Malware detection - Bulk file renaming

[adam900331]

Hy!

I have a file server, and nabled the indexing during backup. Last night I ran Windows Update and installed lots of update. The veeam has been reported the following after the server update:

Type: Bulk file renaming
Details: Potential malware activity detected: too many files have had their names changed since last backup, ensure they were not encrypted by ransomware

Are there any log where I can check which files modified?
Could there be a connection between the update and the many file changes?

Thanks.

[Mildur]

Hi Adam

There is no log yet for "bulk file renaming".
It should be added in the upcoming patch.

Could there be a connection between the update and the many file changes?

Yes, it's possible. Have you included %windir% in the guest file indexing options?

Best,
Fabian

[adam900331]

Hello Fabian,

Thanks. The guest file indexing option is:

Indexing everything expect:
- %windir%
- %ProgramFiles%
- %ProgramFiles(x86)%
- %ProgramW6432%
- %TEMP%

Is it meean that the indexing is not apply on %windir%?

Thanks.

[Gostev]

Correct.

[adam900331]

Thanks. But how can I identify that it is a false warning (so not malware activities) or not?

[Gostev]

See the previous reply, the conventient way is coming.

[Gostev]

And until this log is available, you can use the Compare to Production functionality of the File-Level Recovery wizard to see all the changed files between the selected restore point and production environment.

[adam900331]

Thanks!