Veeam B&R Malware detection, file location

[tcathey]

Feature Request: Add file locations to all potential malware detections in the VBR Malware module.

Details:
---------
This stems from investigation on potential Malware based on VBR suspicious detections. Related to "Veeam Support - Case # 07714555 - Managing potential malware detections".

Some Malware detections have file locations and some do not. Those that did not have a file location, still noted that they found specific files, both potential malware and encryption. In both cases, it would be beneficial to have the file location visible in the VBR UI. In their current state they don't provide significant value except to provide notification. At that point it could be searching the entire machine's file structure for the potential issue myself.

I used Veeam's malware detection powershell scripts to investigate, but it would be MUCH more efficient for the detection to include the location of the issue it detected in the VBR UI. It seems some detections do this, but not all. Response time is everything, even coming out of a detection on backup.


Malware Detections I've experienced:
---------------------------------------------
- "Suspicious files can be found on the backup server..." related to known ransomware - This had file locations and was easy to provide a response. In my case a legacy application used the same file types, so no issue.
- "Potential malware activity detected" - This one identified an Onion link on a linux machine, but did not list the file location. - This was a non-issue as well.
- "Potential malware activity detected" - This one did not list any file locations when it identified potential encryption. - This was a non-issue as well.

[Mildur]

Hi tcathey

Thank you for your feedback. I'll share it with the team.

Some Malware detections have file locations and some do not.

For "Encrypted Data Events," we can’t display a path because the backup job only identifies which blocks contain encrypted data, not the exact file path.
We do have a tool you can run after the backup job to detect which folder path is affected, but running this during the backup would increase job duration.

In both cases, it would be beneficial to have the file location visible in the VBR UI.

If, for example, something suspicious is detected in 100,000 files, displaying all of these in the backup console wouldn’t be very practical. While I agree there’s room to optimize how some Malware Events are shown, I don’t think adding thousands of entries to a malware event in the current UI would be effective. But we can think about better solutions to retrieve the entire log file which contains a list of all the files and folders.

Best,
Fabian

[tcathey]

I used the tool you mentioned to pull the information, it was useful. I hear you about the amount of data that you may pull if you run the tool behind the scenes and overloading the UI, that wouldn't be practical either. I like the idea of populating the UI with a link to the log file. That seems like a win-win for everyone.