Hi Veeam-Team,
we are using KB4632 for investigating the Encrypted Data event.
Now the following questions have come up:
What does the percentage mean in the created CSV file?
Is there a list of the different malware detection types (Encrypted Data, Onion link) available? And is there also a KB for the different types, as for the type Encrypted Data (KB 4632)?
Thanks for your help.
regards,
Oliver
Re: How to Investigate 'Encrypted Data Event' from Malware Detection
Hi Oliver

> What does the percentage mean in the created CSV file?

"Percentage" is explained in the KB:
The final column of the CSV report displays the percentage of encryption detected in the first 1MB of the file. As most ransomware encrypts only a portion of each file, the encryption detection tool only checks the first 1MB of the file to maximize investigation performance.

> Is there a list of the different malware detection types (Encrypted Data, Onion link) available?

We provide a list of available malware detection methods and the types of malware we can detect in our help center.

> And is there also a KB for the different types, as for the type Encrypted Data (KB 4632)?

No, different types are listed in other places. Suspicious files are logged on the backup server in a separate folder:
C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\
Other malware activities are logged in the Malware event details in the backup console.
KB4632 for encrypted data is required because Veeam Backup & Replication doesn't provide a session log itself. The backup server knows from the backup session which blocks on the disk are encrypted.
To find the encrypted files, we need the tool in KB4632 to scan the entire backup file with the information about encrypted blocks the backup server has.
Best,
Fabian
Product Management Analyst @ Veeam Software
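As an added illustration (not part of this thread, and not Veeam's tool or the KB4632 script), the following Python sketch shows what a "percentage of encryption in the first 1 MB" figure means in practice: it looks only at the first 1 MiB of a file, in fixed-size chunks, flags chunks whose byte entropy looks like ciphertext, and reports the flagged share; a second helper ranks rows of a report whose last column is that percentage. The entropy heuristic, the 4 KiB chunk size, the 7.5 bits/byte cut-off and the two-column CSV layout with a `Path,Percentage` header are all assumptions made for this example; the thread does not state how the real tool decides what is encrypted or what the other report columns are.

```python
import csv
import io
import math
import random

FIRST_MB = 1024 * 1024          # the detection window the KB describes
CHUNK = 4096                    # assumed chunk size for this example
ENTROPY_THRESHOLD = 7.5         # assumed bits/byte cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def encrypted_percentage(data: bytes, window: int = FIRST_MB,
                         chunk: int = CHUNK,
                         threshold: float = ENTROPY_THRESHOLD) -> float:
    """Percentage of chunks within the first `window` bytes that look encrypted.

    Bytes beyond `window` are ignored, mirroring the KB's note that only the
    first 1 MB of each file is checked.
    """
    head = data[:window]
    chunks = [head[i:i + chunk] for i in range(0, len(head), chunk)]
    if not chunks:
        return 0.0
    flagged = sum(1 for c in chunks if shannon_entropy(c) >= threshold)
    return round(100.0 * flagged / len(chunks), 1)


def rank_report(csv_text: str, min_percentage: float = 0.0) -> list:
    """Parse a report whose final column is the percentage; rank rows by it.

    Only the position of the percentage (last column) follows the KB's
    description; the header and the first column are assumptions.
    """
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        try:
            pct = float(row[-1].rstrip("%"))
        except ValueError:
            continue  # header line or malformed row
        if pct >= min_percentage:
            rows.append((row[0], pct))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample data for this example (not real backup contents).
_rng = random.Random(1234)
_LINE = b"Quarterly report: revenue was flat; costs rose 3%.\n"
TEXT_BLOCK = (_LINE * (512 * 1024 // len(_LINE) + 1))[:512 * 1024]   # 512 KiB of plain text
CIPHER_BLOCK = _rng.randbytes(512 * 1024)                           # 512 KiB standing in for ciphertext

HALF_ENCRYPTED = TEXT_BLOCK + CIPHER_BLOCK                 # 1 MiB file, second half "encrypted"
TAIL_ONLY = (TEXT_BLOCK * 2) + _rng.randbytes(FIRST_MB)    # encryption only after the 1 MiB window

SAMPLE_CSV = """Path,Percentage
C:\\Data\\invoices.xlsx,100
C:\\Data\\notes.txt,0
C:\\Data\\archive.zip,48.5
"""

if __name__ == "__main__":
    print("half encrypted :", encrypted_percentage(HALF_ENCRYPTED))   # 50.0
    print("tail only      :", encrypted_percentage(TAIL_ONLY))        # 0.0 (outside the window)
    for path, pct in rank_report(SAMPLE_CSV, min_percentage=25):
        print(f"{pct:6.1f}%  {path}")
```

The `TAIL_ONLY` case is the one worth remembering during an investigation: a file whose encrypted region starts after the first 1 MB reports 0% under this window rule, so a low percentage narrows the search but does not by itself clear a file.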