BackItUp2020
Enthusiast

"Baseline" file paths for Malware Scans / Exclusions - Temporary Solution

Post by BackItUp2020 »

While this isn't a great solution and I'm sure this feature will be refined over time, I had to do something to stop having alerts every time I do backups/inline malware analysis that sets off our CS team.

It would be great to have a "baseline" feature so that everything scanned at the time of the malware detection enablement is considered safe. Or something along those lines.

My "fix":
This can definitely be refined much more and automated even more, but what I do is have the script search the log file of "detected" malware, and then export it to a txt file with some modifications so that I just copy and paste it into the XML I then use to re-import it back into the exclusion list. Get it? :) (Yes, that whole copy and paste part could be scripted as well).

Janky? Probably. Helpful? Yeah. After some time I can stop doing this and monitor for any changes or tweak as needed.

Requirement: Export the XML exception list that you have so you have a baseline XML to work with.

# Define the input file and output file
$inputFilePath  = "C:\Setup\PSScripts\suspicious.log"     # Path to your input file
$outputFilePath = "C:\Setup\PSScripts\suspiciousXml.txt"  # Path to the output file

# Regex: the text after "<prefix>:<uuid>:" is captured in group 1 as the file path
$pattern = '(?<=\b[a-zA-Z0-9\-]+:\w+-\w+-\w+-\w+-\w+):(.+)'

# Read the content of the input file (stop if the log is missing)
$content = Get-Content -Path $inputFilePath -ErrorAction Stop

# Initialize an array to hold formatted paths
$formattedPaths = @()

# Use regex to match and extract the file path after the UUID
$content | ForEach-Object {
    if ($_ -match $pattern) {
        # The file path is captured in the first group of the match (.+)
        $filePath = $matches[1].Trim()
        Write-Host $filePath   # echo each matched path to the console

        # Format the file path in the required XML-like structure
        $formattedPaths += " <Item Type=""Absolute"">$filePath</Item>"
    }
}

# Write the formatted paths to the output file
$formattedPaths | Set-Content -Path $outputFilePath

# Optional: Output to the console for confirmation
Write-Host "Formatted file paths have been saved to: $outputFilePath"
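The copy-and-paste step the post leaves manual can be scripted; the block below is an added example, not the poster's script, that reuses the same regex but merges the paths into the exported exclusion XML through an XML parser, so characters such as "&" in a path are escaped and a daily re-run adds no duplicates. It assumes log lines shaped like "<host>:<uuid>:<path>" and that the export keeps its <Item Type="Absolute"> entries under a node reachable by the $ContainerXPath parameter (default '/Exclusions', to be checked against your own export); the sample log lines and XML are constructed.

```powershell
# Added example (not the original poster's script): parse the suspicious-files log
# and merge the paths into the exported exclusion XML with an XML parser instead of
# building <Item> strings by hand. Log layout and container node are assumptions.
function Merge-SuspiciousPaths {
    param(
        [string[]]$LogLines,
        [xml]$Doc,
        [string]$ContainerXPath = '/Exclusions'   # assumption; check your export
    )
    # The author's pattern: everything after "<prefix>:<uuid>:" is the file path
    $pattern = '(?<=\b[a-zA-Z0-9\-]+:\w+-\w+-\w+-\w+-\w+):(.+)'
    $paths = $LogLines |
        ForEach-Object { if ($_ -match $pattern) { $Matches[1].Trim() } } |
        Sort-Object -Unique                        # case-insensitive, like NTFS

    $container = $Doc.SelectSingleNode($ContainerXPath)
    if (-not $container) { throw "No node at '$ContainerXPath' in the exclusion XML" }

    # Index what is already excluded so the script is safe to re-run every day
    $known = @{}
    foreach ($item in $container.SelectNodes('Item')) { $known[$item.InnerText.ToLower()] = $true }

    $added = 0
    foreach ($p in $paths) {
        if ($known.ContainsKey($p.ToLower())) { continue }
        $item = $Doc.CreateElement('Item')
        $item.SetAttribute('Type', 'Absolute')
        $item.InnerText = $p                       # InnerText XML-escapes &, <, > for us
        [void]$container.AppendChild($item)
        $known[$p.ToLower()] = $true
        $added++
    }
    return $added
}

# Constructed sample input (not real log data) so the example runs offline
$sampleLog = @(
    'VM01:12345678-aaaa-bbbb-cccc-1234567890ab:C:\Program Files\Vendor App\cache.onx',
    'VM01:12345678-aaaa-bbbb-cccc-1234567890ab:C:\Users\Public\Tools & Data\run.onx',
    'VM02:12345678-aaaa-bbbb-cccc-1234567890ab:c:\program files\vendor app\cache.onx',
    'VM02:12345678-aaaa-bbbb-cccc-1234567890ab:C:\Known\safe.onx'
)
[xml]$doc = '<Exclusions><Item Type="Absolute">C:\Known\safe.onx</Item></Exclusions>'

$added = Merge-SuspiciousPaths -LogLines $sampleLog -Doc $doc   # skips the case-duplicate and the known path
$doc.Save('C:\Setup\PSScripts\exclusions.merged.xml')              # keep the exported baseline untouched
Write-Host "Added $added new exclusion(s)"
```

Point $ExclusionXml-style input at your real export (Get-Content -Raw cast to [xml]) in place of the constructed string, and review the merged file before re-importing it.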
david.domask
Veeam Software

Re: "Baseline" file paths for Malware Scans / Exclusions - Temporary Solution

Post by david.domask »

Hi BackItUp2020,

Thank you for sharing your script solution here.

As for the issue itself:

> It would be great to have an "baseline" feature so that everything is scanned at the time of the malware enablement is considered safe. Or something along those lines.

Do I get it correctly your request is that on the initial scan, no machines are marked as infected, and any file types found are automatically considered "safe"?

I understand that enabling the Malware Detection feature resulted in quite a few alerts, but particularly with inline scan analysis, the triggers are pretty specific.

Since you mention the Suspicious Files XML, I'm guessing that it's the Guest Indexing scan that is triggering a lot of alerts, but I'm not quite getting the request for change on this element, so if you can elaborate on your request, it would be much appreciated.

I think that not flagging potential vulnerabilities, even on first scan, is not ideal; the scan is looking for pretty specific triggers/artifacts to determine if there is something suspicious to be investigated, so might be better if we can understand why these alerts are being triggered and how to better address them.
David Domask | Product Management: Principal Analyst
BackItUp2020
Enthusiast

Re: "Baseline" file paths for Malware Scans / Exclusions - Temporary Solution

Post by BackItUp2020 »

Hi David!

Sorry, I was a little excited when I posted and obviously had some incorrect labeling.

I am referring to the "Enable guest file system indexing and malware detection" that utilizes the settings from the Malware Detection > File Detection > File system activity analysis settings.

Yes, you are correct. If there was a way to make the first run (or first week of runs?) be used to create a baseline and mark anything found as "safe", that would be helpful, at least for us. If it were machine-specific, that would be even better!

For example, we have a lot of 3rd party applications that use .onx file extension. I don't want to blanket ignore the .onx extension, so my script at least narrows it down a bit to the specific paths of those files and excludes them.

Right now, I have thousands of exclusions for files because I do find value in finding onx files, but I don't want to be alerted on the safe ones or have to mark the backups as "clean" every day.
Dima P.
Product Manager

Re: "Baseline" file paths for Malware Scans / Exclusions - Temporary Solution

Post by Dima P. »

Hello BackItUp2020,

Can you please share the list of the extensions that caused false positives in your environment? You can PM me directly or open a support case for that as we would love to review those false positives and tune the engine based on your feedback. Thank you!