OMW72
Enthusiast
Posts: 45
Liked: 4 times
Joined: Nov 16, 2022 2:18 pm

Malware Detection Settings

Post by OMW72 »

Hi guys,
hope you're well.
We have the following behaviour in our production environment.
The following path has been added in the trusted objects within the configured file mask part of the malware detection.

C:\VeeamFLR\v-epa-db1_f02a103a\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK

Now it happens frequently that only the ID after the VM name changes, therefore the detection triggers an alarm.
For this example from C:\VeeamFLR\v-epa-db1_f02a103a\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK to C:\VeeamFLR\v-epa-db1_9141dd11\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK

For us it is not clear why the ID is changing from time to time.
Maybe you can help us out?

With kind regards
Oliver
rcocate
Novice
Posts: 4
Liked: never
Joined: Jul 26, 2024 2:11 pm
Full Name: Rodrigo Cocate

Re: Malware Detection Settings

Post by rcocate »

Hi Oliver,

This ID change behavior seems to be related to the Veeam Analyzer service restarting daily and simultaneously starting the backup scan task on the mount server. Therefore, each session needs to be unique to facilitate information tracking.
In this case, the exception you applied could be considered the server's original path, or something like " *FLASHBACK " or part of the path "/PEG1/FLASHBACK" (if it's a Windows server, simply invert the \ ).
Another option would be to create a custom .xml file with the exceptions. You can see how to create it at the URL below, as well as understand how the other exception options can be configured.

https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best regards,
Rodrigo
OMW72
Enthusiast
Posts: 45
Liked: 4 times
Joined: Nov 16, 2022 2:18 pm

Re: Malware Detection Settings

Post by OMW72 »

Hi Rodrigo,
Thanks for your quick response in this matter.
Just for clarification: as far as this scenario happens ("Veeam Analyzer service restarting daily and simultaneously starting the backup scan"), the ID 9141dd11 is changing into another one and we are getting a malware alarm, correct?
We have only trusted objects for Windows systems, that means we have the opportunity to invert the \ . For me it is not clear what I have to do.
Maybe you can send me, based on that path: C:\VeeamFLR\v-epa-db1_f02a103a\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK\ the adjustment that I have to do.
Thanks in advance.

Oliver
OMW72
Enthusiast
Posts: 45
Liked: 4 times
Joined: Nov 16, 2022 2:18 pm

Re: Malware Detection Settings

Post by OMW72 »

Hi Rodrigo,
Any news on this?

Regards,
Oliver
sherzig
Veeam Software
Posts: 225
Liked: 54 times
Joined: Dec 05, 2018 2:44 pm

Re: Malware Detection Settings

Post by sherzig »

Hi @OMW72

The ID in the C:\VeeamFLR\<hostname>_<ID> folder is automatically generated by Veeam for each file-level restore session (also used by the scan process) to identify and separate different restore operations uniquely.

According to Veeam KB1999 https://www.veeam.com/kb1999, the C:\VeeamFLR path is generally recommended for exclusion from antivirus scans. However, please note that, in some cases, excluding this folder can prevent on-demand malware scans from functioning correctly, since some antivirus solutions will not scan excluded folders even when requested. Review your antivirus settings and the article’s notes to ensure compatibility with your security requirements.

Cheers,
Steve
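
An added example, not written by any poster in this thread and not Veeam code: it splits a C:\VeeamFLR mount path into host, session ID and guest-relative path, so that two paths from different restore sessions can be compared without the per-session ID. It assumes the folder layout and the 8-hex-character ID seen in the two paths quoted above; it does not describe how Veeam itself evaluates trusted objects.

```python
import re
from pathlib import PureWindowsPath

MOUNT_ROOT = PureWindowsPath(r"C:\VeeamFLR")
# Assumption: first folder under the mount root is "<hostname>_<8 hex chars>",
# inferred from the two sample paths in this thread.
SESSION_DIR = re.compile(r"^(?P<host>.+)_(?P<sid>[0-9a-fA-F]{8})$")


def split_flr_path(path):
    """Return (host, session_id, guest_relative_path), or None if the
    path is not below C:\\VeeamFLR\\<hostname>_<ID>."""
    p = PureWindowsPath(path)
    try:
        rel = p.relative_to(MOUNT_ROOT)
    except ValueError:
        return None  # not under the FLR mount root
    if not rel.parts:
        return None  # the mount root itself
    m = SESSION_DIR.match(rel.parts[0])
    if m is None:
        return None  # folder name does not carry a session ID
    return m["host"], m["sid"].lower(), PureWindowsPath(*rel.parts[1:])


def same_guest_object(a, b):
    """True when both paths point at the same host and guest-relative
    path, regardless of which restore session mounted them."""
    pa, pb = split_flr_path(a), split_flr_path(b)
    if pa is None or pb is None:
        return False
    # PureWindowsPath compares case-insensitively, like NTFS paths.
    return (pa[0].lower(), pa[2]) == (pb[0].lower(), pb[2])


if __name__ == "__main__":
    # The two paths quoted in the first post of this thread.
    old = r"C:\VeeamFLR\v-epa-db1_f02a103a\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK"
    new = r"C:\VeeamFLR\v-epa-db1_9141dd11\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK"
    print("exact string match:", old == new)
    print("same guest object: ", same_guest_object(old, new))
    print("parsed:", split_flr_path(new))
```

An exact comparison of the two quoted paths fails because only the session ID differs, while the session-independent comparison treats them as the same object.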
OMW72
Enthusiast
Posts: 45
Liked: 4 times
Joined: Nov 16, 2022 2:18 pm

Re: Malware Detection Settings

Post by OMW72 »

Hi Steve,
thanks for your explanation in this matter.
To be honest, I'm a little bit confused, because in this case we are adding the path in the trusted objects section; in the section suspicious file we have only the extension *.onion.
In my opinion the function should be that the malware detection only triggers an alarm if an extension *.onion has been recognized during the scan of a VM, correct?
In addition we added a lot of paths into the section trusted objects. That means that these paths are excluded from the scan, correct?
Finally we should only get a malware detection if the scan finds the *.onion.

In addition we activated the option "inline entropy analysis"; the sensitivity is set to normal. Is this option responsible for the malware detection alert --> Status suspicion --> Type encrypted data?
The filter trusted objects that we can use in the part file detection is not active for the "inline entropy analysis" option, isn't it?

regards,
Oliver
sherzig
Veeam Software
Posts: 225
Liked: 54 times
Joined: Dec 05, 2018 2:44 pm

Re: Malware Detection Settings

Post by sherzig »

Hi Olivier

I think things are getting mixed up here. As discussed, the Scan Backup mounts the restore points in the C:\VeeamFLR directory.
https://helpcenter.veeam.com/docs/backu ... ackup.html

The exclusions you mentioned are not applied at all using the Scan Backup function. These come into play during the Guest Indexing Data Scan. https://helpcenter.veeam.com/docs/backu ... files.html

At the beginning, you asked why the ID in C:\VeeamFLR changes. My question is, what functionality are you now talking about and what detection/product triggers an alarm?

Cheers,
Steve
OMW72
Enthusiast
Posts: 45
Liked: 4 times
Joined: Nov 16, 2022 2:18 pm

Re: Malware Detection Settings

Post by OMW72 »

Hi Steve,
yes, I agree things get mixed up here.
The alarm is listed under malware events:
Name: v-epa-db1
Event created: 31.10.2025
Status: Suspicions
Activity date: 31.10.2025.21:01
Details: potential malware activity detected

We executed the KB4643 to get more information.

We are using the following functionality within the Malware Detection settings:
Encryption detection
File detection

Which of them triggers the potential malware activity detected alarm?

regards
Oliver
sherzig
Veeam Software
Posts: 225
Liked: 54 times
Joined: Dec 05, 2018 2:44 pm

Re: Malware Detection Settings

Post by sherzig »

Hi Olivier,

The KB article mentioned does not make sense in this context. Please check this table to see what triggers your events: https://helpcenter.veeam.com/docs/backu ... thods.html.

Encryption detection is handled by the inline scan, which happens during backup: https://helpcenter.veeam.com/docs/backu ... ml?ver=120

If it is still unclear, please contact your local Veeam SE or partner to analyze the issues in more detail.

Steve