Comprehensive data protection for all workloads
Dima P.
Product Manager
Posts: 14785
Liked: 1721 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

I'm not sure what can be done to make this better for VMs
That's on us now. We've been discussing lately that possibly, for Linux machines, we can investigate if rpms can be excluded from analysis as those usually cause the false-positives during the Linux machines upgrade. Will that cover your issue?
coolsport00
Veeam Legend
Posts: 134
Liked: 37 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Possibly. As I'm sure you've seen, the false pos is/was caused by a threshold being "over" met between number of encrypted files created from the upgrade vs disk space? Something like that. Our Linux VMs, including appliances, generally have limited OS disk space allocated solely because not much is needed. Whatever you all can do to take that into consideration (small Linux VM disk size vs encrypted files "seen" for upgrades, etc), I'm all for.
Thanks Dima.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
OashaP
Novice
Posts: 9
Liked: 2 times
Joined: Jan 10, 2024 7:34 am

Re: Malware detection, Ransomware Notice found

Post by OashaP »

Hi guys,

(I don't know if I should raise a ticket for this, use the feedback option at the bottom of the KB article, or if the R&D-Forum is the best option to bring up this topic.)

I just tried out the script for encrypted data and encountered something strange.

When I run it against a freshly created restore point that has been flagged with "Encrypted Data", it tries to mount the restore point as it should.
But after a certain time, it throws an "Access denied" error and resumes with the second volume (the affected VM has 2 Volumes), which supposedly finishes successfully.

After taking a look inside the output folder I see 2 .CSV and 2 .TXT files - one for each volume.
Inside the .TXT files I can see the offset values listed.
The CSVs are, apart from the header titles for the columns, completely empty.

Does anyone know what could be causing this behavior?

Thanks in advance.
Dima P.
Product Manager
Posts: 14785
Liked: 1721 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello OashaP,

Thank you for your post. The issue might be caused by the backup file being locked (i.e. a new job run or any secondary activity starting). Can you please temporarily disable all the jobs with the backup in question, re-run the utility and let us know if you see the same behavior? Thank you!
OashaP
Novice
Posts: 9
Liked: 2 times
Joined: Jan 10, 2024 7:34 am

Re: Malware detection, Ransomware Notice found

Post by OashaP »

Hey Dima,

Unfortunately, it's still the same behavior - both .CSVs are empty (except the headlines) and both the offset .TXTs have data in them.
No job was running and all jobs regarding the VM in question have temporarily been disabled.
coolsport00
Veeam Legend
Posts: 134
Liked: 37 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Hi @Dima -
Does your team need anything further on my end for my Linux VM issue? If not, I will go ahead and close my case. I just wanted to make sure you don't need anything further before I do.
Thanks for everything.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
Dima P.
Product Manager
Posts: 14785
Liked: 1721 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

OashaP,

Can you please raise a support case and share the case ID with me? I'll ask the team to review the logs.
Dima P.
Product Manager
Posts: 14785
Liked: 1721 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Shane,

Thank you for all the logs and troubleshooting information. Looks like QA got everything we need now.

To sum up: the false positive caused by a workload upgrade is now considered a known issue due to the high amount of encrypted blocks delivered via Linux packages. As a workaround, exclude such machines from analytics if false-positive reports are causing too much trouble. We will continue working on this issue and plan to address it in the upcoming versions.
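The two mechanisms discussed in this thread, a per-block "looks encrypted" check and a threshold on how much of the disk is flagged, are enough to reproduce the false positive on a small Linux OS disk. The script below is an added illustration written for this thread, not Veeam's code, and it does not claim to match Veeam's actual analysis or thresholds. It assumes (my assumption) a Shannon-entropy heuristic for "encrypted-looking" blocks, a constructed entropy cut-off of 7.5 bits per byte and a constructed 10% disk ratio, and it uses random bytes to stand in for the compressed payloads that package upgrades write, since compressed data is nearly indistinguishable from ciphertext to an entropy check. The same number of high-entropy blocks trips the ratio on a 200-block disk but not on a 2000-block one, which is the small-disk effect Shane describes.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096
ENTROPY_THRESHOLD = 7.5   # bits/byte; constructed cut-off, not Veeam's value
RATIO_THRESHOLD = 0.10    # flagged blocks / total blocks; constructed value


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 max)."""
    if not block:
        return 0.0
    n = len(block)
    counts = Counter(block)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(block: bytes) -> bool:
    """Heuristic: near-maximal entropy is what ciphertext *and* compressed
    package payloads look like, which is the root of the false positive."""
    return shannon_entropy(block) >= ENTROPY_THRESHOLD


def build_disk(total_blocks: int, high_entropy_blocks: int, seed: int = 1) -> list:
    """Constructed disk image: the first `high_entropy_blocks` blocks imitate
    freshly installed compressed package content (random bytes, seeded for
    reproducibility); the rest are low-entropy text like config files."""
    rng = random.Random(seed)
    filler = (b"# constructed config line\n" * (BLOCK_SIZE // 26 + 1))[:BLOCK_SIZE]
    disk = []
    for i in range(total_blocks):
        if i < high_entropy_blocks:
            disk.append(rng.randbytes(BLOCK_SIZE))
        else:
            disk.append(filler)
    return disk


def analyze(disk: list) -> dict:
    """Count encrypted-looking blocks and compare the share of the disk they
    occupy against the ratio threshold; `alert` is the ransomware verdict."""
    flagged = sum(1 for block in disk if looks_encrypted(block))
    ratio = flagged / len(disk) if disk else 0.0
    return {
        "total_blocks": len(disk),
        "flagged_blocks": flagged,
        "ratio": ratio,
        "alert": ratio >= RATIO_THRESHOLD,
    }


def compare_scenarios() -> dict:
    """Same upgrade (40 high-entropy blocks) on a small and a large disk."""
    return {
        "small_disk": analyze(build_disk(total_blocks=200, high_entropy_blocks=40)),
        "large_disk": analyze(build_disk(total_blocks=2000, high_entropy_blocks=40)),
    }


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name}: {result['flagged_blocks']}/{result['total_blocks']} blocks "
              f"flagged ({result['ratio']:.1%}) -> alert={result['alert']}")
```

A ratio against disk size is what makes the verdict depend on how the VM was sized rather than on what happened to its data; a detector that also weighed absolute volume of flagged blocks, or that knew the flagged ranges coincide with package-manager writes, would separate the two cases. Until the product handles that, excluding the affected machines from analytics, as Dima suggests, is the available knob.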
OashaP
Novice
Posts: 9
Liked: 2 times
Joined: Jan 10, 2024 7:34 am

Re: Malware detection, Ransomware Notice found

Post by OashaP » 1 person likes this post

@Dima

Sure thing. The Case Number is #07547118.
Hope you can find the cause for this strange behavior.

Thanks in advance. I'll keep you updated when I hear something from support.
coolsport00
Veeam Legend
Posts: 134
Liked: 37 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

@Dima -
That's a good summary. Great. I will close out my case with Michael. Let me know if we need to revisit.
Thanks.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00