Comprehensive data protection for all workloads
Dima P.
Product Manager
Posts: 14538
Liked: 1610 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello guys,

Thank you for your feedback! Discussing the possible solution with our RnD folks!
perjonsson1960
Veteran
Posts: 496
Liked: 53 times
Joined: Jun 06, 2018 5:41 am
Full Name: Per Jonsson
Location: Sweden
Contact:

[MERGED] Malware Detection - Inline Scan

Post by perjonsson1960 »

Folks,

A few days ago I activated the Inline Scan for all VMs and physical machines.
And during the latest backup I got a Malware Event about an "Onion Link" in one of the VMs.
However, there doesn't seem to be any way to get information about that link, like the link itself and where it was found within the VM.

In the History pane, in "Malware Detection", it says:
"Warning [2024-06-01 21:17:27] Malware detection metadata has been analyzed: Malware activity detected, marking the restore point as suspicious"

And in "Malware Events" it just says:
"Potential malware activity detected"

And in the Inventory pane it just says "Status: Suspicious" and "Type: Onion Link".

This doesn't really tell me much... Where can I get information about what the Malware Detection actually found?

Kind regards,
PJ
nvdwansem
Enthusiast
Posts: 45
Liked: 8 times
Joined: Oct 22, 2018 8:33 am
Contact:

Re: Malware detection, Ransomware Notice found

Post by nvdwansem »

Is there any update on this matter?
dali@iae.nl
Enthusiast
Posts: 78
Liked: 16 times
Joined: Jan 17, 2022 10:31 am
Full Name: Da Li
Contact:

Re: Malware detection, Ransomware Notice found

Post by dali@iae.nl »

Cannot see the former reactions of this post anymore but have a request.
Now there is only the possibility to exclude a whole workload if you know it is clean.
But, for example, we see a lot of .rose extension at a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot.

And so there are a lot of extensions of applications which are also used by malware.
But you do not want to see them everyday again and again.

The extension should still be detected but the feature should be to filter out extensions in the logs files for specific paths or at least not mark them with suspicious.
perjonsson1960
Veteran
Posts: 496
Liked: 53 times
Joined: Jun 06, 2018 5:41 am
Full Name: Per Jonsson
Location: Sweden
Contact:

Re: Malware Detection - Inline Scan

Post by perjonsson1960 »

I have also looked in the folder "C:\ProgramData\Veeam\Backup\Malware_Detection_Logs", but there is nothing there about this Malware Event.
Dima P.
Product Manager
Posts: 14538
Liked: 1610 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Is there any update on this matter?
The issue with onion links sitting in the browsing cache is being investigated.
But, for example, we see a lot of .rose extension at a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot.
Such event is not related to the onion links, but a guest file index analysis. We will check the .rose extension with the team and adjust the current metrics accordingly. Thank you for your report!
The extension should still be detected but the feature should be to filter out extensions in the logs files for specific paths or at least not mark them with suspicious.
You can exclude specific extensions from analysis or paths that should not be checked during guest file index analysis. Thank you!
perjonsson1960
Veteran
Posts: 496
Liked: 53 times
Joined: Jun 06, 2018 5:41 am
Full Name: Per Jonsson
Location: Sweden
Contact:

Re: Malware Detection - Inline Scan

Post by perjonsson1960 »

Same thing happened during the night with another VM. An Onion LInk event without any info about the link itself, or where it was found, and also no logfile.
Mildur
Product Manager
Posts: 9009
Liked: 2380 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Malware detection, Ransomware Notice found

Post by Mildur »

@perjonsson1960

Hi PJ

I moved your question to the existing discussion.
Please check the latest answers.
You can use a scan with Yara to find such files: post520282.html#p520282

There is also a known issue which being investigated. Onion links in your browser cache.

Best,
Fabian
Product Management Analyst @ Veeam Software
perjonsson1960
Veteran
Posts: 496
Liked: 53 times
Joined: Jun 06, 2018 5:41 am
Full Name: Per Jonsson
Location: Sweden
Contact:

Re: Malware detection, Ransomware Notice found

Post by perjonsson1960 »

I am not licensed to use YARA Scans. We have a legacy Enterprise Plus license which does not include that feature.
coolsport00
Veeam Legend
Posts: 101
Liked: 21 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

@perjonsson1960 - yeah..same. Can't do it natively within Veeam, but can do it manually within the system if you'd like
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
perjonsson1960
Veteran
Posts: 496
Liked: 53 times
Joined: Jun 06, 2018 5:41 am
Full Name: Per Jonsson
Location: Sweden
Contact:

Re: Malware detection, Ransomware Notice found

Post by perjonsson1960 »

Dima P. wrote: Feb 05, 2024 3:36 pm So for this particular detection engine, currently the only way to find out the path of the impacted file is with an antivirus scan (the feature is available in all editions), with the FINDSTR utility, or with the YARA utility. Only automated YARA scans require the suite.
Are you saying that a manual YARA scan using "Scan backup" should work in Enterprise Plus edition? Well, it doesn't. "Not available in your Veeam Data Platform edition".

PJ
sherzig
Veeam Software
Posts: 210
Liked: 47 times
Joined: Dec 05, 2018 2:44 pm
Contact:

Re: Malware detection, Ransomware Notice found

Post by sherzig »

Hi @perjonsson1960 ,

you could use the “Disk Publishing” functionality. Simply present the backup on a system on which you have installed YARA. Have a look here: https://helpcenter.veeam.com/docs/backu ... n_api.html.

Cheers,
Steve
Dima P.
Product Manager
Posts: 14538
Liked: 1610 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello PJ,
Are you saying that a manual YARA scan using "Scan backup" should work in Enterprise Plus edition? Well, it doesn't. "Not available in your Veeam Data Platform edition".
No, YARA is available for all Veeam Data Platform - Advanced and above. For old license types it is available for Veeam Availability Suite license of ENT+ (you license must have type suite which basically) means Veeam B&R and Veeam One.

For the approach described above license is not required as it's going to be standalone YARA tool run.
mcz
Veeam Legend
Posts: 882
Liked: 191 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz »

Dima P. wrote: Jun 03, 2024 9:35 am Such event is not related to the onion links, but a guest file index analysis. We will check the .rose extension with the team and adjust the current metrics accordingly. Thank you for your report!
Dima, will there be a patch released soon or will the improvement be shipped in the next product update?
Dima P.
Product Manager
Posts: 14538
Liked: 1610 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

Hello Michael,

The list of the known suspicions extensions is updated online, no need to wait for the patch. Our security team has confirmed that we can remove it, so we plan roll our updated list of suspicions extensions as soon as possible.
thebdur
Novice
Posts: 3
Liked: 2 times
Joined: Apr 26, 2023 5:32 pm
Contact:

Re: Malware detection, Ransomware Notice found

Post by thebdur » 1 person likes this post

I am also getting this message: Potential malware activity detected, type: Onion Link. I did the YARA scan and all it showed me was the pagefile.sys. This definitely looks like a false positive. How can I ignore these for now?
mcz
Veeam Legend
Posts: 882
Liked: 191 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz »

I have already added the .onion to the exclusion list, but nothing has happened so far, after every backup it triggers the malware detection and there are no logs in the mentioned path in the %programdata%...
Dima P.
Product Manager
Posts: 14538
Liked: 1610 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

thebdur wrote: Jun 06, 2024 8:47 pm I am also getting this message: Potential malware activity detected, type: Onion Link. I did the YARA scan and all it showed me was the pagefile.sys. This definitely looks like a false positive. How can I ignore these for now?
Can you please raise a support case and share the case ID with us! Thank you!
I have already added the .onion to the exclusion list, but nothing has happened so far, after every backup it triggers the malware detection and there are no logs in the mentioned path in the %programdata%...
Hello Michael, exclude / include masks are part of guest file indexing analysis while onion links are part of inline scan engine (block level), thus exclusions will work only if you have onion link detected by guest index analysis. Can you please scan the affected machine with the mentioned YARA rule and share the output with us? Will will help us to investigate it as false-positive and make all the needed fine tuning. Thank you!
Dima P.
Product Manager
Posts: 14538
Liked: 1610 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. »

we see a lot of .rose extension at a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot
.rose extension is now excluded from SuspiciousFiles.xml glossary. Updates are being propagated to web portal and should be automatically delivered to your Veeam B&R installations within 24 hour timeframe.

For offline installations please follow this guide: How to Manually Update Suspicious File List.

By the way, I'd recommend to update the SuspiciousFiles.xml even if you are not affected by the mentioned .rose extension false-positive as we constantly adjust the glossary with most recent malicious extensions discovered by our security team. Thank you!
thebdur
Novice
Posts: 3
Liked: 2 times
Joined: Apr 26, 2023 5:32 pm
Contact:

Re: Malware detection, Ransomware Notice found

Post by thebdur » 1 person likes this post

Dima P. wrote: Jun 07, 2024 8:47 am Can you please raise a support case and share the case ID with us! Thank you!
Case #07293960
Dima P.
Product Manager
Posts: 14538
Liked: 1610 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

I did the YARA scan and all it showed me was the pagefile.sys
We've identified the problem and RnD team is working on a fix. Thank you for all the reports raised related to this issue!
mcz
Veeam Legend
Posts: 882
Liked: 191 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz » 1 person likes this post

Same on my side, found a match in the pagefile.sys. Waiting for the fix then.
stewsie
Veteran
Posts: 262
Liked: 22 times
Joined: May 22, 2015 7:16 am
Full Name: Paul
Contact:

Re: Malware detection, Ransomware Notice found

Post by stewsie »

Interesting that pagefile.sys is now being mentioned. I had mentioned this during a support call some months ago and there was no concern. Seemed very strange at the time

Also for some reason I am now unable to run YARA scans, they all just fail with various errors.

I have opened 02485007
stewsie
Veteran
Posts: 262
Liked: 22 times
Joined: May 22, 2015 7:16 am
Full Name: Paul
Contact:

Re: Malware detection, Ransomware Notice found

Post by stewsie »

02485007 is the call I had open in February and I mentioned pagefile.sys in that case
Joris360
Novice
Posts: 5
Liked: 4 times
Joined: Feb 19, 2024 8:36 am
Contact:

Re: Malware detection, Ransomware Notice found

Post by Joris360 » 1 person likes this post

I'd like to at to this post. We also recently upgraded to V12.1 for a few environments, mostly to fix the numerous false positives/issues that came with malware scanning of V12.
Since V12.1, a lot of those "Onion link" events are reported for multiple VMs.

I've tried scanning for those files the following ways:
* Antivirus scanning from withing Veeam (Scan backup) = nothing found
* Yara rule scanning from within Veeam (scan backup) = only pagefile.sys detected
* Installing the Yara engine locally on the backup server, publish the disk to this server an perform manually Yara scanning = nothing found, lot of files not accessible
* command-line (findstr) scanning on the VM itself = lot of false positives/access denieds.

I've used the command/yara rules out of this thread but also from other sources. Non is giving an actual file with onion link as result.
The only results we get are either "pagefile.sys" or files which can't be checked (access denied).

This is causing a lot of unnecessary extra work for our helpdesk.
I've started a Veeam support case, ID #07297542
mcz
Veeam Legend
Posts: 882
Liked: 191 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: Malware detection, Ransomware Notice found

Post by mcz » 1 person likes this post

Dima, what I really don't understand is that it's hitting the pagefile.sys allthough we excluded it from the backup. How can that be the case?
coolsport00
Veeam Legend
Posts: 101
Liked: 21 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

After doing an AV scan where does Veeam place those scan logs? Have a potential issue going on after installing the 12.1.2 update.
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
coolsport00
Veeam Legend
Posts: 101
Liked: 21 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 »

Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
Dima P.
Product Manager
Posts: 14538
Liked: 1610 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Malware detection, Ransomware Notice found

Post by Dima P. » 1 person likes this post

Hello folks,
The only results we get are either "pagefile.sys" or files which can't be checked (access denied). This is causing a lot of unnecessary extra work for our helpdesk. I've started a Veeam support case, ID #07297542
Sorry to hear that, we've identified this problem and working on a fix. Please stay tuned for the fix via our support channel.
Dima, what I really don't understand is that it's hitting the pagefile.sys allthough we excluded it from the backup. How can that be the case?
Pagefile is excluded correctly however if it's parts are physically allocated within the block where normal file resides (the file that must be included in the backup) we will store entire block including the file and such small portion of the pagefile in the backup. Based on our investigation such file parts are causing the mentioned false positive reports during inline scan.
After doing an AV scan where does Veeam place those scan logs? Have a potential issue going on after installing the 12.1.2 update... Found it!
Correct, you can go back to this session information via History node of Veeam B&R anytime you need.
coolsport00
Veeam Legend
Posts: 101
Liked: 21 times
Joined: Sep 11, 2012 12:00 pm
Full Name: Shane Williford
Location: Missouri, USA
Contact:

Re: Malware detection, Ransomware Notice found

Post by coolsport00 » 3 people like this post

Thanks Dima. I finally got to updating my environment to 12.1.2 and all of a sudden upon 1st run of a handful of B/U jobs I've gotten malware hits for 6 VMs! Now, history has told me they're false pos's cuz...up to this point, they have been. You may be interested to know the 1st VM I did an A/V scan on actually did seemingly have a 'trojan' file on it (Trojan:Win32/Leonem). It was on Win 2012 R2 so no native Defender on it. Thankfully Microsoft has a free nifty scan tool, MS Safety Scanner (https://learn.microsoft.com/en-us/defen ... r-download), which detected & removed the file. With all the false pos statements shared here, I thought it would be good to state the Malware Engine does have benefit (I've always said that). ;)

I'm running scans on all my other VMs now. I hope the rest are false pos though! :)
Shane Williford
Systems Architect

Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
Post Reply

Who is online

Users browsing this forum: Google [Bot] and 86 guests