pmichelli
Expert
Posts: 103
Liked: 29 times
Joined: Mar 16, 2023 5:47 pm

Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by pmichelli » 1 person likes this post

I got a warning that one of my servers has some potentially unwanted files on it. When I go to history, it is only giving me a summary of the file extensions. How can I see the path to the files it thinks are wrong? I started a virus scan on it from Veeam but it's taking ages. It would be very useful if you told us the path to the files.

I see a summary like this:

*..txt 19
*.onelock 4
*.rdm 2

etc. It's nice to get notified but how can I triage this if I can't see the paths to these files?
Gostev
Chief Product Officer
Posts: 31955
Liked: 7430 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by Gostev » 2 people like this post

See here > C:\ProgramData\Veeam\Backup\Malware_Detection_Logs
We plan to add a link to logs directly to the event in the first patch.

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by pmichelli » 3 people like this post

Thank you! Saved me running search inside the affected VMs. I can say with confidence, these are all false positives on my end. Excellent new feature you've added. Veeam is really adding great features with each release.

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by Gostev » 2 people like this post

Thank you for your kind words! If these 3 extensions are "normal" and common in your environment, you can consider excluding them from monitoring completely so that you stop getting false positives in future. While we will keep monitoring the other 1000+ known malware extensions for you!
BackItUp2020
Enthusiast
Posts: 66
Liked: 3 times
Joined: Mar 24, 2020 6:36 pm
Full Name: M.S.

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by BackItUp2020 »

Is there any way to detect this when triggered by the AI/ML inline scan? We do not have guest indexing on (so that directory does not exist for us), but we have an alert that leaves us hunting for the trigger.

We were able to ask around and see what changed recently. In our case, someone downloaded a 700MB password-protected ZIP file the day before, so we think that may have triggered it. But we have no definitive details other than "Anomaly Percentage: 6".

We felt safe putting the VM back into production after a Veeam and external scan, but really wish there was some insight available.

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by Gostev » 1 person likes this post

This thread is about the functionality that detects file extensions used by malware. Inline scan will not be able to detect these because it looks at a data stream, as opposed to a file system (like guest file system indexing). Further, remember it gets to see changed blocks only, as opposed to the whole image with the entire file system. As such, it does not really "know" what file a particular suspicious disk block belongs to. There's room for improvement here for sure, but as you can imagine it is not a simple task.

Compression can indeed cause false positives because compressed data is very much akin to encrypted data as far as entropy goes. Having said that, as we specifically trained and tuned our ML model further to avoid these false positives, in our testing we saw false positives remain only for one particular (and rare) compression tool, but not for ZIP.

Note that you can reduce detection thresholds slightly to reduce the chance of false positives. Don't consider defaults as "recommended". This is brand new functionality and we will keep tweaking detection settings and defaults in future versions based on the feedback from the field.
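
To illustrate the point in the post above that compressed data looks much like encrypted data as far as entropy goes, here is an added example (not part of the thread and not Veeam's detection logic) that scores constructed samples by per-block Shannon entropy. The block size, the threshold and the sample data are assumptions chosen for the illustration, and random bytes stand in for ciphertext.

```python
import lzma
import math
import os
import random
import zlib
from collections import Counter

BLOCK_SIZE = 4096        # assumed block size, chosen for this illustration only
HIGH_ENTROPY = 7.5       # assumed threshold in bits per byte (maximum is 8.0)
WORDS = ("backup restore proxy repository snapshot index guest agent "
         "job tape host disk block scan alert report").split()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_ratio(data: bytes) -> float:
    """Fraction of full blocks whose entropy meets the threshold."""
    blocks = [data[i:i + BLOCK_SIZE]
              for i in range(0, len(data) - BLOCK_SIZE + 1, BLOCK_SIZE)]
    if not blocks:
        return 0.0
    flagged = sum(1 for b in blocks if shannon_entropy(b) >= HIGH_ENTROPY)
    return flagged / len(blocks)


def sample_ratios() -> dict:
    """Build constructed samples and score each one."""
    rng = random.Random(12)  # fixed seed so the constructed text is repeatable
    text = " ".join(rng.choice(WORDS) for _ in range(100_000)).encode()
    samples = {
        "plain text": text,
        "zlib": zlib.compress(text),
        "lzma": lzma.compress(text),
        # Random bytes stand in for ciphertext (no cipher in the stdlib).
        "random": os.urandom(len(text)),
    }
    return {name: high_entropy_ratio(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, ratio in sample_ratios().items():
        print(f"{name:10s} high-entropy blocks: {ratio:.0%}")
```

On entropy alone the compressed samples are indistinguishable from the random one, which is why a detector needs additional signals, such as recognising known compression headers, to tell them apart.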

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by BackItUp2020 »

Very interesting! I would love to gather more insights as to how the event was triggered in any case. Thanks for the information!

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by Gostev »

Gostev wrote: Jan 09, 2024 10:52 pm Compression can indeed cause false positives because compressed data is very much akin to encrypted data as far as entropy goes. Having said that, as we specifically trained and tuned our ML model further to avoid these false positives, in our testing we saw false positives remain only for one particular (and rare) compression tool, but not for ZIP.
Actually, I just saw in the User Guide that even this false positive I was talking about was addressed in the release version:
"If LZMA headers are found, they will be excluded from encrypted data calculation to decrease the number of false positive events."
cricoinf
Lurker
Posts: 1
Liked: never
Joined: Oct 28, 2015 12:43 pm
Full Name: CRICO Support

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by cricoinf »

Gostev wrote: Jan 03, 2024 5:30 pm See here > C:\ProgramData\Veeam\Backup\Malware_Detection_Logs
We plan to add a link to logs directly to the event in the first patch.
Should we be looking in this folder on the end point that is potentially impacted, on the VBR server, or the proxy server?
We have had some reports; my VBR server doesn't even have the Malware_Detection_Logs folder in the ProgramData\Veeam\Backup\ folder on our VBR or VeeamOne servers.
tyler.jurgens
Veeam Legend
Posts: 418
Liked: 243 times
Joined: Apr 11, 2023 1:18 pm
Full Name: Tyler Jurgens

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by tyler.jurgens » 1 person likes this post

Look for the folder on your VBR server. However, it may only exist if you have Guest File System indexing enabled and Enterprise Manager installed.
Tyler Jurgens
Veeam Legend x3 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
tkolstad
Influencer
Posts: 11
Liked: 1 time
Joined: Oct 11, 2011 2:16 pm
Full Name: Terence Kolstad

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by tkolstad »

Gostev wrote: Jan 03, 2024 5:30 pm See here > C:\ProgramData\Veeam\Backup\Malware_Detection_Logs
We plan to add a link to logs directly to the event in the first patch.
I have a couple customers now that are looking forward to VEEAM adding that link!! BUMP!

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by Gostev » 2 people like this post

This exchange happened a while ago; by now we're at the second 12.1 patch already :) so the link should be there at this time.
real_tarantoga
Expert
Posts: 107
Liked: 23 times
Joined: Aug 20, 2009 12:32 pm
Location: Germany

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by real_tarantoga »

I'm getting malware detection alerts, but I cannot find any folder C:\ProgramData\Veeam\Backup\Malware_Detection_Logs on the VBR Server.
Where to look at this elsewhere?

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by real_tarantoga »

And if it should be the VM path - where to look on a Linux server? :)

Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?

Post by real_tarantoga »

Ah - OK. I've no active guest file indexing.