Malware detection, Ransomware Notice found

[Dima P.]

Hello guys,

Thank you for your feedback! Discussing the possible solution with our RnD folks!

[perjonsson1960]

Folks,

A few days ago I activated the Inline Scan for all VMs and physical machines.
And during the latest backup I got a Malware Event about an "Onion Link" in one of the VMs.
However, there doesn't seem to be any way to get information about that link, like the link itself and where it was found within the VM.

In the History pane, in "Malware Detection", it says:
"Warning [2024-06-01 21:17:27] Malware detection metadata has been analyzed: Malware activity detected, marking the restore point as suspicious"

And in "Malware Events" it just says:
"Potential malware activity detected"

And in the Inventory pane it just says "Status: Suspicious" and "Type: Onion Link".

This doesn't really tell me much... Where can I get information about what the Malware Detection actually found?

Kind regards,
PJ

[nvdwansem]

Is there any update on this matter?

[dali@iae.nl]

Cannot see the former reactions of this post anymore but have a request.
Now there is only the possibility to exclude a whole workload if you know it is clean.
But, for example, we see a lot of .rose extension at a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot.

And so there are a lot of extensions of applications which are also used by malware.
But you do not want to see them everyday again and again.

The extension should still be detected but the feature should be to filter out extensions in the logs files for specific paths or at least not mark them with suspicious.

[perjonsson1960]

I have also looked in the folder "C:\ProgramData\Veeam\Backup\Malware_Detection_Logs", but there is nothing there about this Malware Event.

[Dima P.]

Is there any update on this matter?

The issue with onion links sitting in the browsing cache is being investigated.

But, for example, we see a lot of .rose extension at a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot.

Such event is not related to the onion links, but a guest file index analysis. We will check the .rose extension with the team and adjust the current metrics accordingly. Thank you for your report!

The extension should still be detected but the feature should be to filter out extensions in the logs files for specific paths or at least not mark them with suspicious.

You can exclude specific extensions from analysis or paths that should not be checked during guest file index analysis. Thank you!

[perjonsson1960]

Same thing happened during the night with another VM. An Onion LInk event without any info about the link itself, or where it was found, and also no logfile.

[Mildur]

@perjonsson1960

Hi PJ

I moved your question to the existing discussion.
Please check the latest answers.
You can use a scan with Yara to find such files: post520282.html#p520282

There is also a known issue which being investigated. Onion links in your browser cache.

Best,
Fabian

[perjonsson1960]

I am not licensed to use YARA Scans. We have a legacy Enterprise Plus license which does not include that feature.

[coolsport00]

@perjonsson1960 - yeah..same. Can't do it natively within Veeam, but can do it manually within the system if you'd like

[perjonsson1960]

So for this particular detection engine, currently the only way to find out the path of the impacted file is with an antivirus scan (the feature is available in all editions), with the FINDSTR utility, or with the YARA utility. Only automated YARA scans require the suite.

Are you saying that a manual YARA scan using "Scan backup" should work in Enterprise Plus edition? Well, it doesn't. "Not available in your Veeam Data Platform edition".

PJ

[sherzig]

Hi @perjonsson1960 ,

you could use the “Disk Publishing” functionality. Simply present the backup on a system on which you have installed YARA. Have a look here: https://helpcenter.veeam.com/docs/backu ... n_api.html.

Cheers,
Steve

[Dima P.]

Hello PJ,

Are you saying that a manual YARA scan using "Scan backup" should work in Enterprise Plus edition? Well, it doesn't. "Not available in your Veeam Data Platform edition".

No, YARA is available for all Veeam Data Platform - Advanced and above. For old license types it is available for Veeam Availability Suite license of ENT+ (you license must have type suite which basically) means Veeam B&R and Veeam One.

For the approach described above license is not required as it's going to be standalone YARA tool run.

[mcz]

Such event is not related to the onion links, but a guest file index analysis. We will check the .rose extension with the team and adjust the current metrics accordingly. Thank you for your report!

Dima, will there be a patch released soon or will the improvement be shipped in the next product update?

[Dima P.]

Hello Michael,

The list of the known suspicions extensions is updated online, no need to wait for the patch. Our security team has confirmed that we can remove it, so we plan roll our updated list of suspicions extensions as soon as possible.

[thebdur]

I am also getting this message: Potential malware activity detected, type: Onion Link. I did the YARA scan and all it showed me was the pagefile.sys. This definitely looks like a false positive. How can I ignore these for now?

[mcz]

I have already added the .onion to the exclusion list, but nothing has happened so far, after every backup it triggers the malware detection and there are no logs in the mentioned path in the %programdata%...

[Dima P.]

I am also getting this message: Potential malware activity detected, type: Onion Link. I did the YARA scan and all it showed me was the pagefile.sys. This definitely looks like a false positive. How can I ignore these for now?

Can you please raise a support case and share the case ID with us! Thank you!

I have already added the .onion to the exclusion list, but nothing has happened so far, after every backup it triggers the malware detection and there are no logs in the mentioned path in the %programdata%...

Hello Michael, exclude / include masks are part of guest file indexing analysis while onion links are part of inline scan engine (block level), thus exclusions will work only if you have onion link detected by guest index analysis. Can you please scan the affected machine with the mentioned YARA rule and share the output with us? Will will help us to investigate it as false-positive and make all the needed fine tuning. Thank you!

[Dima P.]

we see a lot of .rose extension at a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot

.rose extension is now excluded from SuspiciousFiles.xml glossary. Updates are being propagated to web portal and should be automatically delivered to your Veeam B&R installations within 24 hour timeframe.

For offline installations please follow this guide: How to Manually Update Suspicious File List.

By the way, I'd recommend to update the SuspiciousFiles.xml even if you are not affected by the mentioned .rose extension false-positive as we constantly adjust the glossary with most recent malicious extensions discovered by our security team. Thank you!

[thebdur]

Can you please raise a support case and share the case ID with us! Thank you!

Case #07293960

[Dima P.]

I did the YARA scan and all it showed me was the pagefile.sys

We've identified the problem and RnD team is working on a fix. Thank you for all the reports raised related to this issue!

[mcz]

Same on my side, found a match in the pagefile.sys. Waiting for the fix then.

[stewsie]

Interesting that pagefile.sys is now being mentioned. I had mentioned this during a support call some months ago and there was no concern. Seemed very strange at the time

Also for some reason I am now unable to run YARA scans, they all just fail with various errors.

I have opened 02485007

[stewsie]

02485007 is the call I had open in February and I mentioned pagefile.sys in that case

[Joris360]

I'd like to at to this post. We also recently upgraded to V12.1 for a few environments, mostly to fix the numerous false positives/issues that came with malware scanning of V12.
Since V12.1, a lot of those "Onion link" events are reported for multiple VMs.

I've tried scanning for those files the following ways:
* Antivirus scanning from withing Veeam (Scan backup) = nothing found
* Yara rule scanning from within Veeam (scan backup) = only pagefile.sys detected
* Installing the Yara engine locally on the backup server, publish the disk to this server an perform manually Yara scanning = nothing found, lot of files not accessible
* command-line (findstr) scanning on the VM itself = lot of false positives/access denieds.

I've used the command/yara rules out of this thread but also from other sources. Non is giving an actual file with onion link as result.
The only results we get are either "pagefile.sys" or files which can't be checked (access denied).

This is causing a lot of unnecessary extra work for our helpdesk.
I've started a Veeam support case, ID #07297542

[mcz]

Dima, what I really don't understand is that it's hitting the pagefile.sys allthough we excluded it from the backup. How can that be the case?

[coolsport00]

After doing an AV scan where does Veeam place those scan logs? Have a potential issue going on after installing the 12.1.2 update.

[coolsport00]

Found it!
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

[Dima P.]

Hello folks,

The only results we get are either "pagefile.sys" or files which can't be checked (access denied). This is causing a lot of unnecessary extra work for our helpdesk. I've started a Veeam support case, ID #07297542

Sorry to hear that, we've identified this problem and working on a fix. Please stay tuned for the fix via our support channel.

Dima, what I really don't understand is that it's hitting the pagefile.sys allthough we excluded it from the backup. How can that be the case?

Pagefile is excluded correctly however if it's parts are physically allocated within the block where normal file resides (the file that must be included in the backup) we will store entire block including the file and such small portion of the pagefile in the backup. Based on our investigation such file parts are causing the mentioned false positive reports during inline scan.

After doing an AV scan where does Veeam place those scan logs? Have a potential issue going on after installing the 12.1.2 update... Found it!

Correct, you can go back to this session information via History node of Veeam B&R anytime you need.

[coolsport00]

Thanks Dima. I finally got to updating my environment to 12.1.2 and all of a sudden upon 1st run of a handful of B/U jobs I've gotten malware hits for 6 VMs! Now, history has told me they're false pos's cuz...up to this point, they have been. You may be interested to know the 1st VM I did an A/V scan on actually did seemingly have a 'trojan' file on it (Trojan:Win32/Leonem). It was on Win 2012 R2 so no native Defender on it. Thankfully Microsoft has a free nifty scan tool, MS Safety Scanner (https://learn.microsoft.com/en-us/defen ... r-download), which detected & removed the file. With all the false pos statements shared here, I thought it would be good to state the Malware Engine does have benefit (I've always said that).

I'm running scans on all my other VMs now. I hope the rest are false pos though!