OashaP
Novice
Posts: 5
Liked: 1 time
Joined: Jan 10, 2024 7:34 am

[Feature Request] Inline detection marking shrunken files

Post by OashaP »

Good day everyone,

as I was cleaning up our Malware Detection events from Veeam's AI/ML Inline Scan, I was talking to a colleague who had had several files deleted.
After he confirmed that this was a false positive, it was all fine and dandy.
He then suddenly asked if a server had thrown any warnings too, since he had shrunk some files on this server by several tens of gigabytes a day prior.
But there was nothing in Veeam that would indicate this behavior.
I, for my part, would be quite interested if files suddenly lost their data without being deleted, since this workaround for the bulk file deletion would still be detected.

Granted, we only have a Veeam B&R server on 12.1.1, so if this kind of feature does exist in Veeam ONE, we would not be able to leverage it.
But since the Inline Scan can find Bulk File Deletion and Encrypted Data, wouldn't it be able to find drastically shrunken files too?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: [Feature Request] Inline detection marking shrunken files

Post by Gostev »

Correct, there's no such functionality.
OashaP
Novice
Posts: 5
Liked: 1 time
Joined: Jan 10, 2024 7:34 am

Re: [Feature Request] Inline detection marking shrunken files

Post by OashaP »

Ok good to know that I did not overlook some configuration. Thanks for the clarification on this.

But is there a possibility to add this as a feature in the future, or am I just being too paranoid about this?
Is it even implementable on the technical side?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: [Feature Request] Inline detection marking shrunken files

Post by Gostev »

Technically it's possible:
- If the file size changes as a result, then we could potentially detect it with the suspicious file system activity analysis engine and flag significant changes.
- If the content gets zeroed out, the file size does not change; however, blocks getting zeroed out should be trivial to detect with inline data stream analysis (just like we detect today when blocks get encrypted).

But it starts with some malware samples that do this, and I have never heard of modern malware doing this kind of stuff. This means irreversible destruction of data and no way to get a ransom.
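A sketch of the two detection signals Gostev outlines, written here as an added example; it is not Veeam's code, and the file-size inventories, byte strings, block size and thresholds are constructed assumptions. The first check compares per-file sizes between two restore points and flags files that still exist but lost most of their bytes; the second compares a file whose length did not change block by block and counts blocks that were populated before and are all zeros now, ignoring regions that were already zero so sparse files do not trip it.

```python
"""
Two checks for "shrunken" files between backup points:
  1. size dropped sharply while the file still exists (metadata check)
  2. size unchanged but populated blocks were overwritten with zeros
     (content check, the same place an encrypted-block check would run)
All inventories and byte strings below are constructed sample data.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

BLOCK_SIZE = 4096  # assumed block granularity for the content check
MiB = 1024 ** 2


@dataclass(frozen=True)
class ShrunkFile:
    path: str
    old_size: int
    new_size: int

    @property
    def dropped_bytes(self) -> int:
        return self.old_size - self.new_size


def flag_shrunken_files(previous: Dict[str, int], current: Dict[str, int],
                        min_drop_bytes: int = 100 * MiB,
                        min_drop_ratio: float = 0.5) -> List[ShrunkFile]:
    """Compare two inventories (path -> size in bytes) from consecutive
    restore points. Return files present in both that lost at least
    `min_drop_bytes` AND at least `min_drop_ratio` of their size, largest
    loss first. Deleted files are skipped: bulk deletion is a separate signal."""
    hits = []
    for path, old_size in previous.items():
        new_size = current.get(path)
        if new_size is None or old_size == 0:
            continue
        dropped = old_size - new_size
        if dropped >= min_drop_bytes and dropped / old_size >= min_drop_ratio:
            hits.append(ShrunkFile(path, old_size, new_size))
    return sorted(hits, key=lambda h: h.dropped_bytes, reverse=True)


def _blocks(data: bytes, block_size: int):
    for offset in range(0, len(data), block_size):
        yield data[offset:offset + block_size]


def newly_zeroed_blocks(before: bytes, after: bytes,
                        block_size: int = BLOCK_SIZE) -> Tuple[int, int]:
    """Return (newly_zeroed, total_blocks) for a file of unchanged length.
    A block counts only if it held non-zero bytes before and is all zeros
    after; blocks that were already zero (sparse/preallocated) are ignored."""
    if len(before) != len(after):
        raise ValueError("size changed; use flag_shrunken_files instead")
    zeroed = total = 0
    for old_blk, new_blk in zip(_blocks(before, block_size),
                                _blocks(after, block_size)):
        total += 1
        if any(old_blk) and not any(new_blk):
            zeroed += 1
    return zeroed, total


def is_suspicious_zeroing(before: bytes, after: bytes,
                          block_size: int = BLOCK_SIZE,
                          min_ratio: float = 0.5) -> bool:
    """True when at least `min_ratio` of the previously populated blocks
    were zeroed in place."""
    zeroed, _ = newly_zeroed_blocks(before, after, block_size)
    populated = sum(1 for blk in _blocks(before, block_size) if any(blk))
    return populated > 0 and zeroed / populated >= min_ratio


# --- constructed sample data (not real backup content) --------------------
PREVIOUS_INVENTORY = {
    "D:/share/finance/ledger.mdb": 40 * 1024 * MiB,   # 40 GiB
    "D:/share/finance/archive.zip": 2 * 1024 * MiB,
    "D:/share/logs/app.log": 600 * MiB,
    "D:/share/tmp/cache.bin": 50 * MiB,
}
CURRENT_INVENTORY = {
    "D:/share/finance/ledger.mdb": 512 * MiB,         # lost ~39.5 GiB
    "D:/share/finance/archive.zip": 2 * 1024 * MiB,   # unchanged
    "D:/share/logs/app.log": 20 * MiB,                # log rotation: benign, still flagged
    "D:/share/tmp/cache.bin": 1 * MiB,                # below the absolute threshold
}

_rng = random.Random(1234)  # deterministic pseudo-random "file content"
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(7 * BLOCK_SIZE)) + b"\x00" * BLOCK_SIZE
WIPED = b"\x00" * (6 * BLOCK_SIZE) + ORIGINAL[6 * BLOCK_SIZE:]   # 6 of 7 populated blocks zeroed
BENIGN = (ORIGINAL[:2 * BLOCK_SIZE]
          + bytes(b ^ 0x5A for b in ORIGINAL[2 * BLOCK_SIZE:3 * BLOCK_SIZE])
          + ORIGINAL[3 * BLOCK_SIZE:])                           # one block rewritten, not zeroed

if __name__ == "__main__":
    for hit in flag_shrunken_files(PREVIOUS_INVENTORY, CURRENT_INVENTORY):
        print(f"{hit.path}: {hit.old_size} -> {hit.new_size} bytes")
    print("wiped:", newly_zeroed_blocks(ORIGINAL, WIPED), is_suspicious_zeroing(ORIGINAL, WIPED))
    print("benign edit:", newly_zeroed_blocks(ORIGINAL, BENIGN), is_suspicious_zeroing(ORIGINAL, BENIGN))
```

The rotated log in the sample inventory is deliberate: a pure size-drop rule fires on routine rotation and truncation, so a production rule would need per-path exclusions or a higher ratio for known-volatile locations, which is why the content check that counts populated blocks turning to zeros is the more specific of the two signals.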