pmichelli
Enthusiast
Posts: 65
Liked: 13 times
Joined: Mar 16, 2023 5:47 pm

Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by pmichelli » 1 person likes this post

I got a warning that one of my servers has some potentially unwanted files on it. When I go to history, it is only giving me a summary of the file extensions. How can I see the path to the files it thinks are wrong? I started a virus scan on it from Veeam but it's taking ages. It would be very useful if you told us the path to the files.

I see a summary like this:

*..txt 19
*.onelock 4
*.rdm 2

etc. It's nice to get notified but how can I triage this if I can't see the paths to these files?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Post by Gostev » 1 person likes this post

See here > C:\ProgramData\Veeam\Backup\Malware_Detection_Logs
We plan to add a link to logs directly to the event in the first patch.

Post by pmichelli » 3 people like this post

Thank you! Saved me running search inside the affected VMs. I can say with confidence, these are all false positives on my end. Excellent new feature you've added. Veeam is really adding great features with each release.

Post by Gostev » 2 people like this post

Thank you for your kind words! If these 3 extensions are "normal" and common in your environment, you can consider excluding them from monitoring completely so that you stop getting false positives in future. While we will keep monitoring the other 1000+ known malware extensions for you!
BackItUp2020
Enthusiast
Posts: 56
Liked: 3 times
Joined: Mar 24, 2020 6:36 pm
Full Name: M.S.

Post by BackItUp2020 »

Is there any way to detect this when triggered by the AI/ML inline scan? We do not have guest indexing on (so that directory does not exist for us), but we have an alert that leaves us hunting for the trigger.

We were able to ask around and see what changed recently. In our case, someone downloaded a 700MB password-protected ZIP file the day before, so we think that may have triggered it. But we have no definitive details other than "Anomaly Percentage: 6".

We felt safe putting the VM back into production after a Veeam and external scan, but really wish there was some insight available.

Post by Gostev » 1 person likes this post

This thread is about the functionality that detects file extensions used by malware. Inline scan will not be able to detect these because it looks at a data stream, as opposed to a file system (like guest file system indexing). Further, remember it gets to see changed blocks only, as opposed to the whole image with the entire file system. As such, it does not really "know" what file a particular suspicious disk block belongs to. There's room for improvement here for sure, but as you can imagine it is not a simple task.

Compression can indeed cause false positives because compressed data is very much akin to encrypted data as far as entropy goes. Having said that, as we specifically trained and tuned our ML model further to avoid these false positives, in our testing we saw false positives remain only for one particular (and rare) compression tool, but not for ZIP.

Note that you can reduce detection thresholds slightly to reduce the chance of false positives. Don't consider defaults as "recommended". This is brand new functionality and we will keep tweaking detection settings and defaults in future versions based on the feedback from the field.

Post by BackItUp2020 »

Very interesting! I would love to gather more insights as to how the event was triggered in any case. Thanks for the information!

Post by Gostev »

Gostev wrote: Jan 09, 2024 10:52 pm Compression can indeed cause false positives because compressed data is very much akin to encrypted data as far as entropy goes. Having said that, as we specifically trained and tuned our ML model further to avoid these false positives, in our testing we saw false positives remain only for one particular (and rare) compression tool, but not for ZIP.

Actually, I just saw in the User Guide that even this false positive I was talking about was addressed in the release version:
"If LZMA headers are found, they will be excluded from encrypted data calculation to decrease the number of false positive events."
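
The entropy point from the two posts above, as an added example that is not part of the thread and not Veeam's implementation: per-block Shannon entropy cannot tell compressed data from ciphertext, and a recognised compressor header is one way to explain a high score. The 4096-byte block size, the 7.5 bits/byte threshold, the 50% cut-off and the use of the XZ stream magic as a stand-in for "LZMA headers" are all assumptions; the sample data is constructed.

```python
import hashlib
import lzma
import math
from collections import Counter

BLOCK = 4096                 # assumed block size for this illustration
THRESHOLD = 7.5              # assumed bits/byte cut-off, not a Veeam default
XZ_MAGIC = b"\xfd7zXZ\x00"   # start of an .xz stream, stand-in for "LZMA headers"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_ratio(stream: bytes) -> float:
    """Fraction of full blocks whose entropy exceeds THRESHOLD."""
    blocks = [stream[i:i + BLOCK] for i in range(0, len(stream) - BLOCK + 1, BLOCK)]
    if not blocks:
        return 0.0
    return sum(shannon_entropy(b) > THRESHOLD for b in blocks) / len(blocks)

def classify(stream: bytes) -> str:
    """Naive verdict: entropy first, then a known-compressor header check."""
    if high_entropy_ratio(stream) < 0.5:
        return "normal"
    if stream.startswith(XZ_MAGIC):
        return "compressed"   # the header explains the high entropy
    return "suspicious"

def keystream(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample data: log-like text, the same text compressed, fake ciphertext.
TEXT = "".join(
    f"2024-01-09 host-{i % 40:02d} wrote {hashlib.sha256(str(i).encode()).hexdigest()}.txt\n"
    for i in range(4000)
).encode()
COMPRESSED = lzma.compress(TEXT)
CIPHERTEXT = keystream(len(COMPRESSED))

if __name__ == "__main__":
    for name, blob in [("text", TEXT), ("xz", COMPRESSED), ("ciphertext", CIPHERTEXT)]:
        print(f"{name:10s} {high_entropy_ratio(blob):5.0%} high-entropy -> {classify(blob)}")
```

Without the header check the compressed and ciphertext samples are indistinguishable by entropy, which is the false positive described in the thread; a scanner that only sees changed blocks may never see the header at all.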
cricoinf
Lurker
Posts: 1
Liked: never
Joined: Oct 28, 2015 12:43 pm
Full Name: CRICO Support

Post by cricoinf »

Gostev wrote: Jan 03, 2024 5:30 pm See here > C:\ProgramData\Veeam\Backup\Malware_Detection_Logs
We plan to add a link to logs directly to the event in the first patch.

Should we be looking in this folder on the endpoint that is potentially impacted, on the VBR server, or the proxy server?
We have had some reports; my VBR server doesn't even have the Malware_Detection_Logs folder in the ProgramData\Veeam\Backup\ folder on our VBR or VeeamOne servers.
tyler.jurgens
Veeam Legend
Posts: 290
Liked: 128 times
Joined: Apr 11, 2023 1:18 pm
Full Name: Tyler Jurgens

Post by tyler.jurgens » 1 person likes this post

Look for the folder on your VBR server. However, it may only exist if you have Guest File System indexing enabled and Enterprise Manager installed.
Tyler Jurgens
Veeam Legend x2 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @tylerjurgens.bsky.social