[Veeam ONE Monitor] Alarm - Possible ransomware activity

by albertwt » Wed Jan 04, 2017 5:52 am

Hi All,

Just wanted to know if anyone here has found the [Veeam ONE Monitor] "Alarm - Possible ransomware activity" really useful or not?

I get bombarded with false positives daily, from multiple different servers, every hour, so it is not very useful so far in my environment.

Most of the email alerts come from:
Exchange Mailbox server
Remote Desktop Service Host (Terminal Server)
File Server - running deduplication and Robocopy file transfer after hours.

Here's the threshold that I have set:
[Image: screenshot of the alarm threshold settings]

I wonder if anyone here has found some other way to reduce the number of false positives?
--
/* Veeam software enthusiast user & supporter ! */
albertwt
Expert

Re: [Veeam ONE Monitor] Alarm - Possible ransomware activity

by Mike Resseler » Wed Jan 04, 2017 6:06 am

Hi Albert,

// EDITED: Didn't notice at first that you had already made changes; I couldn't see the images at first. Did you make the changes on all objects, or on a specific scope?

When this alarm was created (new in the latest version) it was tested and fine-tuned against many different setups and environments, but obviously not against every possible environment that exists in the world :-)

The thresholds are:
For VMware VMs
* Average CPU usage is above 70.0% and datastore write rate is 40 MB/s for 5 minutes. - gives a warning
* Average CPU usage is above 80.0% and datastore write rate is 60 MB/s for 5 minutes. - gives an error
For Hyper-V VMs
* Total run time is above 70% and virtual storage write is above 40 MB/s for 5 minutes. - gives a warning
* Total run time is above 80% and virtual storage write is above 60 MB/s for 5 minutes. - gives an error

The best thing you could do is modify the alarm to make it more suitable for your environment, so it doesn't give you false alarms anymore on those specific servers.
More information on modifying the alarms can be found here: https://helpcenter.veeam.com/docs/one/a ... tml?ver=95
Also, don't forget you can work with scopes to fine-tune the alarm only for those objects: https://helpcenter.veeam.com/docs/one/a ... tml?ver=95

Hope it helps

Mike
Mike Resseler
Veeam Software

Re: [Veeam ONE Monitor] Alarm - Possible ransomware activity

by Shestakov » Thu Jan 05, 2017 7:32 am

Hi Albert,
Mike is spot on. If you have a disturbing number of false positives, it's recommended either to raise the thresholds (as you did) or to disable the alarm.
However, the fact that you have average CPU usage > 90% for 10 minutes should warn you even without any possible ransomware activity :)
Thanks!
Shestakov
Veeam Software

Re: [Veeam ONE Monitor] Alarm - Possible ransomware activity

by albertwt » Thu Jan 05, 2017 12:35 pm

I ended up disabling this alarm, since I was always getting these false positives despite raising the threshold to Warning: 90% for 15 minutes.

Certain Terminal Servers, Exchange Mailbox servers and even a network virtual appliance VM are reported by this alarm.
--
/* Veeam software enthusiast user & supporter ! */
albertwt
Expert

Re: [Veeam ONE Monitor] Alarm - Possible ransomware activity

by Shestakov » Thu Jan 05, 2017 5:01 pm

Thanks for that feedback, Albert.
Apart from the ransomware alarm, what about the CPU Usage alarm? Does it also trigger often because of the high CPU utilization?
Shestakov
Veeam Software

Re: [Veeam ONE Monitor] Alarm - Possible ransomware activity

by Vitaliy S. » Fri Jan 06, 2017 9:29 am

Albert, instead of disabling this alarm, I would suggest making exclusions based on the time of day (when you have an expected high load on the VMs).
Vitaliy S.
Veeam Software
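As an added illustration of the alarm rule Mike spelled out (CPU and datastore write rate both above a threshold for 5 minutes, for VMware VMs) and of Vitaliy's suggestion to exclude expected high-load times of day, here is a small Python model of that logic. It is written for this page, not Veeam's own code, and Veeam ONE's internal evaluation is not documented in the thread. It assumes one sample per minute in ascending order, reads "write rate is 40 MB/s" as "above 40 MB/s" to match the Hyper-V wording, models a time-of-day exclusion as any excluded sample breaking the 5-minute run, and does not model the Hyper-V "total run time" variant. The VM series (file server under Robocopy, Exchange-like box, a 4-minute burst, and two that should fire) are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Iterable, Optional, Sequence, Tuple

# Default VMware thresholds quoted in the thread: (average CPU %, datastore write MB/s).
# Assumption: "write rate is 40 MB/s" is read as "above 40 MB/s", like the Hyper-V wording.
WARNING = (70.0, 40.0)
ERROR = (80.0, 60.0)
SUSTAIN_MINUTES = 5          # both conditions must hold for this many consecutive samples
Window = Tuple[time, time]   # time-of-day exclusion, end exclusive, may cross midnight


@dataclass(frozen=True)
class Sample:
    at: datetime       # assumption: one sample per minute, ascending order
    cpu_pct: float
    write_mbps: float


def in_exclusion_window(t: time, start: time, end: time) -> bool:
    """True if t is inside [start, end); a window with start > end wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(samples: Sequence[Sample], exclusions: Iterable[Window] = ()) -> Optional[str]:
    """Return 'Error', 'Warning' or None for one VM's sample series.

    A severity fires when some run of SUSTAIN_MINUTES consecutive samples all exceed
    both of its thresholds. Any sample falling in an exclusion window breaks the run,
    which is how this example models the time-of-day exclusions suggested in the thread.
    """
    exclusions = list(exclusions)

    def excluded(s: Sample) -> bool:
        return any(in_exclusion_window(s.at.time(), a, b) for a, b in exclusions)

    def sustained(cpu_t: float, write_t: float) -> bool:
        for i in range(len(samples) - SUSTAIN_MINUTES + 1):
            run = samples[i:i + SUSTAIN_MINUTES]
            if all(s.cpu_pct > cpu_t and s.write_mbps > write_t and not excluded(s) for s in run):
                return True
        return False

    if sustained(*ERROR):
        return "Error"
    if sustained(*WARNING):
        return "Warning"
    return None


def series(start: datetime, cpu: Sequence[float], write: Sequence[float]) -> list:
    """Build a minute-by-minute Sample list (constructed test data, not real telemetry)."""
    return [Sample(start + timedelta(minutes=i), c, w) for i, (c, w) in enumerate(zip(cpu, write))]


# Constructed scenarios that mirror the servers named in the thread.
BACKUP_WINDOW: Window = (time(22, 0), time(2, 0))   # assumed after-hours Robocopy / dedup run
DAY = datetime(2017, 1, 4)
FILE_SERVER = series(DAY.replace(hour=23), [90] * 6, [120] * 6)   # Robocopy: hot CPU, heavy writes
EXCHANGE = series(DAY.replace(hour=12), [85] * 6, [20] * 6)       # hot CPU, light writes
BURST = series(DAY.replace(hour=14), [75, 76, 78, 77, 60, 75], [45, 50, 48, 47, 10, 45])  # 4 min only
WARNING_VM = series(DAY.replace(hour=14), [75, 76, 78, 77, 79], [45, 50, 48, 47, 55])
ERROR_VM = series(DAY.replace(hour=14), [85, 90, 88, 92, 95], [70, 80, 90, 65, 75])


def evaluate_all(exclusions: Iterable[Window] = ()) -> dict:
    """Evaluate every constructed VM against the default thresholds."""
    vms = {"file-server": FILE_SERVER, "exchange": EXCHANGE, "burst": BURST,
           "warning-vm": WARNING_VM, "error-vm": ERROR_VM}
    excl = list(exclusions)
    return {name: evaluate(s, excl) for name, s in vms.items()}


if __name__ == "__main__":
    print("default:        ", evaluate_all())
    print("with exclusion: ", evaluate_all([BACKUP_WINDOW]))
```

Running it, the file server fires Error on the defaults and goes quiet once the 22:00-02:00 window is excluded, the Exchange-like series never fires because its writes stay low, and the 4-minute burst never fires because both conditions must hold for the full 5 minutes. The trade-off a practitioner should keep in mind: a time-of-day exclusion also hides a genuine encryption run that starts inside that window, so it buys quiet at the cost of coverage during exactly the hours when nobody is watching.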