Feature request: Improve default malware detection exclusions

Post by **iDeNt_5** » Jul 18, 2025 4:19 pm this post

Case reference 07751303

Hi all,

As requested by the Veeam Support Team, I created a new feature request aimed to improve the Malware Detection default exclusions of the VBR.

As explained in this support case, the VBR malware detection marks as infected the following component of the VBO v8 (latest version) server:
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Veeam.Backup.Interaction.Explorer

Since this is a default embedded component of the VBO, it should not required to manually create a specific exclusion on the Malware Detection component of the VBR.

Thanks.

Jul 21, 2025 10:04 am

Hi iDeNt_5,

Thanks for sharing the case number. I was able to reproduce, and it's not really about the component, it's about the .Explorer part of the name which is being parsed as an extension, which is a real extension used by the Explorer ransomware, so a case of unfortunate naming + match.

Agree though that it should be handled better. Will discuss internally best way to handle, but for now please continue using the exclusion.

Jul 28, 2025 7:56 am

Quick update, we will be resolving this through an update for the Malware Definitions XML, and the false-positive should stop appearing soon. Thanks again for the report!

Jul 28, 2025 8:16 am

Hi David,

Thank you so much for the update, really appreciated!

Post by **admcomputing** » Oct 16, 2025 6:47 am this post

We are now seeing the below malware detections on a number of our internal Veeam servers which appears to have started since we upgrade to VSCP v9

Potential malware activity detected:
*.loki

c:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\netcore,Serilog.Sinks.Grafana.Loki

Assuming its related, how long will it take for a global exclusion to be pushed out?

Post by **david.domask** » Oct 16, 2025 8:21 am this post

Ah, looks like it's an unfortunate coincidence in this case, as that is from a legitimate .NET package and it's matching on the .Loki element.

The changes to exclusions usually are pushed out in < 24 hours if we make changes to the XML

Will discuss internally on handling this one.

Post by **david.domask** » Oct 29, 2025 8:59 am this post

As a follow up, an updated XML was pushed out to accommodate this false-positive. Thanks for reporting!

R&D Forums

Feature request: Improve default malware detection exclusions

Re: Feature request: Improve default malware detection exclusions

Re: Feature request: Improve default malware detection exclusions

Re: Feature request: Improve default malware detection exclusions

Re: Feature request: Improve default malware detection exclusions

Re: Feature request: Improve default malware detection exclusions

Re: Feature request: Improve default malware detection exclusions

Who is online