That's on us now. We've been discussing lately that possibly, for Linux machines, we can investigate if rpms can be excluded from analysis as those usually cause the false-positives during the Linux machines upgrade. Will that cover your issue? I'm not sure what can be done to make this better for VMs
- Product Manager
- Posts: 14785
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Malware detection, Ransomware Notice found
- Veeam Legend
- Posts: 134
- Liked: 37 times
- Joined: Sep 11, 2012 12:00 pm
- Full Name: Shane Williford
- Location: Missouri, USA
Re: Malware detection, Ransomware Notice found
Possibly. As I'm sure you've seen, the false pos is/was caused by a threshold being "over" met between number of encrypted files created from the upgrade vs disk space? Something like that. Our Linux VMs, including appliances, generally have limited OS disk space allocated solely because not much is needed. Whatever you all can do to take that into consideration (small Linux VM disk size vs encrypted files "seen" for upgrades, etc), I'm all for.
Thanks Dima.
Shane Williford
Systems Architect
Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
- Novice
- Posts: 9
- Liked: 2 times
- Joined: Jan 10, 2024 7:34 am
Re: Malware detection, Ransomware Notice found
Hi guys,
(I don't know if I should raise a ticket for this, use the feedback option at the bottom of the KB article, or if the R&D-Forum is the best option to bring up this topic.)
I just tried out the script for encrypted data and encountered something strange.
When I run it against a freshly created restore point that has been flagged with "Encrypted Data" it tries to mount the restore point as it should be.
But after a certain time, it throws an "Access denied" error and resumes with the second volume (the affected VM has 2 Volumes), which supposedly finishes successfully.
After taking a look inside the output folder I see 2 .CSV and 2 .TXT files - one for each volume.
Inside the .TXT files I can see the offset values listed.
The CSVs are, apart from the header titles for the columns, completely empty.
Does anyone know what could be causing this behavior?
Thanks in advance.
- Product Manager
- Posts: 14785
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Malware detection, Ransomware Notice found
Hello OashaP,
Thank you for your post. The issue might be caused by the backup file being locked (i.e. new job run or any secondary activity start). Can you please temporarily disable all the jobs with the backup in question, re-run the utility and let us know if you see the same behavior? Thank you!
- Novice
- Posts: 9
- Liked: 2 times
- Joined: Jan 10, 2024 7:34 am
Re: Malware detection, Ransomware Notice found
Hey Dima,
unfortunately, it's still the same behavior - both .CSVs are empty (except the headlines) and both the offset .TXTs have data in them.
No job was running and all jobs regarding the VM in question have temporarily been disabled.
- Veeam Legend
- Posts: 134
- Liked: 37 times
- Joined: Sep 11, 2012 12:00 pm
- Full Name: Shane Williford
- Location: Missouri, USA
Re: Malware detection, Ransomware Notice found
Hi @Dima -
Does your team need anything further on my end for my Linux VM issue? If not, I will go ahead and close my case. I just wanted to make sure you don't need anything further before I do.
Thanks for everything.
Shane Williford
Systems Architect
Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
- Product Manager
- Posts: 14785
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Malware detection, Ransomware Notice found
OashaP,
Can you please raise a support case and share the case ID with me? I'll ask the team to review the logs.
- Product Manager
- Posts: 14785
- Liked: 1721 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
Re: Malware detection, Ransomware Notice found
Shane,
Thank you for all the logs and troubleshooting information. Looks like QA got everything we need now.
To sum up: the false positive caused by workload upgrade is now considered a known issue due to the high amount of encrypted blocks delivered via Linux packages. As a workaround - exclude such machines from analytics if false-positive reports are causing too much trouble. We will continue working on this issue and plan to address it in the upcoming versions.
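Why the same upgrade can trip a ratio-based alert on a small Linux OS disk but not on a large one, as an added illustration that is not part of the thread and is not Veeam's detection logic. The block size, entropy cutoff and alert ratio are assumptions, and the disk contents are constructed (zlib output stands in for package data).

```python
import math
import random
import zlib
from collections import Counter

BLOCK = 4096         # assumed analysis block size
HIGH_ENTROPY = 7.5   # assumed bits/byte cutoff for "looks encrypted"
ALERT_RATIO = 0.10   # assumed share of suspicious blocks that raises an alert


def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    total = len(block)
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())


def package_payload(blocks: int) -> bytes:
    """Constructed stand-in for package data written by an upgrade."""
    # Hex text compresses to roughly half its size; the zlib output is
    # statistically close to random, just like encrypted data.
    raw = random.Random(1).randbytes(blocks * BLOCK * 2).hex().encode()
    return zlib.compress(raw)[: blocks * BLOCK]


def disk_image(total_blocks: int, payload: bytes) -> bytes:
    """Constructed OS disk: low-entropy text blocks plus the package payload."""
    filler = (b"# constructed sample config line\n" * 200)[:BLOCK]
    os_blocks = total_blocks - len(payload) // BLOCK
    return filler * os_blocks + payload


def analyse(disk: bytes) -> tuple[float, bool]:
    """Return (share of high-entropy blocks, whether the alert would fire)."""
    blocks = [disk[i:i + BLOCK] for i in range(0, len(disk), BLOCK)]
    suspicious = sum(entropy(b) > HIGH_ENTROPY for b in blocks)
    ratio = suspicious / len(blocks)
    return ratio, ratio > ALERT_RATIO


if __name__ == "__main__":
    upgrade = package_payload(100)  # identical upgrade on both machines
    for name, size in (("small appliance", 500), ("large server", 5000)):
        ratio, alert = analyse(disk_image(size, upgrade))
        print(f"{name}: {ratio:.1%} high-entropy blocks, alert={alert}")
```

A byte-level entropy measure cannot tell compressed package data from ciphertext, which is why excluding the machine or the package files from analysis is the practical workaround until the heuristic changes.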
- Novice
- Posts: 9
- Liked: 2 times
- Joined: Jan 10, 2024 7:34 am
Re: Malware detection, Ransomware Notice found
@Dima
Sure thing. The Case Number is #07547118.
Hope you can find the cause for this strange behavior.
Thanks in advance. I'll keep you updated when I hear something from support.
- Veeam Legend
- Posts: 134
- Liked: 37 times
- Joined: Sep 11, 2012 12:00 pm
- Full Name: Shane Williford
- Location: Missouri, USA
Re: Malware detection, Ransomware Notice found
@Dima -
That's a good summary. Great. I will close out my case with Michael. Let me know if we need to revisit.
Thanks.
Shane Williford
Systems Architect
Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00