makes it confusing.
https://www.veeam.com/veeam_data_platfo ... son_ds.pdf
According to Veeam's manual, Enterprise Plus edition should also be supporting full malware detection thus using YARA scans: https://helpcenter.veeam.com/docs/backu ... ml?ver=120
We have Enterprise Plus (VUL) and receive the same error message: "it's not available in your Veeam Data Platform edition."
Opened a case for this: 07056988
Perhaps there is a difference in Socketor VUL licenses (not mentioned in that specific guide part). Which makes it confusing.
https://www.veeam.com/veeam_data_platfo ... son_ds.pdf
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Stefan,
That is inaccurate statement. Inline scan, index scan, Incident API, SureBackup Lite / SureBackup and Secure Restore with AV scan are available in ENT+ while Yara scan requires a higher licensing tier. I've asked technical writes team to correct this statement to avoid further confusion. Thank you!Enterprise Plus edition should also be supporting full malware detection thus using YARA scans: https://helpcenter.veeam.com/docs/backu ... ml?ver=120
-
- Chief Product Officer
- Posts: 31836
- Liked: 7328 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Malware detection, Ransomware Notice found
As an Analytics feature, YARA scan is only available in Veeam Data Platform Advanced Edition.
Or Veeam Essentials, which is basically Advanced edition limited to 50 licenses max.
Here's the official edition comparison (short version on a page and full version in the PDF).
Or Veeam Essentials, which is basically Advanced edition limited to 50 licenses max.
Here's the official edition comparison (short version on a page and full version in the PDF).
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Dec 19, 2023 8:27 pm
- Contact:
-
- Chief Product Officer
- Posts: 31836
- Liked: 7328 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Malware detection, Ransomware Notice found
This event must be from the inline scan. "Ransomware note" detection source means that a known ransomware note text or an onion link was detected in one of the processed disk blocks. Please see here for more info > Inline Scan
@Dima P. could you ask Dev/QA what method or command is best used to search the content of all files on a production machine for ransomware text, as well as what specific text should be searched for? For example, I assume that the Search functionality of Windows Explorer should do the job?
@Dima P. could you ask Dev/QA what method or command is best used to search the content of all files on a production machine for ransomware text, as well as what specific text should be searched for? For example, I assume that the Search functionality of Windows Explorer should do the job?
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
This event is fired whenever we detect either Clop-alike ransomware text or whenever we detect an onion link in the text files. Big chances this event was raised by the onion link, so I suggest looking for the text .onion
How to search for such text:
1. You may use Yara scan to look for the onion links pattern.
2. You can use a built-in tool like FINDSTR to search for a text within a specific file type. The usage is quite simple:
- Run cmd as admin
- CD to the desired volume
- Start FINDSTR to look across all *.txt files for onion text, and thanks to /S switch that includes all the subfolders.
How to search for such text:
1. You may use Yara scan to look for the onion links pattern.
2. You can use a built-in tool like FINDSTR to search for a text within a specific file type. The usage is quite simple:
- Run cmd as admin
- CD to the desired volume
Code: Select all
cd C:\
Code: Select all
FINDSTR /S /C:".onion" *.txt
-
- Enthusiast
- Posts: 82
- Liked: 21 times
- Joined: Jan 17, 2022 10:31 am
- Full Name: Da Li
- Contact:
Re: Malware detection, Ransomware Notice found
I also cannot find the Malware_Detection_Logs.
Is it on the backup server, proxy or other and when will it be created. Have several Malware and Encrypted data but cannot find any logs of it.
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Da Li,
Logs with file locations are available only for events based on guest file indexing analysis. It's not possible to detect what exact files are affected because inline detection is performed on a block level while disk image data is in transit.
If you got a malware detection event caused by ransomware note, onion links or encrypted data you can mount the backup in the question and investigate it's content (i.e. scan with AV, YARA rule or even with some basic cmd utilities). Thank you!
Logs with file locations are available only for events based on guest file indexing analysis. It's not possible to detect what exact files are affected because inline detection is performed on a block level while disk image data is in transit.
If you got a malware detection event caused by ransomware note, onion links or encrypted data you can mount the backup in the question and investigate it's content (i.e. scan with AV, YARA rule or even with some basic cmd utilities). Thank you!
-
- Veteran
- Posts: 283
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Malware detection, Ransomware Notice found
Does anyone have a YARA rule created to look for this?You may use Yara scan to look for the onion links pattern
Thanks
-
- Chief Product Officer
- Posts: 31836
- Liked: 7328 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Malware detection, Ransomware Notice found
Just Google "yara rule for onion links", first result.
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Paul,
Here's a sample YARA rule to look for onion links. You can use it with SureBackup or with ScanBackup to test the restore point that raised 'Ransomware note' event.
1. Create a yar file format, for example: OnionLinks.yar
2. Save the code below inside the file
3. Place it to C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules location at your B&R server
4. The rule should be visible in the YARA scan UI and you can use it within Secure Restore, SureBackup and ScanBackup
Here's a sample YARA rule to look for onion links. You can use it with SureBackup or with ScanBackup to test the restore point that raised 'Ransomware note' event.
1. Create a yar file format, for example: OnionLinks.yar
2. Save the code below inside the file
3. Place it to C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules location at your B&R server
4. The rule should be visible in the YARA scan UI and you can use it within Secure Restore, SureBackup and ScanBackup
Code: Select all
rule OnionLinks
{
meta:
description = "Onion link"
strings:
$onion_link = /\b([a-z2-7]{56}.onion)\b/i
condition:
$onion_link
}
-
- Enthusiast
- Posts: 82
- Liked: 21 times
- Joined: Jan 17, 2022 10:31 am
- Full Name: Da Li
- Contact:
Re: Malware detection, Ransomware Notice found
OK, set the file indexing on and now can find the C:\ProgramData\Veeam\Backup\Malware_Detection_Logs on the VBR with in it the file locations of the suspicous files. Great.
With that information I go to the server and do a powershell "get-filehash <filename>" which give the hash of the file. And search this hash on https://www.virustotal.com/gui/home/search to see if it is really or false positive.
But if encrypted files found this is not in the logs.
Tried to find the encrypted file on the effected VM with the command "cipher /u /n" but nothing found.
Other options how to find the encrypted files which Veeam alerts?
With that information I go to the server and do a powershell "get-filehash <filename>" which give the hash of the file. And search this hash on https://www.virustotal.com/gui/home/search to see if it is really or false positive.
But if encrypted files found this is not in the logs.
Tried to find the encrypted file on the effected VM with the command "cipher /u /n" but nothing found.
Other options how to find the encrypted files which Veeam alerts?
-
- Veteran
- Posts: 283
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Malware detection, Ransomware Notice found
For a couple of jobs with indexing turned on I cannot find C:\ProgramData\Veeam\Backup\Malware_Detection_Logs on the VBR server
We changed our log file location years ago and in that location is Malware_Detection_Logs but it is empty
We changed our log file location years ago and in that location is Malware_Detection_Logs but it is empty
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Da Li, will discuss with RnD team if there is a good way to find the encrypted file locations with external tools stay tuned.
Paul, please raise a support case and share your case ID, meanwhile I'll ask QA team to take a look at this issue. Thank you in advance!
Paul, please raise a support case and share your case ID, meanwhile I'll ask QA team to take a look at this issue. Thank you in advance!
-
- Veteran
- Posts: 283
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Malware detection, Ransomware Notice found
Also I am completely confused and maybe if anyone from Veeam wants to step in that would be great
I raised a support call to investigate this Ransomware note finding and the job also has indexing enabled. When Malware is detected n the same report it states
24/01/2024 22:18:08 Succeeded [24/01/2024 22:06:00] Guest file system index has been analyzed: No suspicious file system activity or known malware files detected
Why is this happening? I have been told multiple times that SuspiciousFiles.xml contains the reason for the backup being marked as having Malware. To me this file is just a list of files that Veeam checks for. I can find no mention of any server name that has been reported as having Malware
The Veeam documentation regarding this file states
Download the latest SuspiciousFiles.xml using a machine with internet access.
Transfer the file to the Veeam Backup Server.
Replace the existing SuspiciousFiles.xml found in:
C:\Program Files\Veeam\Backup and Replication\Backup\
Restart the Veeam Data Analyzer Service.
So to me this file has no relevance at all to this investigation or am I just very confused?
Support call is 07104719
I raised a support call to investigate this Ransomware note finding and the job also has indexing enabled. When Malware is detected n the same report it states
24/01/2024 22:18:08 Succeeded [24/01/2024 22:06:00] Guest file system index has been analyzed: No suspicious file system activity or known malware files detected
Why is this happening? I have been told multiple times that SuspiciousFiles.xml contains the reason for the backup being marked as having Malware. To me this file is just a list of files that Veeam checks for. I can find no mention of any server name that has been reported as having Malware
The Veeam documentation regarding this file states
Download the latest SuspiciousFiles.xml using a machine with internet access.
Transfer the file to the Veeam Backup Server.
Replace the existing SuspiciousFiles.xml found in:
C:\Program Files\Veeam\Backup and Replication\Backup\
Restart the Veeam Data Analyzer Service.
So to me this file has no relevance at all to this investigation or am I just very confused?
Support call is 07104719
-
- Product Manager
- Posts: 14735
- Liked: 1708 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Paul,
Thank you for the case ID!
Inline scan analyzes binary data in flight while it's being transferred via backup proxy, so it's not possible to say the exact location of the onion link, ransomware note or encrypted data easily and post detection analysis of the file system is required. You can scan the machine with AV or search for onion links with the workarounds provided in this thread too (YARA or command line utilities can help).
Inline scan and guest file indexing analysis are independent checks and raise their own malware events. The dedicated chapter is here, please take a look for more details.
Thank you for the case ID!
'Ransomware note' event is created by inline scan engine while guest file indexing analysis is different engine. With guest file indexing analysis you can pinpoint the exact location of the suspicious file because we analyze the file index where we have the list of file names and extensions.I raised a support call to investigate this Ransomware note finding and the job also has indexing enabled. When Malware is detected n the same report it states
Inline scan analyzes binary data in flight while it's being transferred via backup proxy, so it's not possible to say the exact location of the onion link, ransomware note or encrypted data easily and post detection analysis of the file system is required. You can scan the machine with AV or search for onion links with the workarounds provided in this thread too (YARA or command line utilities can help).
Inline scan and guest file indexing analysis are independent checks and raise their own malware events. The dedicated chapter is here, please take a look for more details.
SuspiciousFiles.xml contains the list of files and extensions that we look for during the guest file indexing analysis it has no effect on Inline scan engine. Thank you!I have been told multiple times that SuspiciousFiles.xml contains the reason for the backup being marked as having Malware. To me this file is just a list of files that Veeam checks for. I can find no mention of any server name that has been reported as having Malware
-
- Veteran
- Posts: 283
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Malware detection, Ransomware Notice found
And this is exactly my point and what I was trying to get the engineer to understandSuspiciousFiles.xml contains the list of files and extensions that we look for during the guest file indexing analysis it has no effect on Inline scan engine. Thank you!
My response to the engineer's response at the bottom
To my untrained eye this file just contains a list of what looks like files to look for and is updated by Veeam. I can find no mention of any servers where Malware has been reported
This file was driving me crazy. I was sure I understood the purposeYes, the file will contain information regarding what files were identified as malware and where they are.
Managing List of Suspicious Files and Extensions
To keep the list of suspicious files and extensions up-to-date, select the Update malware definitions automatically check box. If the option is enabled, Veeam Backup & Replication will communicate with the Veeam Update Server (vbr.butler.veeam.com) daily and download the latest version of the SuspiciousFiles.xml file. The Veeam Data Analyzer service checks the file for updates once a day at 12:00 AM.
Anyway we appear to have moved on, finally. We are unsure at the moment the value of enabling the Inline scan and will review the use of it
Thanks
-
- Veteran
- Posts: 283
- Liked: 25 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Malware detection, Ransomware Notice found
Also how can YARA rules be used to scan Linux VM backups? The Scan option is only available for Windows VM backups
Who is online
Users browsing this forum: Google [Bot], Gostev and 76 guests