Dima P.
Product Manager
Posts: 14735
Liked: 1708 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Anyway we appear to have moved on, finally. We are unsure at the moment the value of enabling the Inline scan and will review the use of it
I'd say if you use inline scan and index scan together the resulting information is more accurate and sensitive, because inline scan can't tell you what's affected but at the same time can identify data being encrypted by a totally new, unknown ransomware family which is not listed in SuspiciousFiles.xml yet, while old, known ransomware tools can be caught via index analytics.
This file was driving me crazy. I was sure I understood the purpose
Saw this issue couple of times myself, shared my feedback with support management.
Also how can YARA rules be used to scan Linux VM backups? The Scan option is only available for Windows VM backups
Correct, AV scan and YARA scan functionality is currently aimed at Windows machines. We plan to add the ability to scan Linux machines in the next versions.
victor.bylin@atea.se
Service Provider
Posts: 47
Liked: 2 times
Joined: Oct 26, 2017 11:22 am
Full Name: Victor
Contact:

Re: Malware detection, Ransomware Notice found

Post by victor.bylin@atea.se » 1 person likes this post

Hi,

I think this feature has been implemented wrong. I understand that you at Veeam want to push customers to the whole suite. But to create an alarm that says that you have a ransomware note and then have no option to view more information without buying the whole suite, I think that is just wrong. If you want it to only be possible to check ransomware notes in the full suite, then just present that alarm where the whole suite is licensed. But personally I don't see why the ransomware note path is not just logged where the file extension (suspicious file extensions) alarm, for example, is logged.
Dima P.
Product Manager
Posts: 14735
Liked: 1708 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello Victor,

The reason behind this is not licensing. Inline detection does not work on the file system level, instead it tracks the suspicious patterns on a block level, while data is being transferred through a backup proxy. As such, we don't know which specific file is encrypted, contains ransomware note or .onion links.

So for this particular detection engine, currently the only way to find out the path of the impacted file is with an antivirus scan (the feature is available in all editions), with the FINDSTR utility, or with the YARA utility. Only automated YARA scans require the suite.

Thank you!
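As an added illustration of the point made in this reply and earlier in the thread (inline scan works on blocks in transit, so it can flag encrypted data but cannot name the file), here is a small block-level entropy detector. This is example code written for this page, not Veeam's inline scan engine and not anyone's code from the thread; the block size, the 7.5 bits/byte threshold and the constructed sample image are assumptions, and the real engine's patterns are not described on this page.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096            # assumed block size for the illustration
ENTROPY_THRESHOLD = 7.5      # bits per byte; hypothetical threshold, not Veeam's


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_high_entropy_blocks(image: bytes, block_size: int = BLOCK_SIZE,
                             threshold: float = ENTROPY_THRESHOLD):
    """Return (block_index, entropy) for every block whose entropy exceeds the threshold.

    Only block offsets come out of this stage: mapping an offset back to a file name
    would require parsing the file system inside the image, which a transfer-time scan
    does not do. Compressed or legitimately encrypted data scores just as high, which is
    one source of false positives.
    """
    flagged = []
    for offset in range(0, len(image), block_size):
        entropy = shannon_entropy(image[offset:offset + block_size])
        if entropy > threshold:
            flagged.append((offset // block_size, round(entropy, 2)))
    return flagged


def build_sample_image() -> bytes:
    """Constructed sample: 4 blocks of plain text followed by 4 blocks of random bytes.

    The random bytes stand in for encrypted file content; the seed keeps the run repeatable.
    """
    line = b"quarterly report: revenue up 3 percent, see attached spreadsheet\n"
    text_block = (line * 64)[:BLOCK_SIZE]
    rng = random.Random(1234)
    noisy = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE * 4))
    return text_block * 4 + noisy


if __name__ == "__main__":
    image = build_sample_image()
    for index, entropy in flag_high_entropy_blocks(image):
        print(f"block {index}: {entropy} bits/byte -> suspicious (file unknown at this stage)")
```

Running it reports blocks 4 to 7 as suspicious and nothing else; the text blocks sit well below the threshold. The output contains only block numbers, which is exactly the situation the thread complains about: a second, file-system-aware pass (index scan, antivirus or a YARA scan) is needed to turn an offset into a path.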
JaySt
Service Provider
Posts: 454
Liked: 86 times
Joined: Jun 09, 2015 7:08 pm
Full Name: JaySt
Contact:

Re: Malware detection, Ransomware Notice found

Post by JaySt » 1 person likes this post

Boy, was I disappointed today to learn a VUL license (having the Enterprise Plus feature set) would not be enough to use the manually started YARA scanning post-backup (the "scan backup" functionality on a VM that triggered a ransomware note malware detection event after inline scanning completed).
"Yara scan functionality is not available in your Veeam Data Platform edition."

When looking at the feature compare PDF at https://www.veeam.com/veeam_data_platfo ... son_ds.pdf, I can see some requirements for the Advanced or Premium suite being described, but hats off to anyone who was able to get that fact out of the document. By reading the doc, I can sort of conclude automated SureBackup configuration would not let you use YARA scanning and the "secure restore" feature (as part of the actual restore) would not let you use YARA scanning. But I was not expecting the manually started scan would also require the Advanced or Premium suite. Bummer for all those customers that we got so far to upgrade their lower edition socket based licensing to Enterprise Plus feature set VUL licensing. I understand Veeam needs to draw the line somewhere when mapping features to editions and suites, but IMHO this line is misplaced in this specific case.
Veeam Certified Engineer
JaySt
Service Provider
Posts: 454
Liked: 86 times
Joined: Jun 09, 2015 7:08 pm
Full Name: JaySt
Contact:

Re: Malware detection, Ransomware Notice found

Post by JaySt » 1 person likes this post

Additional view on this, as it kind of bothers me quite heavily:
Customer with a few hundred VMs running VUL Ent Plus upgraded to 12.1.1. Wanted to enable inline scanning, but not index scanning, due to the effort needed for the job reconfiguration regarding guest integration etc. So off we went. After some time, 10 or so VMs got marked by malware detection with ransomware note remarks. Hard stop. How does Veeam expect admins to react to such events while given zero information about what and where, with all things "ransomware" setting off all kinds of thoughts and worries? Why would this alert be given without further means or anything?
So we had the suggestion to do some manual YARA scanning for one of the VMs, as it is better than the suggestion to do a FINDSTR across the VM (really?). And then again a hard stop on the license.
Inline scanning would probably be better implemented if it would only report on suspicious change activity when not on the Advanced or Premium suite.
Veeam Certified Engineer
Dima P.
Product Manager
Posts: 14735
Liked: 1708 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello JaySt,
hats off to anyone who was able to get that fact out of the document. by reading the doc, I can sort of conclude automated surebackup configuration would not let you use yara scanning and the "secure restore" feature -as part of the actual restore- would not let you use yara scanning. But i was not expecting the manually started scan would also require the advanced or premium suite.
Generally YARA scan is a part of SureBackup engine, so that's why the line 'YARA scan (*YARA Scan requires Advanced or Premium Edition)' was added to the SureBackup bullet. I agree that it should be more straight forward, will pass the feedback to our marketing team to avoid further confusion. Thank you for the feedback!
So we had the suggestion to do some manual yara scanning for one of the vms, as it is better than the suggestion to do a FINDSTR across the vm (really?). And then again a hard stop on the license.
Can you please elaborate why it's not possible to install a YARA engine manually to the machine and use the mentioned rule to search for the suspicious files with onion links or use the command line? I understand that this would be manual work, but it's totally free and does not require any licensing changes from the customer.
JaySt
Service Provider
Posts: 454
Liked: 86 times
Joined: Jun 09, 2015 7:08 pm
Full Name: JaySt
Contact:

Re: Malware detection, Ransomware Notice found

Post by JaySt » 1 person likes this post

Yes, I think there are multiple options to do manual steps regarding scanning. It's more that the most obvious way of doing it is right there from the Veeam console. All is in place already, just blocked by licensing. It's just that the blocking of the _manual_ YARA scan by Veeam is up for discussion if you ask me. It just does not make enough sense when looking at the way the software reports on malware events coming from inline scans.
Veeam Certified Engineer
kevlahau
Influencer
Posts: 13
Liked: 6 times
Joined: Apr 02, 2020 12:59 am
Full Name: Kevin Woolard
Contact:

Re: Malware detection, Ransomware Notice found

Post by kevlahau » 1 person likes this post

Lots of info in respect of Windows servers, but what about Linux systems? What do I look for in respect to "Ransomware note" and "Encrypted Data"?
coolsport00
Veeam Legend
Posts: 124
Liked: 32 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Dima P. wrote: Dec 11, 2023 5:06 pm Hello Daniel,

Thank you for the details, passed that to the Malware Detection team for a review. Regarding the malware note - indeed the exact location is currently not logged, we will note an improvement request. Thank you for your feedback!
Hi @Dima - I only run Inline Scanning myself...as I don't have Guest Indexing turned on in my Jobs (thus File system scan also not enabled). I'm also wanting 1. a dedicated log file for Inline Entropy scans, and if possible...way more details than the vague statements in the Details window. Read a couple of your comment responses on why this may not be possible...but if it can be, I'm a vote for YES! as well :) BTW..I'm working with support on all my Malware Detection questions, case#07128707 , in case you needed it.

@JaySt - I'm with you a little bit on the not being able to YARA scan ability. We're an SMB with Ent+, but only have Foundation, so not able to scan via YARA. Actually...for whatever reason, not able to scan for A/V either, but that's another issue (not lic) I think...

Another good thread! Thanks for all the info @Hannes @Dima @Gostev
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
coolsport00
Veeam Legend
Posts: 124
Liked: 32 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Oh, btw...is there a way to scan, on Linux, for YARA or Onion links/files? I think what was posted earlier by @Dima is for Windows only?

Thanks!
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
Dima P.
Product Manager
Posts: 14735
Liked: 1708 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Lots of info in respect of Windows servers, but what about Linux systems? What do I look for in respect to "Ransomware note" and "Encrypted Data"?
Currently it's possible only by installing the standalone YARA engine on a Linux machine.
I'm also wanting 1. a dedicated log file for Inline Entropy scans, and if possible...way more details than the vague statements in the Details window. Read a couple of your comment responses on why this may not be possible...but if it can be, I'm a vote for YES! as well :)
We are investigating the possibility, yes.
BTW..I'm working with support on all my Malware Detection questions, case#07128707 , in case you needed it.
Will look into this, thank you!
Oh, btw...is there a way to scan, on Linux, for YARA or Onion links/files? I think what was posted earlier by @Dima is for Windows only?
Correct, for now it's standalone manual scans only, but for sure we plan to add YARA scans for Linux to Veeam B&R in the upcoming releases.
dellock6
VeeaMVP
Posts: 6166
Liked: 1971 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Malware detection, Ransomware Notice found

Post by dellock6 »

Shane,
if you mean to scan from Veeam, then it's a no. But actually, if it's a manual scan you can install Yara as a local tool inside the machine:
https://yara.readthedocs.io/en/stable/g ... arted.html

Or, not as elegant and integrated as using VBR, you can even use sshfs and then think about scanning the machines remotely without installing YARA on each node, if you have many machines.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
coolsport00
Veeam Legend
Posts: 124
Liked: 32 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

Hi Luca -
Yeah...I think there's a tool created on the Community Hub I may try out which can be used for Linux. Thanks for the share!
Best.
Shane
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
sergiosergio
Lurker
Posts: 2
Liked: never
Joined: Mar 27, 2024 1:03 pm
Full Name: Sergio
Contact:

[MERGED] Potential malware activity detected: Encrypted data

Post by sergiosergio »

Hi there!

Last night I got a notification of "Potential malware activity detected". This is the history event:
[Image]

I don't know how or where can I check what is the suspicious data, as there is no info about it nor a log file (Programdata\Veeam\Backup\Malware_Detection_Logs\suspicious_files_24-03-26.log has no info about this event)

Thank you in advance.
HannesK
Product Manager
Posts: 14881
Liked: 3099 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by HannesK »

Hello,
and welcome to the forums.

The answer to your question is covered above. The encryption was detected at block level and the software does not know which block is part of which file in this situation.

Best regards,
Hannes
hensowi
Lurker
Posts: 1
Liked: 1 time
Joined: Apr 18, 2024 5:58 pm
Full Name: Bill Henson
Contact:

Re: Malware detection, Ransomware Notice found

Post by hensowi » 1 person likes this post

Hi everyone.

I too have a VM that is getting flagged with the malware detection, Ransomware notice found.

In digging into the system it seems there are valid files on the system that have .onion included. In this specific case it is due to the Brave browser Ad block filter files.

How do I keep the inline scan engine from flagging this VM after every backup with the malware detection, ransomware notice found alert? Is my only solution to exclude the entire VM from the malware scan?

Thanks,
Bill

Case # 07216523
pankaj
Veeam Software
Posts: 71
Liked: 5 times
Joined: Jan 09, 2014 6:27 pm
Full Name: pankaj jaiswal
Contact:

Re: Malware detection, Ransomware Notice found

Post by pankaj »

Hi. Also, how can YARA rules be used to scan Linux VM backups?

Please share some steps with an example.
Dima P.
Product Manager
Posts: 14735
Liked: 1708 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello Pankaj,

Currently Veeam B&R offers a way to perform a scan with YARA rules only for Windows machines, but we're working to expand this to Linux as well. Thank you!
nvdwansem
Enthusiast
Posts: 47
Liked: 10 times
Joined: Oct 22, 2018 8:33 am
Contact:

Re: Malware detection, Ransomware Notice found

Post by nvdwansem »

Hi,

Since I've upgraded to 12.1.2.172 I've been receiving a lot of Potential malware activity detected messages with Detection Source being Onion Link.

Case: 07276987

I've tried multiple things:

1. scan the whole machine with Defender
2. scan the whole machine from the VEEAM GUI selecting "Scan restore points with an antivirus engine"
3. run the findstr command mentioned in this thread
4. enabled guest file system indexing and malware detection
5. scanned partial and everything with enabled guest file system indexing and malware detection

I don't have the license to use the YARA functionality.

I'm getting no results; however, if I mark the machine as cleaned the detection comes back the next backup cycle.

I'm a bit lost since something is being detected but have no clue what since the message doesn't state where it found something.

Any ideas/suggestions?
Gostev
Chief Product Officer
Posts: 31835
Liked: 7326 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Malware detection, Ransomware Notice found

Post by Gostev » 1 person likes this post

Hi, based on a similar report last week it seems newly added support for detecting onion links in files under 900 bytes in size picks up onion links in cookies left by certain web sites. Let our support confirm this is the case for you as well and in this case perhaps we can create a hotfix that ignores cookie locations.
Dima P.
Product Manager
Posts: 14735
Liked: 1708 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello nvdwansem,

Thank you for the support case! Is it possible to install YARA locally to the source host and run this onion link search rule?
Gostev
Chief Product Officer
Posts: 31835
Liked: 7326 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Malware detection, Ransomware Notice found

Post by Gostev » 2 people like this post

After wasting some time to figure this out, you do it with the following command:

Code:

yara64 -r onion.yar c:

(where C: is the drive letter to scan)
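The yara64 command above runs the onion-link rule over a live drive. As an added example, written for this page and not Veeam's code nor the rule file from the thread, the Python script below does the same job without the YARA engine, with the three things the later replies ask for: an optional size cap (the thread mentions detection of files under 900 bytes), exclusion of browser cache and cookie locations that the thread identifies as false-positive sources, and an explicit list of files that could not be opened instead of a silent "cannot open file" error. The regular expression, the exclusion path fragments and the sample tree are assumptions; the 56-character onion name is a constructed placeholder, not a real address.

```python
import re
import tempfile
from pathlib import Path

# v3 onion hostnames are 56 base32 characters (a-z, 2-7); legacy v2 names were 16.
ONION_RE = re.compile(rb"\b[a-z2-7]{56}\.onion\b|\b[a-z2-7]{16}\.onion\b")

# Path fragments treated as known false-positive sources (browser caches / cookies).
# Assumed examples only, not an official Veeam exclusion list.
DEFAULT_EXCLUDES = (
    "Google/Chrome/User Data",
    "BraveSoftware/Brave-Browser/User Data",
    "Microsoft/Edge/User Data",
)


def scan_tree(root, max_size=None, excludes=DEFAULT_EXCLUDES):
    """Recursively scan `root` for onion hostnames.

    Returns (hits, skipped, excluded):
      hits     - (relative path, byte offset, matched hostname) per match
      skipped  - (relative path, error text) for files that could not be read (locked, no access)
      excluded - relative paths skipped because they matched an exclusion fragment
    Files larger than `max_size` bytes are ignored when `max_size` is set.
    """
    root = Path(root)
    hits, skipped, excluded = [], [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fragment in rel for fragment in excludes):
            excluded.append(rel)
            continue
        try:
            if max_size is not None and path.stat().st_size > max_size:
                continue
            data = path.read_bytes()
        except OSError as exc:
            skipped.append((rel, str(exc)))
            continue
        for match in ONION_RE.finditer(data):
            hits.append((rel, match.start(), match.group().decode("ascii")))
    return hits, skipped, excluded


# Constructed 56-character placeholder; it is not a real onion address.
FAKE_ONION = b"abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"


def build_sample_tree():
    """Create a temporary directory of constructed sample files and return its root."""
    root = Path(tempfile.mkdtemp(prefix="onion_scan_"))
    desktop = root / "Users/alice/Desktop"
    desktop.mkdir(parents=True)
    # 1) a small text file carrying an onion link: what the rule is meant to find
    (desktop / "README_RESTORE.txt").write_bytes(
        b"Constructed sample note: contact http://" + FAKE_ONION + b"/ for instructions\n")
    # 2) a benign file with no link
    (desktop / "notes.txt").write_bytes(b"nothing of interest here\n")
    # 3) an ad-block filter entry in a browser cache, the false positive discussed in the thread
    cache = root / "Users/alice/AppData/Local/Google/Chrome/User Data/Default/Cache"
    cache.mkdir(parents=True)
    (cache / "f_000123").write_bytes(b"||" + FAKE_ONION + b"^$third-party\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    hits, skipped, excluded = scan_tree(sample_root)
    for rel, offset, host in hits:
        print(f"HIT   {rel} @ byte {offset}: {host}")
    for rel in excluded:
        print(f"SKIP  {rel} (excluded location)")
    for rel, err in skipped:
        print(f"ERROR {rel}: {err}")
```

Against the sample tree the scan reports one hit (the text file on the desktop) and one excluded file (the cache entry); with `excludes=()` the cache entry becomes a second hit, which is the behaviour the thread describes for Chrome, Brave and Edge profiles. Point `scan_tree` at a mounted or published restore point rather than the live system to avoid the locked-file errors mentioned later in the thread.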
Gostev
Chief Product Officer
Posts: 31835
Liked: 7326 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Malware detection, Ransomware Notice found

Post by Gostev »

So apparently I too have some onion links in the Google Chrome cache.
nvdwansem
Enthusiast
Posts: 47
Liked: 10 times
Joined: Oct 22, 2018 8:33 am
Contact:

Re: Malware detection, Ransomware Notice found

Post by nvdwansem »

Apart from getting the error "cannot open files" (yes, I'm running it as an admin) I'm not getting any hits.

For testing purposes I've run the same command on my private PC and indeed I'm also getting hits from Chrome and Brave.

Does this Detection Source being Onion Link always refer to an onion link, or can it be something else as well?
Gostev
Chief Product Officer
Posts: 31835
Liked: 7326 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Malware detection, Ransomware Notice found

Post by Gostev »

Personally I haven't seen any hits that are not onion links. And you are right, seems like only private PCs have a significant chance to have onion links embedded in Chrome cache due to extensive browsing (so it should not be the case for most production servers). Also, there's a chance the presence of Adblock Plus is the actual culprit - at least this seems to be one commonality.
nvdwansem
Enthusiast
Posts: 47
Liked: 10 times
Joined: Oct 22, 2018 8:33 am
Contact:

Re: Malware detection, Ransomware Notice found

Post by nvdwansem »

I do indeed have an ad blocking program installed on my private pc but our servers don't have internet access, so wasn't expecting any hits there to be honest.
Dima P.
Product Manager
Posts: 14735
Liked: 1708 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

nvdwansem,

Possibly the indications of the onion links were removed from the cache, or those files are locked by some processes? Is it possible to scan in the same way the actual backup file / restore point that raised the event?

You can publish disks from the restore point in question to any host, upload the YARA tool / YARA rule and perform another test?
oikjn
Novice
Posts: 4
Liked: 1 time
Joined: Oct 03, 2017 1:52 pm
Full Name: Andrew
Contact:

Re: Malware detection, Ransomware Notice found

Post by oikjn » 1 person likes this post

Add me to the list of users who are grumpy with the inline scanning results of 12.1.

I got blasted with many false positives on .onion links with VMs. This thread was pretty helpful in getting me through manually doing some local YARA scans, which appear to show some results, but only false positives that I can find. Of course, since the system is online, I couldn't scan all files to be sure. I'm assuming these are false positives given the systems involved, but I've got some comments.

(1) I understand the inline scanning doesn't allow for the most granular level of feedback, but the manual YARA scan can give more information, so why can't you at least give some lines before and after the flagged information at the very least? That would be 1000x more helpful than nothing at all. If you can't do it on the backup scan, at least try and implement something like that into the SureBackup scan.
(2) Please implement some level of exclusion granularity between scan for everything and exclude from everything. So, I got a false positive on this onion link issue that I want to exclude... my only option now is to exclude that VM indefinitely from all scanning. It would be nice to still monitor that VM for other future warning signs like encrypted files or ransomware notes on that VM even if I exclude it from this specific alert.
Gostev
Chief Product Officer
Posts: 31835
Liked: 7326 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Malware detection, Ransomware Notice found

Post by Gostev » 1 person likes this post

(1) is coming. Inline scan operating on disk image level makes it so much more difficult than YARA scan that works on file system level and thus of course knows each and every file it processes, but still this is doable. For (2) we need at a minimum an ability to exclude Google Chrome cache, which should open an opportunity to specify custom exclusions.

@Dima P. please ask devs to deliver this as a hotfix for 12.1.2 so that it is already proven and solid when included in 12.2
SnakeSK
Service Provider
Posts: 93
Liked: 26 times
Joined: Feb 09, 2019 5:06 pm
Contact:

Re: Malware detection, Ransomware Notice found

Post by SnakeSK » 1 person likes this post

Gostev wrote: May 28, 2024 2:40 pm Personally I haven't seen any hits that are not onion links. And you are right, seems like only private PCs have a significant chance to have onion links embedded in Chrome cache due to extensive browsing (so it should not be the case for most production servers). Also, there's a chance the presence of Adblock Plus is the actual culprit - at least this seems to be one commonality.
EasyList downloads those onion files and caches them. Also some sites download it to cookies, Facebook for example.

Please add major browsers to the list, not just Chrome; we use Edge mostly in the enterprise.