same situation here, no more false positive reports
Thanks for the fix
rule OnionLinks
{
    meta:
        description = "Onion link"
    strings:
        // v2 addresses: 16 base32 characters (a-z, 2-7) before ".onion"
        $onion_linkv2 = /\b([a-z2-7]{16}\.onion)\b/i
        // v3 addresses: 56 base32 characters before ".onion"
        $onion_linkv3 = /\b([a-z2-7]{56}\.onion)\b/i
    condition:
        any of ($onion_linkv2,$onion_linkv3)
}
Heck yeah! Thanks @Dima! Please pass along our appreciation to your Devs. I haven't had an 'encrypted data' event in a while... not sure I can run this script on past systems? But, anxious to see how this works nonetheless.

Dima P. wrote: ↑Jul 03, 2024 8:34 am Hello guys,
For those who wanted to investigate the 'Encrypted Data' malware event and get the path of the questionable files, we've prepared a tool and scripts that allow you to get all the needed information (encrypted block and offsets from the original source disk, from the Veeam B&R database) and match those with the file system from the backup file in question during the mount operation. While the mount is performed we can gather the information about such files and paths and collect all that in a dedicated CSV file.
One note to keep in mind: this tool / script works only for the Encrypted Data malware events created with the latest Veeam B&R patch 12.1.2.
Please take a look and let us know how it works for your environment: How to Investigate 'Encrypted Data Event' from Malware Detection. Thank you!
@Stabz - was the Yara scan from within Veeam, or a manually run scan directly on the VM?

Stabz wrote: ↑Jul 03, 2024 12:14 pm Hello
I'm playing with the inline malware detection.
On a test server I created a file with only an onion link in it, my link "rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs41t4pdrqqd.onion"
At the end of the backup job I got an event Malware detection, detection source: Onion link
But when I used the YaraRule, my file is not detected... Any idea?
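An added example (not from this thread, and not Veeam's code): the two patterns from the posted YARA rule applied in Python to constructed sample text, plus a small helper that explains why a candidate did not match. The test address from the post above is 56 characters long but contains a '1', which is outside the base32 alphabet a-z2-7 the rule requires, so the rule stays silent on it even though the inline detector fired; function names and the sample text are my own.

```python
import re

# Same two patterns as the posted YARA rule, compiled case-insensitively (the /i flag):
# v2 = 16 base32 characters, v3 = 56 base32 characters, each followed by ".onion".
ONION_PATTERNS = {
    "onion_linkv2": re.compile(r"\b([a-z2-7]{16}\.onion)\b", re.IGNORECASE),
    "onion_linkv3": re.compile(r"\b([a-z2-7]{56}\.onion)\b", re.IGNORECASE),
}

# The alphabet the rule's character class allows (RFC 4648 base32, lower-case).
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def find_onion_links(text):
    """Return (pattern name, matched address) for every hit. This mirrors the
    rule's 'any of' condition: the rule fires exactly when the list is non-empty."""
    hits = []
    for name, pattern in ONION_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((name, match.group(1)))
    return hits


def explain_no_match(candidate):
    """For a string that looks like a .onion address but produced no hit, report
    the label length and every (index, char) that is outside the base32 alphabet."""
    label = candidate.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    bad = sorted((i, c) for i, c in enumerate(label) if c not in BASE32_ALPHABET)
    return {"length": len(label), "invalid_chars": bad}


# Constructed sample text: a well-formed v3 label, a well-formed v2 label, and the
# test string from the post above (56 chars, but with a '1' at index 47).
SAMPLE = """
contact: abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion
old-style: abcdefghijklmnop.onion
from the post: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs41t4pdrqqd.onion
"""

if __name__ == "__main__":
    for name, addr in find_onion_links(SAMPLE):
        print(f"{name}: {addr}")
    print(explain_no_match("rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs41t4pdrqqd.onion"))
```

Running it lists only the two constructed addresses as hits; the helper reports the post's string as length 56 with one invalid character, the '1'.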
Downloaded this.

Dima P. wrote: ↑Jul 03, 2024 8:34 am Hello guys,