- dspringer
- Enthusiast
- Posts: 62
- Liked: 5 times
- Joined: Feb 01, 2022 10:57 am
- Full Name: David Springer
- Contact:
Onion Links since 12.1.2.172
Good Morning
I just updated to the latest version on Friday and was greeted by warnings for 26 servers this morning. Alleged onion links... Just like in the topic: veeam-backup-replication-f2/slightly-ti ... 94145.html
So sorry for picking up on the same problem, but this time it seems to be more pervasive. Have any of you experienced similar issues?
I'm currently working my way through the servers with YARA and see that the alleged hits are being found in files of the antivirus product, or, for example, in the Chrome ‘Rules Data’ rule set found in [ c:\Users\ *USERNAME* \AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\36\9.49.1 ]
Unfortunately, even after the scan within Veeam, I have no information about the affected file, so I can't exclude it. I don't want to know what happens if I increase the Encryption Detection from normal to extreme, as was actually recommended to me. Or does the detection then also work more accurately? I would try simply adding both paths to the Trusted Objects now.
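What the thread calls an "onion link" is a Tor hidden-service hostname, and both places David names are where such a string can legitimately live: a browser's ad/tracker blocklist (the Chrome Subresource Filter rule files) can list .onion hostnames it wants to block, and a pagefile holds whatever a browser had in memory. The following is an added example, not Veeam's code and not a description of how Veeam's inline scan or a YARA scan actually matches. It assumes the detection is a pattern match for 16-character (v2) or 56-character (v3) base32 names ending in .onion, scans raw bytes for them, and classifies each hit from its immediate context so a blocklist rule can be told apart from a URL. The Adblock-style `||host^` rule syntax, the sample file contents and the labels are all constructed.

```python
"""Triage of "onion link" hits in raw file content.

Added example, not Veeam's code. Assumes the detection is a pattern match for
Tor hidden-service hostnames: 16 base32 characters (v2) or 56 base32
characters (v3) followed by ".onion". All sample inputs are constructed.
"""
import re
from typing import NamedTuple

# Tor addresses use the base32 alphabet a-z and 2-7. The negative lookbehind
# stops a longer base32 run from being cut down to a 16/56-character suffix.
ONION_RE = re.compile(
    rb"(?<![a-z2-7])([a-z2-7]{56}|[a-z2-7]{16})\.onion\b",
    re.IGNORECASE,
)


class Hit(NamedTuple):
    offset: int      # byte offset of the address in the scanned blob
    address: str     # lower-cased hostname including ".onion"
    version: int     # 2 or 3, derived from the address length
    before: bytes    # bytes immediately preceding the address
    after: bytes     # bytes immediately following it


def scan_bytes(data: bytes, context: int = 16) -> list[Hit]:
    """Return every onion hostname in `data` with a little surrounding context."""
    hits = []
    for m in ONION_RE.finditer(data):
        addr = m.group(0).decode("ascii").lower()
        version = 3 if len(m.group(1)) == 56 else 2
        before = data[max(0, m.start() - context):m.start()]
        after = data[m.end():m.end() + context]
        hits.append(Hit(m.start(), addr, version, before, after))
    return hits


def classify(hit: Hit) -> str:
    """Rough guess at why the string is there, from its immediate context.

    "||host^" is the Adblock/EasyList hostname-rule syntax; the assumption
    here is that a browser filter list carries .onion hosts in that form.
    """
    if hit.before.endswith(b"||") and hit.after.startswith(b"^"):
        return "filter-list rule"
    if hit.before.lower().endswith((b"http://", b"https://")):
        return "url"
    return "bare hostname"


def triage(files: dict[str, bytes]) -> dict[str, list[tuple[str, str]]]:
    """Map each file to (address, classification) pairs; an empty list means no hit."""
    return {
        path: [(h.address, classify(h)) for h in scan_bytes(blob)]
        for path, blob in files.items()
    }


# --- constructed samples (not data from the thread) -----------------------
V3_ADDR = (b"abcdefghijklmnopqrstuvwxyz234567" * 2)[:56]   # 56 base32 chars
V2_ADDR = b"abcdefghijklmnop"                             # 16 base32 chars

# A blocklist line in Adblock syntax, as a browser filter-list file might
# carry it: a benign reason for a .onion hostname to sit in a user profile.
SAMPLE_FILTER_RULES = b"||" + V3_ADDR + b".onion^$third-party\n||ads.example^\n"

# A slice of paged-out browser memory: a URL surrounded by zero padding.
SAMPLE_PAGEFILE = b"\x00" * 8 + b"http://" + V2_ADDR + b".onion/login" + b"\x00" * 8

# Strings that contain "onion" or base32 runs but are not hidden-service names.
SAMPLE_CLEAN = b"onion.exe loaded; config key ssl.onion-ring=1; " + V3_ADDR

if __name__ == "__main__":
    report = triage({
        "Filtering Rules (constructed)": SAMPLE_FILTER_RULES,
        "pagefile.sys (constructed)": SAMPLE_PAGEFILE,
        "clean.bin (constructed)": SAMPLE_CLEAN,
    })
    for label, found in report.items():
        print(label, "->", found or "no onion links")
```

The classification is only a triage aid: a hostname preceded by `||` and followed by `^` in a text file under a browser profile is a blocklist entry, a hostname inside an `http://` URL in a pagefile is more likely browser memory, and anything else deserves a look at the surrounding bytes before the restore point is marked clean.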
- dspringer
- Enthusiast
- Posts: 62
- Liked: 5 times
- Joined: Feb 01, 2022 10:57 am
- Full Name: David Springer
- Contact:
Re: Onion Links since 12.1.2.172
The exclusions are getting a little more difficult.... Here are the hits for one of the servers
... \Volume1\pagefile.sys
... \Volume1\Users\*User1*\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.49.1\Filtering Rules
... \Volume1\Users\*User1*\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\36\9.49.1\Ruleset Data
... \Volume1\Users\*User2*\AppData\Local\Google\Chrome\User Data\Subresource Filter\Indexed Rules\36\9.45.0\Ruleset Data
... \Volume1\Users\*User2*\AppData\Local\Google\Chrome\User Data\Subresource Filter\Unindexed Rules\9.45.0\Filtering Rules
... \Volume1\Program Files (x86)\Trend Micro\Security Agent\libCNTTmPollingModule_64x.dll
... \Volume1\Program Files (x86)\Trend Micro\Security Agent\OfcCCCAUpdate.exe
... \Volume1\Program Files (x86)\Trend Micro\Security Agent\TmListen.exe
... \Volume1\Program Files (x86)\Trend Micro\Security Agent\TmSSClient.exe
... \Volume1\Program Files\Trend Micro\Cloud Endpoint\modules\NetFilterBridgeModule\tm_netinst.exe
... \Volume1\Program Files\Trend Micro\Cloud Endpoint\modules\EndpointResponse\ERAgent.dll
OK, so I'll just take out the paths [ c:\Program Files (x86)\Trend Micro\Security Agent ] and [ c:\Program Files\Trend Micro\Cloud Endpoint ] for the lower ones.
For the ones above I need wildcards again, because ‘Filtering Rules’ and ‘Ruleset Data’ have no file extension and can be located in other folders within the user profile depending on the browser version.
I'm not quite sure what to do with pagefile.sys at this point, because excluding it is certainly not so nice here.
I have seen that this has already been added to the wish list. But I would like to confirm this with the example.
- Dima P.
- Product Manager
- Posts: 14945
- Liked: 1833 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Onion Links since 12.1.2.172
Hello David,
> So sorry for picking up on the same problem, but this time it seems to be more pervasive. Have any of you experienced similar issues?
Yes, we've identified the possible issues and the team is working on a fix.
> I don't want to know what happens if I increase the Encryption Detection from normal to extreme, as was actually recommended to me. Or does the detection then also work more accurately?
The sensitivity level does not have any effect on the onion link detection; it is applied only to entropy analysis.
> I would try to simply add both paths to the Trusted Objects now.
Unfortunately, that also won't help: the include / exclude control is applied to the guest file index analysis engine.
For now you can mark the affected machine / restore points as clean, since it seems to be a false positive case. The next job run / inline scan will be aware of the current amount of onion links detected and won't raise the alert. Thank you!
- A.J.
- Service Provider
- Posts: 7
- Liked: 7 times
- Joined: Jul 26, 2016 6:19 am
- Contact:
Re: Onion Links since 12.1.2.172
Hi,
We have had the same phenomenon since version 12.1.2.172, so you are not alone with this.
As soon as the fix exists I would like to have it. At the moment it really creates a bad feeling.
- Dima P.
- Product Manager
- Posts: 14945
- Liked: 1833 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Onion Links since 12.1.2.172
Hello guys,
The fix is in the works and will be distributed via the support team as soon as it's signed off by our QA department. Thank you!
- Luke_A
- Lurker
- Posts: 1
- Liked: never
- Joined: Jun 18, 2024 12:18 pm
- Contact:
Re: Onion Links since 12.1.2.172
Will the update require a case, or will it be available via downloads from the website? I have been seeing the same issue and am checking in for an update.
- Gostev
- Chief Product Officer
- Posts: 32761
- Liked: 7970 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Onion Links since 12.1.2.172
It will require a case.
- Dima P.
- Product Manager
- Posts: 14945
- Liked: 1833 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Onion Links since 12.1.2.172
Hello guys! The fix is now available. In order to get it please raise a support case, you can refer to this thread if needed. Thank you!
- snorma01
- Influencer
- Posts: 12
- Liked: 1 time
- Joined: Nov 20, 2015 7:01 pm
- Full Name: Stephen Normandin
- Contact:
Re: Onion Links since 12.1.2.172
I got the fix patch, which solved the pagefile.sys issue. But what is the recommended solution for the Chrome user folders? I already tried an exclusion for the entire C:\Users\ folder, but that didn't work. Is that because it shows \Volume1\Users\ instead of C:\Users\? So if I put in \Volume1\Users\ for the exclusion will that work? Does the Onion Links search respect the exclusions? Wildcard exclusions would obviously be preferred but I can't even get the whole folder exclusion working.
- snorma01
- Influencer
- Posts: 12
- Liked: 1 time
- Joined: Nov 20, 2015 7:01 pm
- Full Name: Stephen Normandin
- Contact:
Re: Onion Links since 12.1.2.172
Actually, a YARA scan still shows pagefile.sys even with the patch. Not sure if the patch only prevents the flagging and not the YARA result, so is that expected?
- Gostev
- Chief Product Officer
- Posts: 32761
- Liked: 7970 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Onion Links since 12.1.2.172
Correct, it's expected because the onion link does actually exist in pagefile.sys, so YARA scan would flag it.