Hi guys,
Running Microsoft's Hafnium compromise test on our Exchange server picks up Veeam Agent's .zip files in ProgramData as 'SuspiciousArchive', which apparently is a sign of Hafnium compromise (zip, rar and 7z files under ProgramData):
https://github.com/microsoft/CSS-Exchan ... /README.md
I realise this is Microsoft's issue, but I just thought I would mention it.
Reply from Max (VeeaMVP):
Re: Microsoft Hafnium Test Picks Up Veeam Agent As False Positive
This isn't a false positive by definition. As you say, the script looks for any archives in the ProgramData folder, because it could be a sign of data export. On the other hand, there are many other products which create archives there, so you wouldn't be able to filter out good and bad archives via script. This is always a manual task.
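Since the decision is manual, what helps is a listing that gives the reviewer the context to make it quickly. The PowerShell below is an added example for this thread; it is neither Microsoft's check nor Veeam's code. It enumerates the archive types the Microsoft script flags (zip, rar, 7z) under ProgramData and annotates each file with its top-level product folder, size, timestamps and owner, marking the ones whose folder is on a reviewer-maintained allowlist. The allowlist value `Veeam` and the `RecentDays` threshold are assumptions for illustration; the real folder names of your products should be confirmed on your own server.

```powershell
# Added triage helper; not Microsoft's check and not Veeam's code. It enumerates the
# archive types Microsoft's script flags (zip, rar, 7z) under ProgramData and adds the
# context a reviewer needs to decide manually which ones belong to a known product.
function Get-ProgramDataArchiveReport {
    [CmdletBinding()]
    param(
        # Root to scan; defaults to this machine's ProgramData.
        [string]$Root = $env:ProgramData,

        # Top-level ProgramData folders expected to hold archives. ASSUMED example value;
        # confirm the real folder names of your own products before relying on them.
        [string[]]$KnownProductFolders = @('Veeam'),

        # Archives created within this many days are highlighted for closer review.
        [int]$RecentDays = 14
    )

    $rootPath   = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $extensions = @('.zip', '.rar', '.7z')
    $cutoff     = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)

    $archives = Get-ChildItem -LiteralPath $rootPath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $extensions }

    foreach ($file in $archives) {
        $relative  = $file.FullName.Substring($rootPath.Length).TrimStart('\')
        $topFolder = ($relative -split '\\')[0]

        # Owner helps separate archives written by a service account from ones written interactively.
        $owner = 'n/a'
        try { $owner = (Get-Acl -LiteralPath $file.FullName).Owner } catch { }

        [pscustomobject]@{
            Path         = $file.FullName
            TopFolder    = $topFolder
            SizeMB       = [math]::Round($file.Length / 1MB, 2)
            CreatedUtc   = $file.CreationTimeUtc
            LastWriteUtc = $file.LastWriteTimeUtc
            Owner        = $owner
            KnownProduct = ($topFolder -in $KnownProductFolders)
            Recent       = ($file.CreationTimeUtc -gt $cutoff)
        }
    }
}

# Usage: archives from unknown folders first, newest first, then a CSV for the review record.
$report = Get-ProgramDataArchiveReport
$report |
    Sort-Object KnownProduct, @{ Expression = 'CreatedUtc'; Descending = $true } |
    Format-Table TopFolder, SizeMB, CreatedUtc, Owner, KnownProduct, Recent, Path -AutoSize
$report | Export-Csv -LiteralPath '.\programdata-archives.csv' -NoTypeInformation
```

A `KnownProduct` mark only says the archive sits where an installed product is expected to write; the reviewer should still check that its timestamps match that product's schedule and that the owner is the product's service account before closing the finding. Anything outside a known folder, or recent and owned by an interactive user, is what to look at first.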
Reply from Dmitry Popov (Product Manager):
Re: Microsoft Hafnium Test Picks Up Veeam Agent As False Positive
Hello Alex,
For most AV vendors we usually submit our files as soon as we receive a false positive detection, but, as Max stated, there is nothing we can do about rules that target file extensions. Cheers!