Malware detection, Ransomware Notice found

[Dima P.]

Anyway we appear to have moved on, finally. We are unsure at the moment the value of enabling the Inline scan and will review the use of it

I'd say if you use inline scan and index scan together the resulting information is more accurate and sensitive because inline scan cant tell you what's affected but at the same time can identify the data being encrypted with new totally unknown ransomware family which is not listed in the SuspiciousFiles.xml yet. While old known ransomware tools can be caught via index analytics.

This file was driving me crazy. I was sure I understood the purpose

Saw this issue couple of times myself, shared my feedback with support management.

Also how can YARA rules be used to scan Linux VM backups? The Scan option is only available for Windows VM backups

Correct, AV scan and YARA scan functionality is currently aimed at Windows machines. We plan to add ability to scan Linux machines in next versions.

[victor.bylin@atea.se]

Hi,

I think this feature has been implemented wrong. I understand that you at Veeam want to push customers to the hole suite. But to create an alarm that says that you have a ransomware note then have no option to view more information without buying the hole suite. I think that is just wrong. If you want it to just be possible to check Ransomware notes in full suite. Then just present that alarm where the hole suite is licensed. But personally i don't see why the Ransomware notes path is not just logged where file extension(suspicious file extensions) alarm for example is logged.

[Dima P.]

Hello Victor,

The reason behind this is not licensing. Inline detection does not work on the file system level, instead it tracks the suspicious patterns on a block level, while data is being transferred through a backup proxy. As such, we don't know which specific file is encrypted, contains ransomware note or .onion links.

So for this particular detection engine, currently the only way to find out the path of the impacted file is with an antivirus scan (the feature is available in all editions), with the FINDSTR utility, or with the YARA utility. Only automated YARA scans require the suite.

Thank you!

[JaySt]

boy was i disappointed today to learn a VUL license (having enterprise plus feature set) would not be enough to use the manually started yara scanning post-backup (the "scan backup" functionality on a VM that triggered a ransomware note malware detection event after inline scanning completed).
"Yara scan functionality is not available in your Veeam Data Platform edition."

when looking at the feature compare pdf at https://www.veeam.com/veeam_data_platfo ... son_ds.pdf, i can see some requirements for the advanced or premium suite being described, but hats off to anyone who was able to get that fact out of the document. by reading the doc, I can sort of conclude automated surebackup configuration would not let you use yara scanning and the "secure restore" feature -as part of the actual restore- would not let you use yara scanning. But i was not expecting the manually started scan would also require the advanced or premium suite. Bummer for all those customers that we got so far to upgrade their lower edition socket based licensing to Enterprise Plus features set VUL licensing. I understand Veeam needs to draw the line somewhere when mapping features to editions&suites, but imho this line is misplaced in this specific case.

[JaySt]

Additional view on this, as it kind of bothers me quite heavily:
Customer with a few 100 vms running VUL ent plus upgraded to 12.1.1. Wanted to enable inline scanning, but not index scanning due to efforts needed for the job reconfiguration regarding guest integration etc. So off we went. After some time, 10 or so vms got marked by malware detection with ransomware note remarks. Hard stop. How does Veeam expect admins to react to such events while given zero information about what and where , with all things “ransomware” setting off all kinds of thoughts and worries. Why would this alert be given without further means or anything,
So we had the suggestion to do some manual yara scanning for one of the vms, as it is better than the suggestion to do a FINDSTR across the vm (really?). And then again a hard stop on the license.
Inline scanning would probably be better implemented if it would only report on suspicious change activity only when not on advanced or premium suite.

[Dima P.]

Hello JaySt,

hats off to anyone who was able to get that fact out of the document. by reading the doc, I can sort of conclude automated surebackup configuration would not let you use yara scanning and the "secure restore" feature -as part of the actual restore- would not let you use yara scanning. But i was not expecting the manually started scan would also require the advanced or premium suite.

Generally YARA scan is a part of SureBackup engine, so that's why the line 'YARA scan (*YARA Scan requires Advanced or Premium Edition)' was added to the SureBackup bullet. I agree that it should be more straight forward, will pass the feedback to our marketing team to avoid further confusion. Thank you for the feedback!

So we had the suggestion to do some manual yara scanning for one of the vms, as it is better than the suggestion to do a FINDSTR across the vm (really?). And then again a hard stop on the license.

Can you please elaborate why it's not possible to install a YARA engine manually to the machine and use the mentioned rule to search for the suspicious files with onion links or use the command line? I understand that this would be manual work, but it's totally free and does not require any licensing changes from the customer.

[JaySt]

yes i think there are multiple options to do manual steps regarding scanning. It's more that the most obvious way of doing it is right there from the Veeam console. all is in place already, just blocked by licensing. It's just that the blocking of the _manual_ yara scan by Veeam is up for discussion if you ask me. It's just does not make enough sense when looking at the way the software reports on malware events coming from inline scans.

[kevlahau]

Lots of info in respect of windows servers but what about Linux systems.. what do I look for in respect to "Ransomware note" and "Encrypted Data'?

[coolsport00]

Hello Daniel,

Thank you for the details, passed that to the Malware Detection team for a review. Regarding the malware note - indeed the exact location is currently not logged, we will note an improvement request. Thank you for your feedback!

Hi @Dima - I only run Inline Scanning myself...as I don't have Guest Indexing turned on in my Jobs (thus File system scan also not enabled). I'm also wanting 1. a dedicated log file for Inline Entropy scans, and if possible...way more details than the vague statements in the Details window. Read a couple of your comment responses on why this may not be possible...but if it can be, I'm a vote for YES! as well BTW..I'm working with support on all my Malware Detection questions, case#07128707 , in case you needed it.

@JaySt - I'm with you a little bit on the not being able to YARA scan ability. We're an SMB with Ent+, but only have Foundation, so not able to scan via YARA. Actually...for whatever reason, not able to scan for A/V either, but that's another issue (not lic) I think...

Another good thread! Thanks for all the info @Hannes @Dima @Gostev

[coolsport00]

Oh, btw...is there a way to scan, on Linux, for YARA or Onion links/files? I think what was posted earlier by @Dima is for Windows only?

Thanks!

[Dima P.]

Lots of info in respect of windows servers but what about Linux systems.. what do I look for in respect to "Ransomware note" and "Encrypted Data'?

Currently it's possibly only by installing the standalone YARA engine to a Linux machine.

I'm also wanting 1. a dedicated log file for Inline Entropy scans, and if possible...way more details than the vague statements in the Details window. Read a couple of your comment responses on why this may not be possible...but if it can be, I'm a vote for YES! as well

We are investigating the possibility, yes.

BTW..I'm working with support on all my Malware Detection questions, case#07128707 , in case you needed it.

Will look into this, thank you!

Oh, btw...is there a way to scan, on Linux, for YARA or Onion links/files? I think what was posted earlier by @Dima is for Windows only?

Correct for now it's a standalone manual scans only, but for sure we plan to add YARA scans for Linux to Veeam B&R in the upcoming releases.

[dellock6]

Shane,
if you mean to scan from Veeam, then it's a no. But actually, if it's a manual scan you can install Yara as a local tool inside the machine:
https://yara.readthedocs.io/en/stable/g ... arted.html

Or, not elegant and integrated like using VBR, you can even use sshfs and then you can think about scanning the machines remotely without installing yara on each node, if you have many machines.

[coolsport00]

Hi Luca -
Yeah...I think there's a tool created on the Community Hub I may try out which can be used for Linux. Thanks for the share!
Best.
Shane

[sergiosergio]

Hi there!

Last night I got a notification of "Potential malware activity detected". This is the history event:


I don't know how or where can I check what is the suspicious data, as there is no info about it nor a log file (Programdata\Veeam\Backup\Malware_Detection_Logs\suspicious_files_24-03-26.log has no info about this event)

Thank you in advance.

[HannesK]

Hello,
and welcome to the forums.

The answer to your question is covered above. The encryption was detected at block level and the software does not know which block is part of which file in this situation.

Best regards,
Hannes

[hensowi]

Hi everyone.

I too have a VM that is getting flagged with the malware detection, Ransomware notice found.

In digging into the system it seems there are valid files on the system that have .onion included. In this specific case it is due to the Brave browser Ad block filter files.

How do I keep the inline scan engine from flagging this VM after every backup with the malware detection, ransomware notice found alert? Is my only solution to exclude the entire VM from the malware scan?

Thanks,
Bill

Case # 07216523

[pankaj]

hi ..Also how can YARA rules be used to scan Linux VM backups?

Please share some steps with example..

[Dima P.]

Hello Pankaj,

Currently Veeam B&R offers a way to perform scan with Yara rules only for Windows machines but we're working to expand this to Linux as well. Thank you!

[nvdwansem]

Hi,

Since I've upgraded to 12.1.2.172 I've been receiving a lot of Potential malware activity detected messages with Detection Source being Onion Link.

Case: 07276987

I've tried multiple things:

1. scan the whole machine with Defender
2. scan the whole machine from VEEAM GUI selecting Scan restore points with an anti virus engine
2. run the findstr command mentioned in this thread
3. enabled guest file system indexing and malware detection
4. scanned partial and everything with enabled guest file system indexing and malware detection

I don't have the license to use the YARA functionality.

I'm getting no results however if I mark the machine as cleaned the detection comes back the next backup cycle.

I'm a bit lost since something is being detected but have no clue what since the message doesn't state where it found something.

Any ideas/suggestions?

[Gostev]

Hi, based on a similar report last week it seems newly added support for detecting onion links in files under 900 bytes in size picks up onion links in cookies left by certain web sites. Let our support confirm this is the case for you as well and in this case perhaps we can create a hotfix that ignores cookie locations.

[Dima P.]

Hello nvdwansem,

Thank you for the support case! Is it possible to install YARA locally to the source host and run this onion link search rule?

[Gostev]

After wasting some time to figure this out, you do it with the following command:

Code: Select all

yara64 -r onion.yar c:

(where C: is the drive letter to scan)

[Gostev]

So apparently I too have some onion links in the Google Chrome cache.

[nvdwansem]

Apart from getting the error cannot open files (yes I'm running it as an admin) I'm not getting any hits.

For testing purposes I've ran the same command on my private pc and indeed also getting hits from Chrome and Brave.

Does this Detection Source being Onion Link always refers to a onion link or can it be something else as well?

[Gostev]

Personally I haven't seen any hits that are not onion links. And you are right, seems like only private PCs have a significant chance to have onion links embedded in Chrome cache due to extensive browsing (so it should not be the case for most production servers). Also, there's a chance the presence of Adblock Plus is the actual culprit - at least this seems to be one commonality.

[nvdwansem]

I do indeed have an ad blocking program installed on my private pc but our servers don't have internet access, so wasn't expecting any hits there to be honest.

[Dima P.]

nvdwansem,

Possibly the indications of the onion links were removed from the cache or those files are locked by some processes? Is it possible to scan the same way the actual backup file / restore point that raised the event?

You can publish disks from the restore point in the question any host, upload the YARA tool / YARA rule and perform another test?

[oikjn]

Add me to the list of users who are grumpy with the inline scanning results of 12.1.

I got blasted with many false positives on .onion links with VMs. this thread was pretty helpful in getting me through manually doing some local yara scans which appear show some results, but only false positives that I can find. Of Couse, since the system is online, I couldn't scan all files to be sure. I'm assuming these are false positives given the systems involved, but I've got some comments.

(1) I understand the inline scanning doesn't allow for the most granular level of feedback, but the manual yara scan can give more information, so why can't you at least give some lines before and after the flagged information at the very least? That would be 1000x more helpful than nothing at all. If you can't do it on the backup scan, at least try and implement something like that into the surebackup scan.
(2)Please implement some level of exclusion granularity between scan for everything and exclude from everything. So, I got a false positive on this onion link issue that I want to exclude... my only option now is to exclude that VM indefinitely from all scanning it would be nice to still monitor that VM for other future warning signs like encrypted files or ransomware notes on that VM even if I exclude it from this specific alert.

[Gostev]

(1) is coming. Inline scan operating on disk image level makes it so much more difficult than YARA scan that works on file system level and thus of course knows each and every file it processes, but still this is doable. For (2) we need at a minimum an ability to exclude Google Chrome cache, which should open an opportunity to specify custom exclusions.

@Dima P. please ask devs to deliver this as a hotfix for 12.1.2 so that it is already proven and solid when included in 12.2

[SnakeSK]

Personally I haven't seen any hits that are not onion links. And you are right, seems like only private PCs have a significant chance to have onion links embedded in Chrome cache due to extensive browsing (so it should not be the case for most production servers). Also, there's a chance the presence of Adblock Plus is the actual culprit - at least this seems to be one commonality.

Easylist downloads those onion files and caches them. Also some sites download it to cookies, facebook for example

Please add major browsers to the list. Not just chrome, we use edge mostly in the enterprise