-
- Product Manager
- Posts: 14684
- Liked: 1693 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello guys,
Thank you for your feedback! Discussing the possible solution with our RnD folks!
-
- Veteran
- Posts: 527
- Liked: 58 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
[MERGED] Malware Detection - Inline Scan
Folks,
A few days ago I activated the Inline Scan for all VMs and physical machines.
And during the latest backup I got a Malware Event about an "Onion Link" in one of the VMs.
However, there doesn't seem to be any way to get information about that link, like the link itself and where it was found within the VM.
In the History pane, in "Malware Detection", it says:
"Warning [2024-06-01 21:17:27] Malware detection metadata has been analyzed: Malware activity detected, marking the restore point as suspicious"
And in "Malware Events" it just says:
"Potential malware activity detected"
And in the Inventory pane it just says "Status: Suspicious" and "Type: Onion Link".
This doesn't really tell me much... Where can I get information about what the Malware Detection actually found?
Kind regards,
PJ
-
- Enthusiast
- Posts: 47
- Liked: 10 times
- Joined: Oct 22, 2018 8:33 am
- Contact:
Re: Malware detection, Ransomware Notice found
Is there any update on this matter?
-
- Enthusiast
- Posts: 82
- Liked: 20 times
- Joined: Jan 17, 2022 10:31 am
- Full Name: Da Li
- Contact:
Re: Malware detection, Ransomware Notice found
Cannot see the former reactions to this post anymore, but I have a request.
Now there is only the possibility to exclude a whole workload if you know it is clean.
But, for example, we see a lot of .rose extensions on a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot.
And so there are a lot of extensions of applications which are also used by malware.
But you do not want to see them every day again and again.
The extension should still be detected, but the feature should be to filter out extensions in the log files for specific paths, or at least not mark them as suspicious.
-
- Veteran
- Posts: 527
- Liked: 58 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Malware Detection - Inline Scan
I have also looked in the folder "C:\ProgramData\Veeam\Backup\Malware_Detection_Logs", but there is nothing there about this Malware Event.
-
- Product Manager
- Posts: 14684
- Liked: 1693 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
> Is there any update on this matter?

The issue with onion links sitting in the browsing cache is being investigated.

> But, for example, we see a lot of .rose extension at a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot.

Such an event is not related to the onion links but to guest file index analysis. We will check the .rose extension with the team and adjust the current metrics accordingly. Thank you for your report!

> The extension should still be detected but the feature should be to filter out extensions in the logs files for specific paths or at least not mark them with suspicious.

You can exclude specific extensions from analysis, or paths that should not be checked during guest file index analysis. Thank you!
-
- Veteran
- Posts: 527
- Liked: 58 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Malware Detection - Inline Scan
Same thing happened during the night with another VM. An Onion Link event without any info about the link itself, or where it was found, and also no logfile.
-
- Product Manager
- Posts: 9777
- Liked: 2582 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Malware detection, Ransomware Notice found
@perjonsson1960
Hi PJ
I moved your question to the existing discussion.
Please check the latest answers.
You can use a scan with Yara to find such files: post520282.html#p520282
There is also a known issue which is being investigated: onion links in your browser cache.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Veteran
- Posts: 527
- Liked: 58 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Malware detection, Ransomware Notice found
I am not licensed to use YARA Scans. We have a legacy Enterprise Plus license which does not include that feature.
-
- Veeam Legend
- Posts: 116
- Liked: 29 times
- Joined: Sep 11, 2012 12:00 pm
- Full Name: Shane Williford
- Location: Missouri, USA
- Contact:
Re: Malware detection, Ransomware Notice found
@perjonsson1960 - yeah, same. Can't do it natively within Veeam, but you can do it manually within the system if you'd like.
Shane Williford
Systems Architect
Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
-
- Veteran
- Posts: 527
- Liked: 58 times
- Joined: Jun 06, 2018 5:41 am
- Full Name: Per Jonsson
- Location: Sweden
- Contact:
Re: Malware detection, Ransomware Notice found
Dima P. wrote: ↑Feb 05, 2024 3:36 pm
> So for this particular detection engine, currently the only way to find out the path of the impacted file is with an antivirus scan (the feature is available in all editions), with the FINDSTR utility, or with the YARA utility. Only automated YARA scans require the suite.

Are you saying that a manual YARA scan using "Scan backup" should work in Enterprise Plus edition? Well, it doesn't. "Not available in your Veeam Data Platform edition".
PJ
-
- Veeam Software
- Posts: 210
- Liked: 47 times
- Joined: Dec 05, 2018 2:44 pm
- Contact:
Re: Malware detection, Ransomware Notice found
Hi @perjonsson1960 ,
you could use the “Disk Publishing” functionality. Simply present the backup on a system on which you have installed YARA. Have a look here: https://helpcenter.veeam.com/docs/backu ... n_api.html.
Cheers,
Steve
-
- Product Manager
- Posts: 14684
- Liked: 1693 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello PJ,

> Are you saying that a manual YARA scan using "Scan backup" should work in Enterprise Plus edition? Well, it doesn't. "Not available in your Veeam Data Platform edition".

No, YARA is available for all Veeam Data Platform editions Advanced and above. For old license types it is available for the Veeam Availability Suite license of ENT+ (your license must have the type "suite", which basically means Veeam B&R and Veeam ONE).

For the approach described above a license is not required, as it's going to be a standalone YARA tool run.
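The standalone route the two replies above describe (present the backup with Disk Publishing, then scan it yourself) is what the following script does, as an added example that is not Veeam's code and not from anyone in this thread. It assumes the published disk is already mounted at a path you pass on the command line; the v2/v3 .onion pattern, the exclusion list and the sample files it creates when run without arguments are all my own constructions. The point is that it reports what the malware event does not: the file, the byte offset and the exact hostname, while keeping "nothing found", "excluded" and "could not read" apart, since the access-denied cases mentioned later in this thread are otherwise easy to mistake for a clean result.

```python
#!/usr/bin/env python3
"""Scan a published (mounted) backup disk for Tor .onion hostnames.

Reports file path, byte offset and the exact hostname for every hit.
Swap/hibernation files are skipped and unreadable files are listed
separately, so "nothing found" and "could not check" stay distinct.
"""
import os
import re
import sys
import tempfile
from dataclasses import dataclass, field

# v2 onion names are 16 base32 characters, v3 names are 56; both end in
# ".onion". The look-around keeps us from matching inside a longer base32 run.
# The same two patterns translate directly into a YARA rule if you prefer yara.
ONION_RE = re.compile(
    rb"(?<![a-z2-7])(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?![a-z0-9.-])",
    re.IGNORECASE,
)

# Memory-backed files hold arbitrary process memory (browser tabs included)
# and are the usual source of pagefile.sys hits; skip them by default.
DEFAULT_EXCLUDES = frozenset({"pagefile.sys", "hiberfil.sys", "swapfile.sys"})


@dataclass
class Finding:
    path: str
    offset: int
    link: str


@dataclass
class ScanReport:
    findings: list = field(default_factory=list)
    unreadable: list = field(default_factory=list)  # (path, error text)
    skipped: list = field(default_factory=list)


def find_onion_links(data, base_offset=0):
    """Return (absolute_offset, hostname) for every .onion name in data."""
    return [(base_offset + m.start(), m.group(0).decode("ascii").lower())
            for m in ONION_RE.finditer(data)]


def scan_file(path, chunk_size=1 << 20, overlap=80):
    """Scan one file in chunks. Each chunk is prefixed with the tail of the
    previous one so a name split across the boundary is still found; hits are
    keyed by absolute offset so the overlap cannot report one name twice."""
    found = {}
    with open(path, "rb") as fh:
        tail, pos = b"", 0
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            for off, link in find_onion_links(buf, pos - len(tail)):
                found.setdefault(off, link)
            pos += len(chunk)
            tail = buf[-overlap:]
    return [Finding(path, off, link) for off, link in sorted(found.items())]


def scan_tree(root, excluded_names=DEFAULT_EXCLUDES):
    """Walk a mounted disk; record hits, excluded files and unreadable files."""
    report = ScanReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in excluded_names:
                report.skipped.append(path)
                continue
            try:
                report.findings.extend(scan_file(path))
            except OSError as exc:  # access denied, locked, reparse point, ...
                report.unreadable.append((path, str(exc)))
    return report


def build_sample_tree():
    """Constructed sample data (not real backup content) so this runs offline."""
    root = tempfile.mkdtemp(prefix="onion-scan-")
    cache = os.path.join(root, "Users", "pj", "AppData", "cache")
    os.makedirs(cache)
    v3 = ("a" * 56 + ".onion").encode()
    with open(os.path.join(cache, "f_000123"), "wb") as fh:      # browser cache entry
        fh.write(b"GET http://" + v3 + b"/index.html HTTP/1.1\r\n")
    with open(os.path.join(root, "Users", "pj", "notes.txt"), "wb") as fh:
        fh.write(b"onion soup recipe, nothing suspicious here\n")
    with open(os.path.join(root, "pagefile.sys"), "wb") as fh:   # skipped by default
        fh.write(b"\x00" * 128 + b"http://" + b"b" * 16 + b".onion/" + b"\x00" * 128)
    return root


def main(argv):
    root = argv[1] if len(argv) > 1 else build_sample_tree()
    report = scan_tree(root)
    for f in report.findings:
        print(f"HIT  {f.path} @ offset {f.offset}: {f.link}")
    for path, err in report.unreadable:
        print(f"UNREADABLE {path}: {err}")
    print(f"{len(report.findings)} hit(s), {len(report.unreadable)} unreadable, "
          f"{len(report.skipped)} excluded")
    return 1 if report.findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 onion_scan.py <mount point of the published disk>`; with no argument it scans the constructed sample tree. Run it from an elevated prompt so fewer files end up in the UNREADABLE list, and treat that list as work left to do rather than as a clean result.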
-
- Veeam Legend
- Posts: 943
- Liked: 217 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: Malware detection, Ransomware Notice found
Dima, will there be a patch released soon or will the improvement be shipped in the next product update?
-
- Product Manager
- Posts: 14684
- Liked: 1693 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello Michael,
The list of the known suspicious extensions is updated online, no need to wait for the patch. Our security team has confirmed that we can remove it, so we plan to roll out our updated list of suspicious extensions as soon as possible.
-
- Novice
- Posts: 3
- Liked: 2 times
- Joined: Apr 26, 2023 5:32 pm
- Contact:
Re: Malware detection, Ransomware Notice found
I am also getting this message: Potential malware activity detected, type: Onion Link. I did the YARA scan and all it showed me was the pagefile.sys. This definitely looks like a false positive. How can I ignore these for now?
-
- Veeam Legend
- Posts: 943
- Liked: 217 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: Malware detection, Ransomware Notice found
I have already added the .onion to the exclusion list, but nothing has happened so far, after every backup it triggers the malware detection and there are no logs in the mentioned path in the %programdata%...
-
- Product Manager
- Posts: 14684
- Liked: 1693 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Can you please raise a support case and share the case ID with us! Thank you!

> I have already added the .onion to the exclusion list, but nothing has happened so far, after every backup it triggers the malware detection and there are no logs in the mentioned path in the %programdata%...

Hello Michael, exclude / include masks are part of guest file indexing analysis, while onion links are part of the inline scan engine (block level), thus exclusions will work only if you have an onion link detected by guest index analysis. Can you please scan the affected machine with the mentioned YARA rule and share the output with us? This will help us to investigate it as a false positive and make all the needed fine tuning. Thank you!
-
- Product Manager
- Posts: 14684
- Liked: 1693 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
> we see a lot of .rose extension at a lot of servers. In our case that is because it is an extension which Siemens Teamcenter/NX uses a lot

.rose extension is now excluded from the SuspiciousFiles.xml glossary. Updates are being propagated to the web portal and should be automatically delivered to your Veeam B&R installations within a 24 hour timeframe.
For offline installations please follow this guide: How to Manually Update Suspicious File List.
By the way, I'd recommend updating the SuspiciousFiles.xml even if you are not affected by the mentioned .rose extension false positive, as we constantly adjust the glossary with the most recent malicious extensions discovered by our security team. Thank you!
-
- Product Manager
- Posts: 14684
- Liked: 1693 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
> I did the YARA scan and all it showed me was the pagefile.sys

We've identified the problem and the RnD team is working on a fix. Thank you for all the reports raised related to this issue!
-
- Veeam Legend
- Posts: 943
- Liked: 217 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: Malware detection, Ransomware Notice found
Same on my side, found a match in the pagefile.sys. Waiting for the fix then.
-
- Veteran
- Posts: 281
- Liked: 24 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Malware detection, Ransomware Notice found
Interesting that pagefile.sys is now being mentioned. I had mentioned this during a support call some months ago and there was no concern. Seemed very strange at the time
Also for some reason I am now unable to run YARA scans, they all just fail with various errors.
I have opened 02485007
-
- Veteran
- Posts: 281
- Liked: 24 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Contact:
Re: Malware detection, Ransomware Notice found
02485007 is the call I had open in February and I mentioned pagefile.sys in that case
-
- Novice
- Posts: 5
- Liked: 4 times
- Joined: Feb 19, 2024 8:36 am
- Contact:
Re: Malware detection, Ransomware Notice found
I'd like to add to this post. We also recently upgraded to V12.1 for a few environments, mostly to fix the numerous false positives/issues that came with malware scanning of V12.
Since V12.1, a lot of those "Onion link" events are reported for multiple VMs.
I've tried scanning for those files the following ways:
* Antivirus scanning from within Veeam (Scan backup) = nothing found
* Yara rule scanning from within Veeam (Scan backup) = only pagefile.sys detected
* Installing the Yara engine locally on the backup server, publishing the disk to this server and performing manual Yara scanning = nothing found, lots of files not accessible
* command-line (findstr) scanning on the VM itself = lots of false positives/access denieds.
I've used the commands/yara rules out of this thread but also from other sources. None is giving an actual file with an onion link as a result.
The only results we get are either "pagefile.sys" or files which can't be checked (access denied).
This is causing a lot of unnecessary extra work for our helpdesk.
I've started a Veeam support case, ID #07297542
-
- Veeam Legend
- Posts: 943
- Liked: 217 times
- Joined: Jul 19, 2016 8:39 am
- Full Name: Michael
- Location: Rheintal, Austria
- Contact:
Re: Malware detection, Ransomware Notice found
Dima, what I really don't understand is that it's hitting the pagefile.sys although we excluded it from the backup. How can that be the case?
-
- Veeam Legend
- Posts: 116
- Liked: 29 times
- Joined: Sep 11, 2012 12:00 pm
- Full Name: Shane Williford
- Location: Missouri, USA
- Contact:
Re: Malware detection, Ransomware Notice found
After doing an AV scan where does Veeam place those scan logs? Have a potential issue going on after installing the 12.1.2 update.
Shane Williford
Systems Architect
Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
-
- Veeam Legend
- Posts: 116
- Liked: 29 times
- Joined: Sep 11, 2012 12:00 pm
- Full Name: Shane Williford
- Location: Missouri, USA
- Contact:
Re: Malware detection, Ransomware Notice found
Shane Williford
Systems Architect
Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00
-
- Product Manager
- Posts: 14684
- Liked: 1693 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Malware detection, Ransomware Notice found
Hello folks,

> The only results we get are either "pagefile.sys" or files which can't be checked (access denied). This is causing a lot of unnecessary extra work for our helpdesk. I've started a Veeam support case, ID #07297542

Sorry to hear that, we've identified this problem and are working on a fix. Please stay tuned for the fix via our support channel.

> Dima, what I really don't understand is that it's hitting the pagefile.sys although we excluded it from the backup. How can that be the case?

Pagefile is excluded correctly, however if parts of it are physically allocated within the block where a normal file resides (a file that must be included in the backup) we will store the entire block, including the file and such a small portion of the pagefile, in the backup. Based on our investigation such file parts are causing the mentioned false positive reports during inline scan.

> After doing an AV scan where does Veeam place those scan logs? Have a potential issue going on after installing the 12.1.2 update... Found it!

Correct, you can go back to this session information via the History node of Veeam B&R anytime you need.
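The block-level explanation in the reply above is easy to misread, so here is a small simulation of it as an added example; it is my own illustration of the mechanism, not Veeam's code and not a description of how the inline scan is implemented. Everything in it is constructed: the 4 KiB block size, a 16 KiB disk with three file extents, and a v3-style .onion name written into the pagefile region. A block is kept whenever a non-excluded file uses any part of it, so a block shared by report.docx and pagefile.sys lands in the backup whole and the scan attributes the hit to pagefile.sys, while a block holding only pagefile data is never backed up. The `mask_excluded` flag shows one way a block-level scanner could suppress such residue: zero the byte ranges that belong to excluded files before matching.

```python
#!/usr/bin/env python3
"""Why an excluded pagefile.sys can still trigger a block-level hit.

Simulated disk: fixed-size blocks plus a file extent map. The backup keeps
every block any included file touches, so a block shared between
report.docx and pagefile.sys is stored whole, pagefile bytes included.
"""
import re
from dataclasses import dataclass

BLOCK = 4096  # simulated block size; an assumption, not Veeam's real value

# Same v2/v3 .onion pattern a standalone scan would use.
ONION_RE = re.compile(rb"(?<![a-z2-7])(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?![a-z0-9.-])")


@dataclass(frozen=True)
class Extent:
    """One contiguous file allocation: [start, start + length) on the disk."""
    name: str
    start: int
    length: int

    @property
    def end(self):
        return self.start + self.length

    def blocks(self):
        return range(self.start // BLOCK, (self.end - 1) // BLOCK + 1)


def owner_of(offset, extents):
    """Map a disk offset back to the file allocated there."""
    for e in extents:
        if e.start <= offset < e.end:
            return e.name
    return "<unallocated>"


def blocks_to_keep(extents, excluded):
    """Block-level inclusion: a block is kept if any non-excluded file uses it."""
    keep = set()
    for e in extents:
        if e.name.lower() not in excluded:
            keep.update(e.blocks())
    return keep


def scan_backup(disk, extents, excluded, mask_excluded=False):
    """Scan the kept blocks for .onion names. With mask_excluded=True the byte
    ranges belonging to excluded files are zeroed first, so residue of an
    excluded file inside a shared block is not reported."""
    hits = []
    for b in sorted(blocks_to_keep(extents, excluded)):
        lo_b, hi_b = b * BLOCK, (b + 1) * BLOCK
        data = bytearray(disk[lo_b:hi_b])
        if mask_excluded:
            for e in extents:
                if e.name.lower() in excluded:
                    lo, hi = max(e.start, lo_b) - lo_b, min(e.end, hi_b) - lo_b
                    if lo < hi:
                        data[lo:hi] = bytes(hi - lo)
        for m in ONION_RE.finditer(bytes(data)):
            off = lo_b + m.start()
            hits.append((b, off, owner_of(off, extents), m.group(0).decode("ascii")))
    return hits


def build_sample_disk():
    """Constructed 16 KiB disk: report.docx and pagefile.sys share block 1,
    block 2 is pagefile only, readme.txt and the pagefile tail share block 3."""
    extents = [
        Extent("report.docx", 0, 5000),
        Extent("pagefile.sys", 5000, 9000),
        Extent("readme.txt", 14000, 2000),
    ]
    disk = bytearray(4 * BLOCK)
    disk[0:5000] = b"#" * 5000
    disk[14000:16000] = b"#" * 2000
    name = b"d" * 56 + b".onion"             # a v3-style hostname in paged-out memory
    disk[6000:6000 + len(name)] = name       # inside shared block 1
    disk[9000:9000 + len(name)] = name       # inside pagefile-only block 2
    return bytes(disk), extents


if __name__ == "__main__":
    disk, extents = build_sample_disk()
    excluded = {"pagefile.sys"}
    print("blocks kept:", sorted(blocks_to_keep(extents, excluded)))
    for blk, off, owner, link in scan_backup(disk, extents, excluded):
        print(f"block {blk} offset {off} owner {owner}: {link}")
    print("hits after masking excluded ranges:", scan_backup(disk, extents, excluded, True))
```

The practical consequence for triage is the one the thread arrives at: a YARA hit whose owner resolves to pagefile.sys or hiberfil.sys is memory residue, not a file on the guest, and the extent map (or on a mounted disk, the file the offset belongs to) is what tells you that.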
-
- Veeam Legend
- Posts: 116
- Liked: 29 times
- Joined: Sep 11, 2012 12:00 pm
- Full Name: Shane Williford
- Location: Missouri, USA
- Contact:
Re: Malware detection, Ransomware Notice found
Thanks Dima. I finally got to updating my environment to 12.1.2 and all of a sudden upon 1st run of a handful of B/U jobs I've gotten malware hits for 6 VMs! Now, history has told me they're false pos's cuz...up to this point, they have been. You may be interested to know the 1st VM I did an A/V scan on actually did seemingly have a 'trojan' file on it (Trojan:Win32/Leonem). It was on Win 2012 R2 so no native Defender on it. Thankfully Microsoft has a free nifty scan tool, MS Safety Scanner (https://learn.microsoft.com/en-us/defen ... r-download), which detected & removed the file. With all the false pos statements shared here, I thought it would be good to state the Malware Engine does have benefit (I've always said that).
I'm running scans on all my other VMs now. I hope the rest are false pos though!
Shane Williford
Systems Architect
Veeam Legend | Veeam Architect (VMCA) | VUG KC Leader
VMware VCAP/VCP | VMware vExpert 2011-22
Twitter: @coolsport00