cgsm
Expert
Posts: 105
Liked: 21 times
Joined: Oct 05, 2021 3:55 pm

Veeam Threat Hunter False-Positive in OST File

Post by cgsm »

Hello,

I have a SureBackup job running Veeam Threat Hunter on a number of my VMs. One VM is a user's desktop and their Outlook .ost file is constantly (each time the job is run) detected as having an infection. I have scanned the VM using MS Defender, MSERT, scanned the OST file via VirusTotal, and performed other scans and found no such infection. I have also had the user go through their mailbox and delete nearly everything outside of very recent emails/etc. Threat Hunter continues to find an infection. It looks like a false-positive by Threat Hunter.

Second part to this is: I can mark the restore point as clean, and I can click the "Exclude this workload..." checkbox, but the infection continues to be found over and over. The exclude does not seem to function.

Case #07720977.
david.domask
Veeam Software
Posts: 2838
Liked: 650 times
Joined: Jun 28, 2016 12:12 pm

Re: Veeam Threat Hunter False-Positive in OST File

Post by david.domask »

Hi cgsm,

Thank you for sharing the case number and for the details. Looks like the case just got opened, so please allow Support time to review the situation with the unexpected flag.

For your second part, to confirm you're setting the exclusion as shown here, correct?

Please see the note on that page:

Note: Malware exclusions are applied only to guest indexing data scan and inline scan and do not affect scan using Veeam Threat Hunter, third-party antivirus software, or YARA.

So Threat Hunter scans from Scan Backup or SureBackup jobs will scan any machine it is instructed to. If you're using SureBackup, consider excluding this machine while Support reviews the situation.
David Domask | Product Management: Principal Analyst
cgsm
Expert
Posts: 105
Liked: 21 times
Joined: Oct 05, 2021 3:55 pm

Re: Veeam Threat Hunter False-Positive in OST File

Post by cgsm »

Hi David,

The exclusion I am talking about is when I receive a malware detected notice after SureBackup in Inventory > Malware Detection. I right click the VM, click mark as clean, and click exclude. I am not doing the exclude as you show.

Per support, I had to set a registry key to exclude the false-positive: https://www.veeam.com/kb4688. I do not understand why this was the fix, but the false-positive has not reoccurred.