dspringer
Enthusiast
Posts: 59
Liked: 5 times
Joined: Feb 01, 2022 10:57 am
Full Name: David Springer

Onion Links since 12.1.2.172

Post by dspringer »

Good Morning

I just updated to the latest version on Friday and was greeted by warnings for 26 servers this morning. Alleged onion links... Just like in the topic: veeam-backup-replication-f2/slightly-ti ... 94145.html
So sorry for picking up on the same problem, but this time it seems to be more pervasive. Have any of you experienced similar issues?

I'm currently working my way through the servers with YARA and see that alleged hits are being found in files of the antivirus product. Or, for example, in the Chrome ‘Rules Data’ set of rules found in [ c:\Users\ *USERNAME* \AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\36\9.49.1 ]

Unfortunately, even after the scan within Veeam, I have no information about the affected file so that I could exclude it. I don't want to know what happens if I increase the Encryption Detection from normal to extreme - as was actually recommended to me. Or does the detection then also work more accurately? I would try to simply add both paths to the Trusted Objects now.
dspringer
Enthusiast
Posts: 59
Liked: 5 times
Joined: Feb 01, 2022 10:57 am
Full Name: David Springer

Re: Onion Links since 12.1.2.172

Post by dspringer »

The exclusions are getting a little more difficult... Here are the hits for one of the servers:

... \Volume1\pagefile.sys
... \Volume1\Users\*User1*\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.49.1\Filtering Rules
... \Volume1\Users\*User1*\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\36\9.49.1\Ruleset Data
... \Volume1\Users\*User2*\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\36\9.45.0\Ruleset Data
... \Volume1\Users\*User2*\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.45.0\Filtering Rules
... \Volume1\Program Files (x86)\Trend Micro\Security Agent\libCNTTmPollingModule_64x.dll
... \Volume1\Program Files (x86)\Trend Micro\Security Agent\OfcCCCAUpdate.exe
... \Volume1\Program Files (x86)\Trend Micro\Security Agent\TmListen.exe
... \Volume1\Program Files (x86)\Trend Micro\Security Agent\TmSSClient.exe
... \Volume1\Program Files\Trend Micro\Cloud Endpoint\modules\NetFilterBridgeModule\tm_netinst.exe
... \Volume1\Program Files\Trend Micro\Cloud Endpoint\modules\EndpointResponse\ERAgent.dll

OK, so I'll just take out the paths [ c:\Program Files (x86)\Trend Micro\Security Agent ] and [ c:\Program Files\Trend Micro\Cloud Endpoint ] for the lower ones.
Above I need wildcards again. Because the ‘Filtering Rules’ and ‘Ruleset Data’ have no file extension and can be located in other folders within the user depending on the browser version.
I'm not quite sure what to do with pagefile.sys at this point, because excluding it is certainly not so nice here.

I have seen that this has already been added to the wish list. But I would like to confirm this with the example.
Dima P.
Product Manager
Posts: 14785
Liked: 1721 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Onion Links since 12.1.2.172

Post by Dima P. »

Hello David,

dspringer wrote:
So sorry for picking up on the same problem, but this time it seems to be more pervasive. Have any of you experienced similar issues?

Yes, we've identified the possible issues and the team is working on a fix.

dspringer wrote:
I don't want to know what happens if I increase the Encryption Detection from normal to extreme - as was actually recommended to me. Or does the detection then also work more accurately?

The sensitivity level does not have any effect on the onion link detection; it is applied only to entropy analysis.

dspringer wrote:
I would try to simply add both paths to the Trusted Objects now.

Unfortunately, that also won't help: the include / exclude control is applied to the guest file index analysis engine.

For now you can mark the affected machine / restore points as clean, since it seems to be a false positive case. The next job run / inline scan will be aware of the current amount of onion links detected and won't raise the alert. Thank you!
A.J.
Service Provider
Posts: 7
Liked: 7 times
Joined: Jul 26, 2016 6:19 am

Re: Onion Links since 12.1.2.172

Post by A.J. »

Hi,
We have had the same phenomenon since version 12.1.2.172. So you are not alone with this ;-)
As soon as the fix exists I would like to have it. At the moment it really creates a bad feeling.
Dima P.
Product Manager
Posts: 14785
Liked: 1721 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Onion Links since 12.1.2.172

Post by Dima P. » 2 people like this post

Hello guys,

The fix is in the works and will be distributed via the support team as soon as it's signed off by our QA department. Thank you!
Luke_A
Lurker
Posts: 1
Liked: never
Joined: Jun 18, 2024 12:18 pm

Re: Onion Links since 12.1.2.172

Post by Luke_A »

Will the update require a case or will it be available via downloads from the website? I have been seeing the same issue and checking in for an update.
Gostev
Chief Product Officer
Posts: 31964
Liked: 7437 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Onion Links since 12.1.2.172

Post by Gostev »

It will require a case.
Dima P.
Product Manager
Posts: 14785
Liked: 1721 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Onion Links since 12.1.2.172

Post by Dima P. » 2 people like this post

Hello guys! The fix is now available. In order to get it, please raise a support case; you can refer to this thread if needed. Thank you!
snorma01
Influencer
Posts: 12
Liked: 1 time
Joined: Nov 20, 2015 7:01 pm
Full Name: Stephen Normandin

Re: Onion Links since 12.1.2.172

Post by snorma01 »

I got the fix patch, which solved the pagefile.sys issue. But what is the recommended solution for the Chrome user folders? I already tried an exclusion for the entire C:\Users\ folder, but that didn't work. Is that because it shows \Volume1\Users\ instead of C:\Users\? So if I put in \Volume1\Users\ for the exclusion will that work? Does the Onion Links search respect the exclusions? Wildcard exclusions would obviously be preferred but I can't even get the whole folder exclusion working.
snorma01
Influencer
Posts: 12
Liked: 1 time
Joined: Nov 20, 2015 7:01 pm
Full Name: Stephen Normandin

Re: Onion Links since 12.1.2.172

Post by snorma01 »

Actually a YARA scan still shows pagefile.sys even with the patch. Not sure if the patch only prevents flagging and not the YARA result, so that is expected?
Gostev
Chief Product Officer
Posts: 31964
Liked: 7437 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Onion Links since 12.1.2.172

Post by Gostev »

Correct, it's expected because the onion link does actually exist in pagefile.sys, so YARA scan would flag it.
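A small triage helper, added here as an example (it is not code from Veeam or from anyone in this thread): it lists every Tor .onion hostname in a file with its byte offset and the bytes around it, so a hit in a Chrome ruleset or in a pagefile can be read in context before the restore point is marked clean. It looks at both plain text and the UTF-16LE strings Windows keeps in memory; the sample bytes and the function names are the example's own.

```python
import re
from typing import List, Tuple

# Tor hidden-service hostnames: v2 = 16 base32 characters, v3 = 56, then ".onion".
# Hand-written pattern for this example; it is not Veeam's detection logic.
ONION_RE = re.compile(rb"(?<![a-z2-7])(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)
Hit = Tuple[int, str, str]  # (byte offset, hostname, printable context)

def _printable(chunk: bytes) -> str:
    """Render bytes as text, replacing non-printable bytes with '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)

def find_onion_links(data: bytes, context: int = 24) -> List[Hit]:
    """List every .onion hostname in data with its byte offset and surrounding text."""
    hits: List[Hit] = []
    # Pass 1: plain ASCII/UTF-8 text, e.g. filter lists and browser rulesets.
    for m in ONION_RE.finditer(data):
        lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
        hits.append((m.start(), m.group().decode("ascii"), _printable(data[lo:hi])))
    # Pass 2: UTF-16LE text, which is how Windows holds many strings in memory and
    # hence in pagefile.sys. Drop the interleaved high bytes and rescan; accept a
    # candidate only if those high bytes were all NUL (a triage heuristic).
    for parity in (0, 1):
        narrow, high = data[parity::2], data[1 - parity::2]
        for m in ONION_RE.finditer(narrow):
            if any(high[m.start():m.end()]):
                continue
            off = parity + 2 * m.start()  # back to an offset in the original bytes
            lo = max(parity, off - 2 * (context // 2))
            hi = min(len(data), off + 2 * (len(m.group()) + context // 2))
            hits.append((off, m.group().decode("ascii"), _printable(data[lo:hi:2])))
    return sorted(hits)

# Constructed sample: a filter-list fragment (standing in for a Chrome "Ruleset Data"
# file) followed by a UTF-16LE URL inside binary padding (a pagefile-like fragment).
SAMPLE = (
    b"||ads.example.test^\n"
    + b"||" + b"a" * 56 + b".onion^\n"
    + b"\x00\x01\x02\xff" * 4
    + "http://abcdefghijklmnop.onion/".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    # The same call works on a flagged file: find_onion_links(open(path, "rb").read())
    for off, host, ctx in find_onion_links(SAMPLE):
        print(f"0x{off:08x}  {host}\n            {ctx}")
```

A real pagefile.sys is locked while Windows runs, so point the helper at a copy taken from the restore point rather than the live system.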