-
- Enthusiast
- Posts: 29
- Liked: 3 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
How to Investigate 'Encrypted Data Event' from Malware Detection
Hi Veeam-Team,
We are using KB4632 for investigating the Encrypted Data Event.
Now the following questions have come up:
What does the percentage mean in the created CSV file?
Is there a list of the different malware detection types (Encrypted Data, Onion link) available? And is there also a KB for the different types, as for the type Encrypted Data (KB 4632)?
Thanks for your help.
regards,
Oliver
-
- Product Manager
- Posts: 10471
- Liked: 2808 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: How to Investigate 'Encrypted Data Event' from Malware Detection
Hi Oliver
"Percentage" is explained in the KB:
The final column of the CSV report displays the percentage of encryption detected in the first 1MB of the file. As most ransomware encrypts only a portion of each file, the encryption detection tool only checks the first 1MB of the file to maximize investigation performance.
> Is there a list of the different malware detection types (Encrypted Data, Onion link) available?
We provide a list of available malware detection methods and the types of malware we can detect in our helpcenter.
> And is there also a KB for the different types, as for the type Encrypted Data (KB 4632)?
No, different types are listed in other places. Suspicious files are logged on the backup server in a separate folder:
C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\
Other malware activities are logged in the Malware event details in the backup console.
KB4632 for encrypted data is required because Veeam Backup & Replication doesn’t provide a session log itself. The backup server knows from the backup session which blocks on the disk are encrypted.
To find the encrypted files, we need the tool in KB4632 to scan the entire backup file with the information about encrypted blocks the backup server has.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Enthusiast
- Posts: 29
- Liked: 3 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
Re: How to Investigate 'Encrypted Data Event' from Malware Detection
Hi Fabian,
please allow me to ask one more question: how does it work for an onion link event?
Is there a log file as well?
Regards,
Oliver
-
- Product Manager
- Posts: 10471
- Liked: 2808 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: How to Investigate 'Encrypted Data Event' from Malware Detection
Hi Oliver,
When we detect an onion link, we raise a Malware "Suspicious" alert.
You can open the alert, and it will include a path to a log file on the backup server. This log file will provide you with the exact path of the onion link inside the protected machine.
[10.06.2025 11:21:06.071] <48> Warning (3) FK-Win2025-01:441389bc-8091-4780-bdb4-db92e7e0bf9e:c:\_adminfiles\**************************.onion

Best,
Fabian
Product Management Analyst @ Veeam Software
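The log line Fabian posted is the only documented shape of a Malware_Detection_Logs entry in this thread, so the following is an added example (not Veeam's tool or any code from the thread) of how an administrator could parse such lines to triage onion-link findings per protected machine and filter them by date. The field meanings (timestamp, thread id, level, code, host name, object GUID, path), the day.month.year date order, and the `*.log` file extension are assumptions drawn from that single line. The first sample line is the one from the post (file name redacted with asterisks as posted); the other two are constructed.

```python
"""Triage helper for Veeam Malware_Detection_Logs lines of the shape posted above.

Field meanings are an assumption based on the single line in the thread,
not a documented format: [timestamp] <thread> Level (code) host:guid:path
"""
import re
import sys
from datetime import datetime
from pathlib import Path

# Constructed sample: line 1 is the one from the thread, lines 2 and 3 are made up.
SAMPLE_LOG = r"""[10.06.2025 11:21:06.071] <48> Warning (3) FK-Win2025-01:441389bc-8091-4780-bdb4-db92e7e0bf9e:c:\_adminfiles\**************************.onion
[10.06.2025 11:21:06.080] <48> Info (0) Scan finished
[11.06.2025 02:03:14.500] <12> Warning (3) FILESRV-02:0e1f2a3b-4c5d-6e7f-8091-a2b3c4d5e6f7:d:\shares\public\READ_ME.onion
"""

# Timestamp order (day.month.year) is assumed from the posted line.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\] "
    r"<(?P<thread>\d+)> (?P<level>\w+) \((?P<code>\d+)\) "
    r"(?P<host>[^:\s]+):"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}):"
    r"(?P<path>.+)$"
)


def parse_line(line: str):
    """Return a dict for a detection line (host:guid:path); None for other lines."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    d = m.groupdict()
    d["timestamp"] = datetime.strptime(d.pop("ts"), "%d.%m.%Y %H:%M:%S.%f")
    d["thread"] = int(d["thread"])
    d["code"] = int(d["code"])
    return d


def parse_log(text: str):
    """Parse every detection line in a log body, skipping lines that do not match."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def findings_since(text: str, since_iso: str):
    """Keep only findings at or after an ISO-8601 timestamp, e.g. '2025-06-11'."""
    since = datetime.fromisoformat(since_iso)
    return [f for f in parse_log(text) if f["timestamp"] >= since]


def summarize_by_host(findings):
    """Count findings per protected machine for a quick triage overview."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


def load_directory(log_dir: str):
    """Parse all *.log files in the log folder (extension is an assumption)."""
    files = sorted(Path(log_dir).glob("*.log"))
    text = "".join(p.read_text(errors="replace") for p in files)
    return parse_log(text)


if __name__ == "__main__":
    # Usage: python triage.py [C:\ProgramData\Veeam\Backup\Malware_Detection_Logs]
    # Without an argument the built-in constructed sample is used.
    results = load_directory(sys.argv[1]) if len(sys.argv) > 1 else parse_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']:%Y-%m-%d %H:%M:%S}  {f['host']:<16} {f['path']}")
    print("per host:", summarize_by_host(results))
```

Run it against the log folder Fabian named to get one line per flagged path, grouped by machine; the date filter helps when the alert itself lacks the path and you only know roughly when the job ran.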
-
- Enthusiast
- Posts: 29
- Liked: 3 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
Re: How to Investigate 'Encrypted Data Event' from Malware Detection
Hi Fabian,
unfortunately the alert does not contain the path to the log. The details part is empty, or rather the path is missing.
If I take a look into C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\ the log is not up to date. Is there any other directory where I can take a look?
Regards,
Oliver
-
- Product Manager
- Posts: 10471
- Liked: 2808 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: How to Investigate 'Encrypted Data Event' from Malware Detection
The log path should be in the alarm (v12.1.1 and later).
If you can't see the log file, no Onion links were detected or there might be an issue. In that case, I recommend opening a case with customer support.
Or did you change the default log location for Veeam Backup & Replication?
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Enthusiast
- Posts: 29
- Liked: 3 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
Re: How to Investigate 'Encrypted Data Event' from Malware Detection
Hi Fabian,
the version is 12.3.1.1139. The only info in the details part is: Potential malware activity detected
I'm not aware that anyone changed the log path; where can I do that?
regards,
Oliver