- Service Provider
- Posts: 457
- Liked: 87 times
- Joined: Jun 09, 2015 7:08 pm
- Full Name: JaySt
Full path to suspicious files found
What's the reason we're not seeing the file name and full path to the files marked as suspicious by the suspicious activity detection mechanism?
I'm seeing only a detection count per file extension, but that's pretty much it.
Veeam Certified Engineer
- Product Manager
- Posts: 14784
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Full path to suspicious files found
Hello Jay,
What type of event are you referring to (inline scan or index scan)? Thank you!
- Service Provider
- Posts: 457
- Liked: 87 times
- Joined: Jun 09, 2015 7:08 pm
- Full Name: JaySt
- Product Manager
- Posts: 14784
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Full path to suspicious files found
Understood, thank you! For the index scan you can check this log folder for more details; all the paths are displayed in the log: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs
[30.11.2023 08:56:51.997] <55> Warning (3) -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy (2).onion
[30.11.2023 08:56:51.997] <55> Warning (3) -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy - Copy.onion
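Since the console only shows a per-extension count, the practical step is to turn the log lines Dima quoted into the CSV the thread is asking for. The script below is an added example written for this page, not Veeam code and not from any poster. It assumes, from the two quoted lines alone, that each detection line has the layout `[timestamp] <thread> Level (n) -_-:<GUID>:<directory>:<file name>`, that the GUID is the restore point ID the console events refer to, and that the files in the log folder match `*.log`; none of that is documented on the page. The sample text is constructed: the first two lines mirror the quoted ones, the others are made up to exercise the parser.

```python
import csv
import io
import re
from collections import Counter
from pathlib import Path, PureWindowsPath

# Constructed sample in the shape of the two lines quoted from
# C:\ProgramData\Veeam\Backup\Malware_Detection_Logs. The third line and the
# trailing Info line are invented to exercise the parser; nothing here was
# copied from a real server.
SAMPLE_LOG = r"""
[30.11.2023 08:56:51.997] <55> Warning (3) -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy (2).onion
[30.11.2023 08:56:51.997] <55> Warning (3) -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy - Copy.onion
[30.11.2023 08:56:52.101] <55> Warning (3) -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Users\Public\Documents:README_TO_DECRYPT.txt
[30.11.2023 08:56:52.250] <55> Info Index scan finished
"""

# Assumed line layout (inferred from the quoted lines, not documented by Veeam):
#   [dd.MM.yyyy HH:mm:ss.fff] <thread> Level (n) -_-:<GUID>:<directory>:<file name>
# The GUID is assumed to be the restore point ID that the console events refer to.
LINE_RE = re.compile(
    r"^\[(?P<timestamp>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\] "
    r"<(?P<thread>\d+)> (?P<level>\w+) \((?P<code>\d+)\) "
    r"-_-:(?P<rp_id>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}):(?P<rest>.+)$"
)

FIELDS = ["timestamp", "restore_point_id", "level", "directory", "file_name", "extension", "path"]


def parse_line(line):
    """Return one record for a detection line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rest = m["rest"]
    # NTFS forbids ':' inside a plain file name, so the last colon separates the
    # directory from the file name; the only other colon is the drive letter's.
    directory, sep, name = rest.rpartition(":")
    if sep and not re.fullmatch(r"[A-Za-z]", directory):
        path = PureWindowsPath(directory) / name
    else:  # no "<directory>:" part present, treat the remainder as one path
        path = PureWindowsPath(rest)
        directory, name = str(path.parent), path.name
    return {
        "timestamp": m["timestamp"],
        "restore_point_id": m["rp_id"].lower(),
        "level": m["level"],
        "directory": directory,
        "file_name": name,
        "extension": path.suffix.lower(),
        "path": str(path),
    }


def parse_log(text):
    """All detection records in a log text, in file order."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def extension_summary(records):
    """The per-extension count the console shows, rebuilt from the full records."""
    return Counter(rec["extension"] for rec in records)


def to_csv(records):
    """One CSV row per suspicious file, full path included."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    # On a backup server read every file in the log folder (the *.log pattern is
    # an assumption); anywhere else fall back to the constructed sample.
    log_dir = Path(r"C:\ProgramData\Veeam\Backup\Malware_Detection_Logs")
    texts = [p.read_text(encoding="utf-8", errors="replace") for p in sorted(log_dir.glob("*.log"))]
    records = parse_log("\n".join(texts) if texts else SAMPLE_LOG)
    for ext, count in extension_summary(records).most_common():
        print(f"{count:6d}  {ext or '(no extension)'}")
    Path("malware_detections.csv").write_text(to_csv(records), encoding="utf-8")
    print(f"{len(records)} paths written to malware_detections.csv")
```

Run it on the backup server and open `malware_detections.csv` next to the console warning: the restore point column is what lets you tie a row back to the event in the console, provided the GUID really is the restore point ID (an assumption here). Lines that do not fit the assumed layout are skipped rather than guessed at, so check the skipped count against the file if the totals look low.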
- Chief Product Officer
- Posts: 31964
- Liked: 7435 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: Full path to suspicious files found
The reason is that we can't put this data in the configuration database, as it would bloat it instantly.
@Dima P. but do we refer users to the log file in the event? We should.
- Product Manager
- Posts: 14784
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Full path to suspicious files found
Currently there is no reference to the log location. We have an idea to create a dedicated CSV report which will contain all details related to recent malware discoveries (similar to skipped files in NAS backup).
- Service Provider
- Posts: 457
- Liked: 87 times
- Joined: Jun 09, 2015 7:08 pm
- Full Name: JaySt
Re: Full path to suspicious files found
Yes, that's a pretty good reason.
Good stuff! Looking forward to some better visibility/accessibility one way or another. A .csv report sounds great.
Veeam Certified Engineer
- Service Provider
- Posts: 34
- Liked: 3 times
- Joined: Apr 16, 2023 6:16 pm
Re: Full path to suspicious files found
Maybe it is possible to create a Windows event log entry that can be monitored. It should include the job name and the file with its file path.
- Product Manager
- Posts: 14784
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Full path to suspicious files found
ReKe,
Windows events are already created: every malware event you get is automagically recorded to the Windows event log (and can also be forwarded to any syslog server). Listing all the file names in a single event could easily make the UI unreadable and unusable (imagine the entire machine was encrypted and every single file on the file system had to be listed in the UI / log or event); a dedicated CSV report saves you from this trouble but still makes an investigation easy. Thanks!
- Service Provider
- Posts: 311
- Liked: 47 times
- Joined: Jun 30, 2015 9:13 am
- Full Name: Stephan Lang
- Location: Austria
Re: Full path to suspicious files found
I've also got warnings about "Potential malware activity detected" but I don't have this log folder... tried to find something in the logs from the VM but also found nothing there...

Dima P. wrote: ↑Dec 07, 2023 10:51 am
Understood, thank you! For the index scan you can check this log folder for more details; all the paths are displayed in the log: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs
[30.11.2023 08:56:51.997] <55> Warning (3) -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy (2).onion
[30.11.2023 08:56:51.997] <55> Warning (3) -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy - Copy.onion

Event log: if it should be in the (new??) "Veeam Backup" log, that was only 1 MB in size and it has been instantly overwritten with "Veeam MP" messages...
- Product Manager
- Posts: 14784
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Full path to suspicious files found
Hello DaStivi,
Can you share the text of the event from the Veeam B&R console? Likely it's an inline detection, which detects the presence of encrypted data, ransomware notes or onion links.
The events have the following numbers under the Veeam hive in the Windows Event Viewer (see below); the full list is here: User Guide for VMware vSphere > Veeam Backup & Replication > Events > Security
41600  Malware activity detected         Potential malware activity <Activity name> has been detected for <Restore point ID> <Machine name> by <User name>. Rule name: <Rule name>.
41610  Malware detection event resolved  Malware detection event has been resolved for <Restore point ID> by <User name>. False positive: <State>.
42200  Malware detection session started Malware detection session has been started.
42210  Malware detection session finished Malware detection session has been finished with <State>.
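Because the events above carry the restore point ID but not the file list, a monitoring hook only needs to keep per-restore-point state: a 41600 opens a case, a later 41610 closes it as confirmed or as a false positive, and the session events are noise for this purpose. The code below is an added example for this page, not Veeam's and not from any poster. It assumes the rendered message text follows the templates listed above word for word with the placeholders filled in; the activity names, rule names, machine names and user names in the sample events are made up, only the event IDs and message shapes come from the list above. Feed it `(Id, Message)` pairs exported from whichever Windows log the events land in on your server.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: the rendered event text matches the templates listed above with the
# <placeholders> filled in. Veeam's real rendering may differ; adjust the patterns.
DETECTED_RE = re.compile(
    r"^Potential malware activity (?P<activity>.+?) has been detected for "
    r"(?P<rp_id>[0-9a-fA-F-]{36}) (?P<machine>.+?) by (?P<user>.+?)\. "
    r"Rule name: (?P<rule>.+?)\.$"
)
RESOLVED_RE = re.compile(
    r"^Malware detection event has been resolved for (?P<rp_id>[0-9a-fA-F-]{36}) "
    r"by (?P<user>.+?)\. False positive: (?P<state>True|False)\.$"
)

# Constructed events in chronological order. Activity, rule, machine and user
# values are invented; only the IDs and the message shapes come from the event list.
SAMPLE_EVENTS = [
    (42200, "Malware detection session has been started."),
    (41600, "Potential malware activity Encrypted data has been detected for "
            "c7f43dde-ce3e-42c1-9dc7-c830923a4fa1 Server01 by SYSTEM. Rule name: Inline scan."),
    (41600, "Potential malware activity Suspicious files has been detected for "
            "9b4c1a3e-2f0d-4e8a-8b77-0d2f6a1c5e90 FileSrv02 by SYSTEM. Rule name: Index scan."),
    (41610, "Malware detection event has been resolved for "
            "9b4c1a3e-2f0d-4e8a-8b77-0d2f6a1c5e90 by LAB\\jayst. False positive: True."),
    (42210, "Malware detection session has been finished with Warning."),
]


@dataclass
class Detection:
    restore_point_id: str
    machine: str
    activity: str
    rule: str
    detected_by: str
    status: str = "open"            # open | confirmed | false_positive
    resolved_by: Optional[str] = None


def triage(events: Iterable[Tuple[int, str]]) -> Dict[str, Detection]:
    """Fold a chronological stream of (event ID, message) pairs into one record per
    restore point. A 41600 opens the record; a later 41610 closes it as confirmed
    (False positive: False) or as a false positive (False positive: True). Session
    events 42200/42210, unparsable text and 41610s with no matching 41600 are ignored."""
    detections: Dict[str, Detection] = {}
    for event_id, message in events:
        if event_id == 41600:
            m = DETECTED_RE.match(message)
            if m:
                rp_id = m["rp_id"].lower()
                detections[rp_id] = Detection(rp_id, m["machine"], m["activity"], m["rule"], m["user"])
        elif event_id == 41610:
            m = RESOLVED_RE.match(message)
            if m and m["rp_id"].lower() in detections:
                d = detections[m["rp_id"].lower()]
                d.status = "false_positive" if m["state"] == "True" else "confirmed"
                d.resolved_by = m["user"]
    return detections


def open_detections(detections: Dict[str, Detection]) -> List[Detection]:
    """Detections nobody has resolved yet, i.e. what should page the on-call."""
    return [d for _, d in sorted(detections.items()) if d.status == "open"]


if __name__ == "__main__":
    for d in open_detections(triage(SAMPLE_EVENTS)):
        print(f"OPEN  {d.machine:<12} {d.activity:<18} rule={d.rule!r} rp={d.restore_point_id}")
```

The restore point ID is the only key that survives into the event, so it is also what you would join against the GUID in the Malware_Detection_Logs lines Dima quoted to get back to file paths (assuming that GUID is the restore point ID, which the page does not confirm). One caveat from Stephan Lang's report: if the log these events land in is only 1 MB and gets overwritten by other Veeam messages, enlarge it (`wevtutil sl "<log name>" /ms:<bytes>`) or forward it to syslog as Dima describes before relying on this kind of state tracking, otherwise the 41600 can be gone before the 41610 arrives.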