
Full path to suspicious files found

Post by JaySt »

What's the reason we're not seeing the filename and full path to the files marked as suspicious by the suspicious activity detection mechanism?
I'm seeing only a detection count of a file extension, but that's pretty much it.
Veeam Certified Engineer

Re: Full path to suspicious files found

Post by Dima P. »

Hello Jay,

What type of event are you referring to (inline scan or index scan)? Thank you!

Re: Full path to suspicious files found

Post by JaySt »

Index scan.
Veeam Certified Engineer

Re: Full path to suspicious files found

Post by Dima P. »

Understood, thank you! For index scan you can check this log folder for more details; all the paths are displayed in the log: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs

Code:

[30.11.2023 08:56:51.997]    <55> Warning (3)    -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy (2).onion
[30.11.2023 08:56:51.997]    <55> Warning (3)   -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy - Copy.onion
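As an added illustration (not code from this thread or from Veeam), the following Python script parses log lines in the format quoted above into a per-file CSV, the kind of report discussed later in the thread, and a per-extension count, which is what the UI shows. It assumes the field layout visible in the two sample lines, and that the segment after the last colon names the flagged object; both are assumptions read off the sample, not a documented format.

```python
import csv
import io
import os
import re
from collections import Counter

# Constructed sample: the two warning lines come from the thread, the third is an
# invented non-detection entry to show that unrelated lines are skipped.
SAMPLE_LOG = r"""[30.11.2023 08:56:51.997]    <55> Warning (3)    -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy (2).onion
[30.11.2023 08:56:51.997]    <55> Warning (3)   -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy - Copy.onion
[30.11.2023 08:57:02.113]    <55> Info (3)    Malware detection session has been finished
"""

# Assumed layout of a detection line: [timestamp] <thread> Level (n) -_-:<guid>:<location>
LINE_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+<(?P<thread>\d+)>\s+(?P<level>\w+)\s+\(\d+\)\s+"
    r"-_-:(?P<guid>[0-9a-fA-F-]{36}):(?P<location>.+)$"
)
# Assumption: location is a Windows path, optionally followed by ':' and a
# trailing segment (no ':' or '\') naming the flagged object.
LOCATION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)(?::(?P<trailer>[^:\\]*))?$")

def parse_line(line: str):
    """Return a record for a detection line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    loc = LOCATION_RE.match(m.group("location"))
    path = loc.group("path") if loc else m.group("location")
    trailer = (loc.group("trailer") or "") if loc else ""
    return {"timestamp": m.group("timestamp"), "level": m.group("level"),
            "guid": m.group("guid"), "path": path, "trailer": trailer,
            # extension of the flagged object: the only thing the UI counts
            "extension": os.path.splitext(trailer or path)[1].lower()}

def parse_log(text: str):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def extension_counts(records) -> Counter:
    """Per-extension detection counts, i.e. the summary the UI shows."""
    return Counter(r["extension"] for r in records)

def to_csv(records) -> str:
    """One row per flagged path: the per-file report the thread asks for."""
    fields = ["timestamp", "level", "guid", "path", "trailer", "extension"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    w.writeheader()
    w.writerows(records)
    return buf.getvalue()
```

Point `parse_log` at the contents of a real file from that folder to get the CSV; if the real layout differs from the sample, only the two regexes need adjusting.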

Re: Full path to suspicious files found

Post by Gostev »

The reason is that we can't put this data in the configuration database, as it will bloat it instantly.
@Dima P. but do we refer users to the log file in the event? We should.

Re: Full path to suspicious files found

Post by Dima P. »

Currently there is no reference to the log location. We have an idea to create a dedicated CSV report which will contain all details related to recent malware discoveries (similar to skipped files in NAS backup).

Re: Full path to suspicious files found

Post by JaySt »

Yes, that's a pretty good reason.
Good stuff! Looking forward to some better visibility/accessibility one way or another. A .csv report sounds great.
Veeam Certified Engineer

Re: Full path to suspicious files found

Post by ReKe »

Maybe it is possible to create a Windows event log entry that can be monitored. It should include the job name and the file with the file path.

Re: Full path to suspicious files found

Post by Dima P. »

ReKe,

Windows events are already created: everything you get as a malware event is automagically recorded to the Windows event log (and can also be translated to any syslog server). Listing all the file names in a single event could easily make the UI unreadable and unusable (imagine the entire machine was encrypted and every single file on the file system had to be listed in the UI / log or event); a dedicated CSV report saves you from this trouble but still makes an investigation easy. Thanks!

Re: Full path to suspicious files found

Post by DaStivi »

Dima P. wrote: Dec 07, 2023 10:51 am
Understood, thank you! For index scan you can check this log folder for more details; all the paths are displayed in the log: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs

Code:

[30.11.2023 08:56:51.997]    <55> Warning (3)    -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy (2).onion
[30.11.2023 08:56:51.997]    <55> Warning (3)   -_-:c7f43dde-ce3e-42c1-9dc7-c830923a4fa1:c:\Ransomware too - Copy - Copy\Microsoft Hyper-V Servers.onion - Copy - Copy:Server01.8bd0ee63-23ac-46c7-9a03-6878eabc6b8aD2022-03-02T094415_6ED3 - Copy - Copy.onion
I've also got warnings about "Potential malware activity detected", but I don't have this log folder... I tried to find something in the logs from the VM, but nothing was found there either...

Event log: if it should be in the (new??) "Veeam Backup" log, that was only 1 MB in size and it has been instantly overwritten with "Veeam MP" messages...

Re: Full path to suspicious files found

Post by Dima P. »

Hello DaStivi,

Can you share the text of the event from the Veeam B&R console? Likely it's an inline detection, which detects the presence of encrypted data, ransomware notes or onion links.

Events with the following numbers appear under the Veeam hive in the Windows Event Viewer, like below; the full list is here: User Guide for VMware vSphere > Veeam Backup & Replication > Events > Security

Code:

41600 Malware activity detected Potential malware activity <Activity name> has been detected for <Restore point ID> <Machine name> by <User name>. Rule name: <Rule name>.

41610 Malware detection event resolved Malware detection event has been resolved for <Restore point ID> by <User name>. False positive: <State>.

42200 Malware detection session started Malware detection session has been started.

42210 Malware detection session finished Malware detection session has been finished with <State>.