Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Anyway we appear to have moved on, finally. We are unsure at the moment of the value of enabling the Inline scan and will review the use of it.
I'd say if you use inline scan and index scan together the resulting information is more accurate and sensitive, because inline scan can't tell you what's affected but at the same time can identify data being encrypted by a totally new, unknown ransomware family which is not listed in the SuspiciousFiles.xml yet, while old, known ransomware tools can be caught via index analytics.
This file was driving me crazy. I was sure I understood the purpose
Saw this issue couple of times myself, shared my feedback with support management.
Also how can YARA rules be used to scan Linux VM backups? The Scan option is only available for Windows VM backups
Correct, AV scan and YARA scan functionality is currently aimed at Windows machines. We plan to add the ability to scan Linux machines in the next versions.
victor.bylin@atea.se
Service Provider
Posts: 47
Liked: 2 times
Joined: Oct 26, 2017 11:22 am
Full Name: Victor
Contact:

Re: Malware detection, Ransomware Notice found

Post by victor.bylin@atea.se » 1 person likes this post

Hi,

I think this feature has been implemented wrong. I understand that you at Veeam want to push customers to the whole suite. But to create an alarm that says that you have a ransomware note, then have no option to view more information without buying the whole suite, I think that is just wrong. If you want it to only be possible to check ransomware notes in the full suite, then just present that alarm where the whole suite is licensed. But personally I don't see why the ransomware note's path is not just logged where the file extension (suspicious file extensions) alarm, for example, is logged.
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello Victor,

The reason behind this is not licensing. Inline detection does not work on the file system level; instead it tracks suspicious patterns on a block level while data is being transferred through a backup proxy. As such, we don't know which specific file is encrypted or contains a ransomware note or .onion links.

So for this particular detection engine, currently the only way to find out the path of the impacted file is with an antivirus scan (the feature is available in all editions), with the FINDSTR utility, or with the YARA utility. Only automated YARA scans require the suite.

Thank you!
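Dima's point above (the encryption is spotted on a block level while data passes through the proxy, so no file path is known) can be illustrated with a small added example. This is not Veeam's code: it is a per-block Shannon entropy scan over a constructed disk-image byte string, and the block size, the 7.5 bits/byte threshold and the fixture are assumptions for the example. What it shows is that such a scanner only ever produces block offsets, never file names, and that any high-entropy data trips it the same way ciphertext does.

```python
# Added example (not Veeam's code): a per-block Shannon entropy scan over a
# constructed disk-image byte string. It shows what a block-level "encrypted
# data" detector sees: block offsets with high entropy, never file names.
import math
import os
from collections import Counter

BLOCK_SIZE = 4096        # assumed block size for the example; Veeam's sizing is not stated here
HIGH_ENTROPY = 7.5       # assumed threshold in bits/byte; ciphertext and random data approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or single-valued data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_blocks(image: bytes, block_size: int = BLOCK_SIZE, threshold: float = HIGH_ENTROPY):
    """Return [(block_index, entropy)] for every block at or above the threshold.

    Only the block index is known: without file-system metadata there is no way
    to say which file those bytes belong to, which is why the event cannot name a path.
    """
    flagged = []
    for offset in range(0, len(image), block_size):
        entropy = shannon_entropy(image[offset:offset + block_size])
        if entropy >= threshold:
            flagged.append((offset // block_size, round(entropy, 2)))
    return flagged


def build_sample_image() -> bytes:
    """Constructed fixture: 3 text blocks, 2 random blocks (stand-in for ciphertext), 1 zero block."""
    text_block = (b"An ordinary document line of plain text.\n" * 200)[:BLOCK_SIZE]
    encrypted_like = os.urandom(BLOCK_SIZE) + os.urandom(BLOCK_SIZE)
    return text_block * 3 + encrypted_like + bytes(BLOCK_SIZE)


if __name__ == "__main__":
    for index, entropy in scan_blocks(build_sample_image()):
        print(f"block {index}: entropy {entropy} bits/byte (high, possible encrypted data)")
```

Running it flags blocks 3 and 4 and nothing else. Compressed archives, media files and already-encrypted volumes sit in the same entropy range as ransomware output, so a block-level hit is a trigger to go and look (AV scan, FINDSTR, YARA), not a verdict on its own.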
JaySt
Service Provider
Posts: 415
Liked: 75 times
Joined: Jun 09, 2015 7:08 pm
Full Name: JaySt
Contact:

Re: Malware detection, Ransomware Notice found

Post by JaySt » 1 person likes this post

Boy, was I disappointed today to learn a VUL license (having the Enterprise Plus feature set) would not be enough to use the manually started YARA scanning post-backup (the "scan backup" functionality on a VM that triggered a ransomware note malware detection event after inline scanning completed).
"Yara scan functionality is not available in your Veeam Data Platform edition."

When looking at the feature comparison PDF at https://www.veeam.com/veeam_data_platfo ... son_ds.pdf, I can see some requirements for the Advanced or Premium suite being described, but hats off to anyone who was able to get that fact out of the document. By reading the doc, I can sort of conclude automated SureBackup configuration would not let you use YARA scanning, and the "secure restore" feature (as part of the actual restore) would not let you use YARA scanning. But I was not expecting the manually started scan would also require the Advanced or Premium suite. Bummer for all those customers that we got so far to upgrade their lower-edition socket-based licensing to Enterprise Plus feature set VUL licensing. I understand Veeam needs to draw the line somewhere when mapping features to editions & suites, but IMHO this line is misplaced in this specific case.
Veeam Certified Engineer
JaySt
Service Provider
Posts: 415
Liked: 75 times
Joined: Jun 09, 2015 7:08 pm
Full Name: JaySt
Contact:

Re: Malware detection, Ransomware Notice found

Post by JaySt » 1 person likes this post

Additional view on this, as it kind of bothers me quite heavily:
Customer with a few hundred VMs running VUL Ent Plus upgraded to 12.1.1. Wanted to enable inline scanning, but not index scanning, due to the effort needed for the job reconfiguration regarding guest integration etc. So off we went. After some time, 10 or so VMs got marked by malware detection with ransomware note remarks. Hard stop. How does Veeam expect admins to react to such events while given zero information about what and where, with all things "ransomware" setting off all kinds of thoughts and worries? Why would this alert be given without further means or anything?
So we had the suggestion to do some manual YARA scanning for one of the VMs, as it is better than the suggestion to do a FINDSTR across the VM (really?). And then again a hard stop on the license.
Inline scanning would probably be better implemented if it only reported on suspicious change activity when not on the Advanced or Premium suite.
Veeam Certified Engineer
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello JaySt,
hats off to anyone who was able to get that fact out of the document. By reading the doc, I can sort of conclude automated SureBackup configuration would not let you use YARA scanning, and the "secure restore" feature (as part of the actual restore) would not let you use YARA scanning. But I was not expecting the manually started scan would also require the Advanced or Premium suite.
Generally YARA scan is a part of the SureBackup engine, so that's why the line 'YARA scan (*YARA Scan requires Advanced or Premium Edition)' was added to the SureBackup bullet. I agree that it should be more straightforward; I will pass the feedback to our marketing team to avoid further confusion. Thank you for the feedback!
So we had the suggestion to do some manual YARA scanning for one of the VMs, as it is better than the suggestion to do a FINDSTR across the VM (really?). And then again a hard stop on the license.
Can you please elaborate why it's not possible to install a YARA engine manually on the machine and use the mentioned rule to search for the suspicious files with onion links, or use the command line? I understand that this would be manual work, but it's totally free and does not require any licensing changes from the customer.
JaySt
Service Provider
Posts: 415
Liked: 75 times
Joined: Jun 09, 2015 7:08 pm
Full Name: JaySt
Contact:

Re: Malware detection, Ransomware Notice found

Post by JaySt » 1 person likes this post

Yes, I think there are multiple options to do manual steps regarding scanning. It's more that the most obvious way of doing it is right there in the Veeam console; all is in place already, just blocked by licensing. It's just that the blocking of the _manual_ YARA scan by Veeam is up for discussion if you ask me. It just does not make enough sense when looking at the way the software reports on malware events coming from inline scans.
Veeam Certified Engineer
kevlahau
Influencer
Posts: 13
Liked: 5 times
Joined: Apr 02, 2020 12:59 am
Full Name: Kevin Woolard
Contact:

Re: Malware detection, Ransomware Notice found

Post by kevlahau » 1 person likes this post

Lots of info in respect of Windows servers, but what about Linux systems? What do I look for in respect to "Ransomware note" and "Encrypted Data"?
coolsport00
Veeam Legend
Posts: 81
Liked: 14 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Dima P. wrote: Dec 11, 2023 5:06 pm Hello Daniel,

Thank you for the details, passed that to the Malware Detection team for a review. Regarding the malware note - indeed the exact location is currently not logged, we will note an improvement request. Thank you for your feedback!
Hi @Dima - I only run Inline Scanning myself...as I don't have Guest Indexing turned on in my jobs (thus File System Scan is also not enabled). I'm also wanting 1. a dedicated log file for Inline Entropy scans, and if possible...way more details than the vague statements in the Details window. I read a couple of your comment responses on why this may not be possible...but if it can be, I'm a vote for YES! as well :) BTW..I'm working with support on all my Malware Detection questions, case #07128707, in case you needed it.

@JaySt - I'm with you a little bit on not being able to YARA scan. We're an SMB with Ent+, but only have Foundation, so not able to scan via YARA. Actually...for whatever reason, not able to scan for A/V either, but that's another issue (not lic) I think...

Another good thread! Thanks for all the info @Hannes @Dima @Gostev
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
coolsport00
Veeam Legend
Posts: 81
Liked: 14 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Oh, btw...is there a way to scan, on Linux, for YARA or Onion links/files? I think what was posted earlier by @Dima is for Windows only?

Thanks!
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Lots of info in respect of Windows servers, but what about Linux systems? What do I look for in respect to "Ransomware note" and "Encrypted Data"?
Currently it's possible only by installing the standalone YARA engine on a Linux machine.
I'm also wanting 1. a dedicated log file for Inline Entropy scans, and if possible...way more details than the vague statements in the Details window. Read a couple of your comment responses on why this may not be possible...but if it can be, I'm a vote for YES! as well :)
We are investigating the possibility, yes.
BTW..I'm working with support on all my Malware Detection questions, case #07128707, in case you needed it.
Will look into this, thank you!
Oh, btw...is there a way to scan, on Linux, for YARA or Onion links/files? I think what was posted earlier by @Dima is for Windows only?
Correct, for now it's standalone manual scans only, but for sure we plan to add YARA scans for Linux to Veeam B&R in the upcoming releases.
dellock6
VeeaMVP
Posts: 6139
Liked: 1932 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Malware detection, Ransomware Notice found

Post by dellock6 »

Shane,
If you mean to scan from Veeam, then it's a no. But actually, if it's a manual scan, you can install YARA as a local tool inside the machine:
https://yara.readthedocs.io/en/stable/g ... arted.html

Or, not as elegant and integrated as using VBR, you can even use sshfs and then think about scanning the machines remotely without installing YARA on each node, if you have many machines.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
coolsport00
Veeam Legend
Posts: 81
Liked: 14 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 1 person likes this post

Hi Luca -
Yeah...I think there's a tool created on the Community Hub I may try out which can be used for Linux. Thanks for the share!
Best.
Shane
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
sergiosergio
Lurker
Posts: 2
Liked: never
Joined: Mar 27, 2024 1:03 pm
Full Name: Sergio
Contact:

[MERGED] Potential malware activity detected: Encrypted data

Post by sergiosergio »

Hi there!

Last night I got a notification of "Potential malware activity detected". This is the history event:
[screenshot of the history event]

I don't know how or where I can check what the suspicious data is, as there is no info about it nor a log file (Programdata\Veeam\Backup\Malware_Detection_Logs\suspicious_files_24-03-26.log has no info about this event).

Thank you in advance.
HannesK
Product Manager
Posts: 14322
Liked: 2890 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by HannesK »

Hello,
and welcome to the forums.

The answer to your question is covered above. The encryption was detected at block level and the software does not know which block is part of which file in this situation.

Best regards,
Hannes
hensowi
Lurker
Posts: 1
Liked: never
Joined: Apr 18, 2024 5:58 pm
Full Name: Bill Henson
Contact:

Re: Malware detection, Ransomware Notice found

Post by hensowi »

Hi everyone.

I too have a VM that is getting flagged with the malware detection, Ransomware notice found.

In digging into the system it seems there are valid files on the system that have .onion included. In this specific case it is due to the Brave browser Ad block filter files.

How do I keep the inline scan engine from flagging this VM after every backup with the malware detection, ransomware notice found alert? Is my only solution to exclude the entire VM from the malware scan?

Thanks,
Bill

Case # 07216523
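The manual route Dima and Luca describe above (install the standalone YARA engine on the Linux machine, or mount it with sshfs and scan it remotely) and Bill's false positive from Brave's ad-block filter lists come together in one added example. This is not Veeam's scanner and not the Community Hub tool; it is a Python script that walks a directory tree, which can be the machine's own root or an sshfs mount point, reports text files containing a Tor .onion address (the indicator behind the "ransomware note" event), and skips files under allow-listed paths. The allow-list patterns, the fixture paths and file names, the 50 MiB size cap and the EQUIVALENT_YARA_RULE name are all constructed assumptions; the rule string is what you would hand to the standalone yara binary to get the same match.

```python
# Added example (not Veeam's scanner and not the Community Hub tool): walk a
# directory tree, which can be a local root or an sshfs mount of a Linux host,
# and report text files that reference a Tor .onion address. Files under
# allow-listed paths (for example browser ad-block filter lists) are skipped.
import fnmatch
import os
import re
import tempfile

# Hidden-service addresses are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
ONION_RE = re.compile(rb"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")

# Assumed allow-list of glob patterns (matched against the full path) for files
# that legitimately carry .onion domains; the Brave path below is illustrative.
DEFAULT_ALLOWLIST = (
    "*/BraveSoftware/*/adblock*",
    "*/easylist*.txt",
)

MAX_FILE_BYTES = 50 * 1024 * 1024  # ransomware notes are small; skip huge files

# The same match written for the standalone YARA engine (rule name is our own choice).
EQUIVALENT_YARA_RULE = r"""
rule onion_link_in_text
{
    strings:
        $onion = /[a-z2-7]{16,56}\.onion/ ascii wide
    condition:
        $onion
}
"""


def is_allowlisted(path: str, allowlist=DEFAULT_ALLOWLIST) -> bool:
    return any(fnmatch.fnmatch(path, pattern) for pattern in allowlist)


def looks_like_text(sample: bytes) -> bool:
    """Notes are plain text; a NUL byte in the first 8 KiB marks a binary to skip."""
    return b"\x00" not in sample


def scan_tree(root: str, allowlist=DEFAULT_ALLOWLIST) -> dict:
    """Return {relative path: sorted list of .onion addresses} for flagged files."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_allowlisted(path, allowlist):
                continue
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:          # unreadable file on a remote mount: skip, do not abort
                continue
            if not looks_like_text(data[:8192]):
                continue
            found = sorted({m.decode() for m in ONION_RE.findall(data)})
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def build_sample_tree() -> str:
    """Constructed fixture: a fake note, an allow-listed filter list, a binary, a clean file."""
    root = tempfile.mkdtemp(prefix="onion_scan_")
    onion = "a" * 56 + ".onion"     # constructed v3-shaped address, not a real service
    docs = os.path.join(root, "home", "bill", "Documents")
    adblock = os.path.join(root, "home", "bill", ".config", "BraveSoftware",
                           "Brave-Browser", "adblock_lists")
    os.makedirs(docs)
    os.makedirs(adblock)
    with open(os.path.join(docs, "README_RECOVER.txt"), "wb") as fh:
        fh.write(b"Constructed test note: contact http://" + onion.encode() + b"/ \n")
    with open(os.path.join(adblock, "list.txt"), "wb") as fh:
        fh.write(b"||" + b"b" * 56 + b".onion^\n")       # ad-block filter line, benign
    with open(os.path.join(docs, "photo.bin"), "wb") as fh:
        fh.write(b"\x00\x01" + onion.encode())            # binary: skipped
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"Nothing suspicious here.\n")
    return root


if __name__ == "__main__":
    for path, addresses in scan_tree(build_sample_tree()).items():
        print(f"{path}: {', '.join(addresses)}")
```

On the fixture only home/bill/Documents/README_RECOVER.txt is reported; the Brave filter list is dropped by the allow-list and shows up again only if you pass an empty allow-list. For a real machine, point scan_tree at / locally or at an sshfs mount (sshfs user@host:/ /mnt/host, then scan_tree("/mnt/host")), which is Luca's approach; with the standalone engine, yara -r onion.yar /mnt/host with the rule above does the same search. When every remaining hit is a browser filter list or similar known source, that is the evidence worth having before deciding how to handle a recurring Veeam event, as it is a much narrower conclusion than excluding the whole VM from the scan.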
pankaj
Veeam Software
Posts: 42
Liked: 2 times
Joined: Jan 09, 2014 6:27 pm
Full Name: pankaj jaiswal
Contact:

Re: Malware detection, Ransomware Notice found

Post by pankaj »

Hi. Also, how can YARA rules be used to scan Linux VM backups?

Please share some steps with example..
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello Pankaj,

Currently Veeam B&R offers a way to perform a scan with YARA rules only for Windows machines, but we're working to expand this to Linux as well. Thank you!