-
- Expert
- Posts: 103
- Liked: 29 times
- Joined: Mar 16, 2023 5:47 pm
- Contact:
Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
I got a warning that one of my servers has some potentially unwanted files on it. When I go to history, it is only giving me a summary of the file extensions. How can I see the path to the files it thinks are wrong? I started a virus scan on it from Veeam but it's taking ages. would be very useful if you told us the path to the files.
I see a summary like this :
*..txt 19
*.onelock 4
*.rdm 2
etc. It's nice to get notified but how can I triage this if I can't see the paths to these files?
I see a summary like this :
*..txt 19
*.onelock 4
*.rdm 2
etc. It's nice to get notified but how can I triage this if I can't see the paths to these files?
-
- Chief Product Officer
- Posts: 31955
- Liked: 7430 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
See here > C:\ProgramData\Veeam\Backup\Malware_Detection_Logs
We plan to add a link to logs directly to the event in the first patch.
We plan to add a link to logs directly to the event in the first patch.
-
- Expert
- Posts: 103
- Liked: 29 times
- Joined: Mar 16, 2023 5:47 pm
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
Thank you ! Saved me running search inside the affected VMs. I can say with confidence, these are all false positives on my end. Excellent new feature you've added. Veeam is really adding great features with each release
-
- Chief Product Officer
- Posts: 31955
- Liked: 7430 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
Thank you for your kind words! If these 3 extensions are "normal" and common in your environment, you can consider excluding them from monitoring completely so that you stop getting false positives in future. While we will keep monitoring the other 1000+ known malware extensions for you!
-
- Enthusiast
- Posts: 66
- Liked: 3 times
- Joined: Mar 24, 2020 6:36 pm
- Full Name: M.S.
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
Is there anyway to detect this when triggered by the AI/ML inline scan? We do not have guest indexing on (so that directory does not exist for us), but we have an alert that leaves us hunting for the trigger.
We were able to ask around and see what changed recently. In our case, someone downloaded a 700MB password-protected ZIP file the day before, so we think that may have triggered it. But we have no definitive details other than "Anomaly Percentage: 6".
We felt safe putting the VM back into production after a Veeam and external scan, but really wish there was some insight available.
We were able to ask around and see what changed recently. In our case, someone downloaded a 700MB password-protected ZIP file the day before, so we think that may have triggered it. But we have no definitive details other than "Anomaly Percentage: 6".
We felt safe putting the VM back into production after a Veeam and external scan, but really wish there was some insight available.
-
- Chief Product Officer
- Posts: 31955
- Liked: 7430 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
This thread is about the functionality that detects file extensions used by malware. Inline scan will not be able to detect these because it looks at a data stream, as opposed to a file system (like guest file system indexing). Further, remember it gets to see changed blocks only, as opposed to the whole image with the entire file system. As such, it does not really "know" what file a particular suspicious disk block belongs too. There's a room for improvement here for sure, but as you can imagine it is not a simple task.
Compression can indeed cause false positives because compressed data is very much akin to encrypted data as far as entropy goes. Having said that, as we specifically trained and tuned our ML model further to avoid these false positives, in our testing we saw false positives remain only for one particular (and rare) compression tool, but not for ZIP.
Note that you can reduce detection thresholds slightly to reduce the chance of false positives. Don't consider defaults as "recommended". This is brand new functionality and we will keep tweaking detection settings and defaults in future versions based on the feedback from the field.
Compression can indeed cause false positives because compressed data is very much akin to encrypted data as far as entropy goes. Having said that, as we specifically trained and tuned our ML model further to avoid these false positives, in our testing we saw false positives remain only for one particular (and rare) compression tool, but not for ZIP.
Note that you can reduce detection thresholds slightly to reduce the chance of false positives. Don't consider defaults as "recommended". This is brand new functionality and we will keep tweaking detection settings and defaults in future versions based on the feedback from the field.
-
- Enthusiast
- Posts: 66
- Liked: 3 times
- Joined: Mar 24, 2020 6:36 pm
- Full Name: M.S.
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
Very interesting! I would love to gather more insights as to how the event was triggered in any case. Thanks for the information!
-
- Chief Product Officer
- Posts: 31955
- Liked: 7430 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
Actually, I just saw in the User Guide that even this false positive I was talking about was addressed in the release version:Gostev wrote: ↑Jan 09, 2024 10:52 pmCompression can indeed cause false positives because compressed data is very much akin to encrypted data as far as entropy goes. Having said that, as we specifically trained and tuned our ML model further to avoid these false positives, in our testing we saw false positives remain only for one particular (and rare) compression tool, but not for ZIP.
"If LZMA headers are found, they will be excluded from encrypted data calculation to decrease the number of false positive events."
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Oct 28, 2015 12:43 pm
- Full Name: CRICO Support
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
Should we be looking in this folder on the end point that is potentially impacted, on the VBR server, or the proxy server?
We have had some reports, my VBR server doesn't even have this folder the Malware_Detection_Logs folder in the ProgramData\Veeam\Backup\ folder on our VBR or VeeamOne servers.
-
- Veeam Legend
- Posts: 418
- Liked: 243 times
- Joined: Apr 11, 2023 1:18 pm
- Full Name: Tyler Jurgens
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
Look for the folder on your VBR server. However, it may only exist if you have Guest File System indexing enabled and Enterprise Manager installed.
Tyler Jurgens
Veeam Legend x3 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
Veeam Legend x3 | vExpert ** | VMCE | VCP 2020 | Tanzu Vanguard | VUG Canada Leader | VMUG Calgary Leader
Blog: https://explosive.cloud
Twitter: @Tyler_Jurgens BlueSky: @explosive.cloud
-
- Influencer
- Posts: 11
- Liked: 1 time
- Joined: Oct 11, 2011 2:16 pm
- Full Name: Terence Kolstad
- Contact:
-
- Chief Product Officer
- Posts: 31955
- Liked: 7430 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
This exchange happened a while ago, by now we're at the second 12.1 patch already
so the link should be there at this time.

-
- Expert
- Posts: 107
- Liked: 23 times
- Joined: Aug 20, 2009 12:32 pm
- Location: Germany
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
I'm getting malware detection alerts, but I cannot find any folder C:\ProgramData\Veeam\Backup\Malware_Detection_Logs on the VBR Server.
Where to look at this elsewhere?
Where to look at this elsewhere?
-
- Expert
- Posts: 107
- Liked: 23 times
- Joined: Aug 20, 2009 12:32 pm
- Location: Germany
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
And if it should be the VM path - where to look on a linux server? 

-
- Expert
- Posts: 107
- Liked: 23 times
- Joined: Aug 20, 2009 12:32 pm
- Location: Germany
- Contact:
Re: Veeam 12.1 Malware Scan Detected Anomalies. Where are the file paths?
ah - ok. I've no active guest file indexing.
Who is online
Users browsing this forum: coolsport00, Google [Bot] and 90 guests