Comprehensive data protection for all workloads
sheru
Novice
Posts: 7
Liked: 5 times
Joined: Oct 11, 2018 1:05 pm
Full Name: Shareej

Why is it so hard to find details of Malware Detections?

Post by sheru » 2 people like this post

Trying to figure out what exactly was detected by Veeam can be a complete puzzle. For example, I recently had an onion link detected on a virtual appliance, but there was no information about which file triggered the alert. After digging a bit, I found out the detection came from the Inline Entropy Scan. The relevant log file for that is located at: C:\ProgramData\Veeam\Backup\Svc.VeeamDataAnalyzer.log. But here's the kicker: that log doesn’t actually provide detailed information about the file or path! Why? Because the scan happens at the block level while the data is in transit, so the system can’t pinpoint the actual file or its location. 😔

Then there's another log location for File System Analysis scans: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs. And for backup scans with Veeam Threat Hunter (Windows only), you'll find details under: C:\ProgramData\Veeam\Backup\FLRSessions\Windows\FLR__<machinename>_\Antivirus. This path is on the mount server. But again, this works only for Windows machines. Why is backup scanning not supported on Linux when FLR is available? That makes no sense. Will this improve in Veeam v13?

Now, imagine you've followed Veeam's own best practice and disabled RDP on your backup server. To review a detection, you now have to manually log into the backup server and each mount server to hunt down various logs just to understand what was flagged. Why can't we have an Inventory > Malware Detection or History > Malware Detection screen that shows all malware detection results and logs in one place?
Mildur
Product Manager
Posts: 10757
Liked: 2926 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Why is it so hard to find details of Malware Detections?

Post by Mildur » 2 people like this post

Hi Shareej,

Thank you for your honest feedback. We are aware that there is room for improvement in how our Malware Logs are presented to backup administrators. I hope that with the new Web UI in the future, we will be able to use different options for providing such logs.

For your two main questions:
1. You can use a script to list files and their path detected by our inline scan: https://www.veeam.com/kb4632
2. Veeam Threat Hunter for Linux will become available in V13.

Best,
Fabian
Product Management Analyst @ Veeam Software
sheru

Re: Why is it so hard to find details of Malware Detections?

Post by sheru »

Thank you for the reply. The provided resource is great for finding out which files were detected as encrypted. Do such tools exist for other types of malware detection (e.g. ransom notes)?
jan-bert
Novice
Posts: 3
Liked: never
Joined: Jul 25, 2012 12:09 pm
Full Name: Jan-Bert

Re: Why is it so hard to find details of Malware Detections?

Post by jan-bert »

Is there also a script for a Linux VM? The current script gives:

Start-VBRWindowsFileRestore : Failed to execute Windows File-Level Recovery from the specified restore point:
<Objectname>. Reason: Windows FLR is not supported for Virtual machines with Linux OS.
RexfordHaugen_COLT
Novice
Posts: 5
Liked: 1 time
Joined: Feb 15, 2023 7:37 am
Full Name: Rexford Haugen
Location: Colorado

Re: Why is it so hard to find details of Malware Detections?

Post by RexfordHaugen_COLT » 1 person likes this post

The way I solved this was to create a SureBackup job to scan all backups with the Veeam Threat Hunter and then a scheduled task to run a PowerShell script looking for the text "Threat found". The script is scheduled to run after the completion of the SureBackup process, though I currently do that through Task Scheduler and use an estimate for when it should be complete.

Code:

### Define Variables ###
$emailFrom = "$env:COMPUTERNAME <<Sender Address>>"
$emailTo = "<Destination Address>"
$emailSubject = "Veeam Threat Hunter Results - $(Get-Date -Format 'yyyy-MM-dd')"
$emailBody = "Veeam Threat Hunter Results:<br><br>"
$emailServer = "<SMTP Server Name>"
$emailPort = "25"

### Collect matching lines from log files ###
# Threat Hunter writes its logs under the FLRSessions folder on the mount server.
# Only logs modified in the last 7 days are searched for the "Threat found" marker.
$results = Get-ChildItem -Recurse -Path C:\ProgramData\Veeam\Backup\FLRSessions -Filter "Veeam_Threat_Hunter-*.log" |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Get-Content |
    Select-String -AllMatches "Threat found" |
    Select-Object @{ N = 'Detections'; E = { $_.Line } }

### Create email body ###
$emailBody += ($results | ConvertTo-Html -Property Detections -Fragment)

### Send email message ###
# -ErrorAction Stop turns an SMTP failure into a terminating error so the catch block runs.
try {
    Send-MailMessage -From $emailFrom -To $emailTo -Subject $emailSubject -Body $emailBody -BodyAsHtml -SmtpServer $emailServer -Port $emailPort -UseSsl -ErrorAction Stop
} catch {
    exit 1
}

### End of script ###
exit 0
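The following is an added example, not Veeam's code and not the script from the post above. It takes the same "grep the logs" approach but covers all three log locations named in the opening post (Threat Hunter logs under FLRSessions, the File System Analysis logs, and the inline-scan service log), keeps the file name and line number for every hit so the evidence stays traceable, and keeps running when a location does not exist on the host instead of aborting. Assumptions: the directory layout quoted in the thread; the match patterns other than "Threat found" are guesses to be adjusted to the real log wording; the script file name Get-VeeamDetections.ps1 is hypothetical; and the -Demo switch writes constructed sample logs to a temp folder so it can be tried offline.

```powershell
<#
  Added example: not Veeam's code and not the script posted above.
  Gathers malware-detection evidence from the three log locations named in
  this thread into one table and does not fail when a location is absent
  (a mount server has no Malware_Detection_Logs, for instance).
  ASSUMED: the directory layout quoted in the thread and every match pattern
  except 'Threat found'. -Demo writes CONSTRUCTED sample logs to a temp folder.
#>
param(
    [string]$Root = 'C:\ProgramData\Veeam\Backup',
    [int]$Days = 7,
    [switch]$Demo
)

function Get-DetectionLocations {
    param([string]$Root)
    @(
        [pscustomobject]@{ Name = 'Veeam Threat Hunter';  Recurse = $true
                           Path = Join-Path $Root 'FLRSessions'
                           Filter = 'Veeam_Threat_Hunter-*.log'
                           Pattern = 'Threat found' }        # marker the posted script greps for
        [pscustomobject]@{ Name = 'File System Analysis';  Recurse = $true
                           Path = Join-Path $Root 'Malware_Detection_Logs'
                           Filter = '*.log'
                           Pattern = 'suspicious|infected' }  # assumed wording
        [pscustomobject]@{ Name = 'Inline Entropy Scan';   Recurse = $false
                           Path = $Root
                           Filter = 'Svc.VeeamDataAnalyzer.log'
                           Pattern = 'suspicious|infected' }  # assumed; block-level scan, no file names here
    )
}

function Get-VeeamDetectionReport {
    param([string]$Root, [int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    $hits = foreach ($loc in (Get-DetectionLocations -Root $Root)) {
        # Absent directory: warn and continue instead of throwing, so a host
        # without a given scan type does not abort the whole collection run.
        if (-not (Test-Path -LiteralPath $loc.Path -PathType Container)) {
            Write-Warning "$($loc.Name): $($loc.Path) not present on $env:COMPUTERNAME"
            continue
        }
        $recurse = [bool]$loc.Recurse
        $files = Get-ChildItem -LiteralPath $loc.Path -File -Filter $loc.Filter -Recurse:$recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since }
        foreach ($f in $files) {
            # Select-String keeps file name and line number, so each hit stays traceable to its evidence.
            Select-String -LiteralPath $f.FullName -Pattern $loc.Pattern | ForEach-Object {
                [pscustomobject]@{
                    Host     = $env:COMPUTERNAME
                    Source   = $loc.Name
                    LogFile  = $f.FullName
                    Modified = $f.LastWriteTime
                    Line     = $_.LineNumber
                    Text     = $_.Line.Trim()
                }
            }
        }
    }
    $hits | Sort-Object Modified -Descending
}

function New-SampleLogs {
    # CONSTRUCTED sample logs (not real Veeam output) for an offline run.
    # Only the Threat Hunter folder is created, on purpose, so the
    # missing-directory path is exercised as well.
    $tmp = Join-Path ([IO.Path]::GetTempPath()) ('veeam-demo-' + [guid]::NewGuid().ToString('N'))
    $flr = Join-Path $tmp 'FLRSessions\Windows\FLR__srv01_\Antivirus'
    New-Item -ItemType Directory -Path $flr -Force | Out-Null
    @(
        '[05.08.2025 02:10:11] Info  Scan started'
        '[05.08.2025 02:10:12] Info  Threat found: C:\Users\bob\Downloads\invoice.pdf.exe'
        '[05.08.2025 02:10:13] Info  Scan completed, 1 threat(s)'
    ) | Set-Content -LiteralPath (Join-Path $flr 'Veeam_Threat_Hunter-srv01.log')
    return $tmp
}

if ($Demo) { $Root = New-SampleLogs }

$report = @(Get-VeeamDetectionReport -Root $Root -Days $Days)
Write-Host "$($report.Count) detection line(s) in the last $Days day(s) under $Root on $env:COMPUTERNAME"
if ($report.Count -gt 0) {
    # Machine-readable copy to hand to the security team together with the log files it references.
    $csv = Join-Path ([IO.Path]::GetTempPath()) "veeam-detections-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv"
    $report | Export-Csv -LiteralPath $csv -NoTypeInformation
    Write-Host "CSV written to $csv"
}
$report   # emitted as objects so the output can be piped, including over PowerShell remoting
```

Run it with -Demo to see one Threat Hunter hit plus a warning for the absent Malware_Detection_Logs folder. Because the results come back as objects with a Host column, the same file can be pushed to the backup server and each mount server from an admin workstation without RDP, assuming PowerShell remoting is enabled for an account that can read C:\ProgramData\Veeam\Backup: Invoke-Command -ComputerName vbr01, mount01 -FilePath .\Get-VeeamDetections.ps1 | Export-Csv detections.csv -NoTypeInformation.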
sherzig
Veeam Software
Posts: 214
Liked: 53 times
Joined: Dec 05, 2018 2:44 pm

Re: Why is it so hard to find details of Malware Detections?

Post by sherzig » 1 person likes this post

This script may be helpful. If so, I will post a fix for it soon, as an error is currently displayed if the directories do not exist.

https://github.com/yetanothermightytool ... ction-logs

Cheers,
Steve
sheru

Re: Why is it so hard to find details of Malware Detections?

Post by sheru »

Thank you @RexfordHaugen_COLT,

I hope Veeam would add this as a builtin feature.
tenjaminbanner
Novice
Posts: 3
Liked: never
Joined: Jul 23, 2025 4:56 pm
Full Name: Benjamin Tanner

Re: Why is it so hard to find details of Malware Detections?

Post by tenjaminbanner »

I turned all the malware features off, as they're not worth the trouble. Seems like this was an afterthought feature created in order to check the box.

Veeam, be better please.
richardbradley
Service Provider
Posts: 36
Liked: 4 times
Joined: Dec 06, 2021 11:31 pm
Full Name: Richard Bradley

Re: Why is it so hard to find details of Malware Detections?

Post by richardbradley »

Hi Veeam R&D,
I am in complete agreement with this. As a VCSP partner with VSPC we have access to other alerts, but this doesn't help either.
We have tested everything we can with VBR, VONE and VSPC and cannot get any useful information on this.
Our only option is to have backup staff review a job alert and, where Threat Hunter finds something, grab the log via the console or the above PS script and then pass it on to the security team with the relevant logs. Additionally, for clients on premise, they would really only have the option to access the console on the VBR server itself via the job statistics button to see the logs.

This is slow and clumsy, not user friendly and defeats all of Veeam's security and compliance changes to restrict access to the VBR server itself.
This really needs a better solution sooner!
Thanks again
sheru

Re: Why is it so hard to find details of Malware Detections?

Post by sheru »

sherzig wrote: Aug 05, 2025 10:56 am This script may be helpful. If so, I will post a fix for it soon, as an error is currently displayed if the directories do not exist.

https://github.com/yetanothermightytool ... ction-logs

Cheers,
Steve
This is immensely helpful when there is anything in the Malware Detection or FLR logs. Instead of manually searching through multiple log files, this script gives one report with all the detections in the past X days with all relevant information. Great tool, thank you 🙏.

What is lacking, from Veeam's side, is that for some detections (in my case, it was reported as "infected", not suspicious) no files are reported. We did a backup scan, nothing found! I even opened a support case for the same (Case # 07779712); they also didn't find any trace of what was detected. It was finally marked as clean and the case closed, but there is still no clue why there was a detection in the first place!
sherzig

Re: Why is it so hard to find details of Malware Detections?

Post by sherzig » 1 person likes this post

Hi @sheru

It is difficult to determine from a distance which method marked the restore point as infected. Under this link, you will find a table showing which malware detection method marks the restore points as suspicious or infected.
https://helpcenter.veeam.com/docs/backu ... thods.html

As you can see, signature-based detection (Veeam Threat Hunter), third-party AV scans, or YARA scans mark the restore points as infected. These processes are triggered manually (scan, secure restore) or via SureBackup. And don't forget our Veeam Incident API. Manual marking is also possible. https://helpcenter.veeam.com/docs/backu ... tatus.html

You may then be able to narrow down the search for the culprit, because some process must have found something.
https://helpcenter.veeam.com/docs/backu ... vents.html

Cheers,
Steve