-
OMW72
- Enthusiast
- Posts: 45
- Liked: 4 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
Malware Detection Settings
Hi guys,
hope you're well.
We have the following behaviour in our production environment.
The following path has been added to the trusted objects within the configured file mask part of the malware detection.
C:\VeeamFLR\v-epa-db1_f02a103a\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK
Now it happens frequently that only the ID after the VM name changes, and therefore the detection triggers an alarm.
For this example, from C:\VeeamFLR\v-epa-db1_f02a103a\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK to C:\VeeamFLR\v-epa-db1_9141dd11\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK
For us it is not clear why the ID is changing from time to time.
Maybe you can help us out?
With kind regards
Oliver
-
rcocate
- Novice
- Posts: 4
- Liked: never
- Joined: Jul 26, 2024 2:11 pm
- Full Name: Rodrigo Cocate
- Contact:
Re: Malware Detection Settings
Hi Oliver,
This ID change behavior seems to be related to the Veeam Analyzer service restarting daily and simultaneously starting the backup scan task on the mount server. Therefore, each session needs to be unique to facilitate information tracking.
In this case, the exception you applied could be considered the server's original path, or something like " *FLASHBACK " or part of the path "/PEG1/FLASHBACK" (if it's a Windows server, simply invert the \ ).
Another option would be to create a custom .xml file with the exceptions. You can see how to create it at the URL below, as well as understand how the other exception options can be configured.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Best regards,
Rodrigo
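The mask suggestion in the reply above, as an added example that is not part of the original post: it compares how a literal path, the loose `*FLASHBACK` mask, and a mask that wildcards only the session ID behave once the ID rotates. Python's `fnmatch` glob rules stand in for the matcher here as an assumption (this does not model Veeam's own mask handling), and the `OTHER_HOST` and `OTHER_NAME` paths are constructed samples.

```python
from fnmatch import fnmatchcase

# The first two paths are the ones quoted in the thread; the last two are
# constructed to show what a loose mask also lets through.
OLD_SESSION = r"C:\VeeamFLR\v-epa-db1_f02a103a\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK"
NEW_SESSION = r"C:\VeeamFLR\v-epa-db1_9141dd11\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK"
OTHER_HOST = r"C:\VeeamFLR\example-web1_0a1b2c3d\Volume1\Users\Public\FLASHBACK"
OTHER_NAME = r"C:\VeeamFLR\v-epa-db1_9141dd11\Volume4\Temp\NOT_FLASHBACK"

SAMPLES = {
    "old": OLD_SESSION,
    "new": NEW_SESSION,
    "other_host": OTHER_HOST,
    "other_name": OTHER_NAME,
}

MASKS = {
    # Exact path of one session: stops matching as soon as the ID changes.
    "literal": OLD_SESSION,
    # Suffix-only mask: survives ID changes but trusts anything ending in FLASHBACK.
    "suffix": "*FLASHBACK",
    # Only the session ID is wildcarded; host and directory stay pinned.
    "scoped": r"C:\VeeamFLR\v-epa-db1_*\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK",
}


def is_trusted(path, mask):
    """Case-insensitive glob match (assumed semantics); '*' also spans backslashes."""
    return fnmatchcase(path.lower(), mask.lower())


def coverage(mask):
    """Return the names of the sample paths that a mask would treat as trusted."""
    return sorted(name for name, path in SAMPLES.items() if is_trusted(path, mask))


if __name__ == "__main__":
    for name, mask in MASKS.items():
        print(f"{name:8} -> {coverage(mask)}")
```
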
-
OMW72
- Enthusiast
- Posts: 45
- Liked: 4 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
Re: Malware Detection Settings
Hi Rodrigo,
Thanks for your quick response in this matter.
Just for clarification: as far as this scenario happens ("Veeam Analyzer service restarting daily and simultaneously starting the backup scan"), the ID 9141dd11 is changing into another one and we are getting a malware alarm, correct?
We only have trusted objects for Windows systems, which means we have the opportunity to invert the \ . For me it is not clear what I have to do.
Maybe you can send me, based on this path: C:\VeeamFLR\v-epa-db1_f02a103a\Volume4\Oracle\fast_recovery_area\PEG1\FLASHBACK\ the adjustment that I have to make.
Thanks in advance.
Oliver
-
OMW72
- Enthusiast
- Posts: 45
- Liked: 4 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
Re: Malware Detection Settings
Hi Rodrigo,
Any news on this?
Regards,
Oliver
-
sherzig
- Veeam Software
- Posts: 225
- Liked: 54 times
- Joined: Dec 05, 2018 2:44 pm
- Contact:
Re: Malware Detection Settings
Hi @OMW72
The ID in the C:\VeeamFLR\<hostname>_<ID> folder is automatically generated by Veeam for each file-level restore session (also used by the scan process) to identify and separate different restore operations uniquely.
According to Veeam KB1999 https://www.veeam.com/kb1999, the C:\VeeamFLR path is generally recommended for exclusion from antivirus scans. However, please note that, in some cases, excluding this folder can prevent on-demand malware scans from functioning correctly, since some antivirus solutions will not scan excluded folders even when requested. Review your antivirus settings and the article’s notes to ensure compatibility with your security requirements.
Cheers,
Steve
-
OMW72
- Enthusiast
- Posts: 45
- Liked: 4 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
Re: Malware Detection Settings
Hi Steve,
Thanks for your explanation in this matter.
To be honest, I'm a little bit confused, because in this case we are adding the path in the trusted objects section; in the suspicious files section we have only the extension *.onion.
In my opinion, the function should be that the malware detection only triggers an alarm if an extension *.onion has been recognized during the scan of a VM, correct?
In addition, we added a lot of paths to the trusted objects section. That means that these paths are excluded from the scan, correct?
Finally, we should only get a malware detection if the scan finds the *.onion.
In addition, we activated the option "inline entropy analysis"; the sensitivity is set to normal. Is this option responsible for the malware detection alert --> Status suspicion --> Type encrypted data?
The trusted objects filter that we can use in the file detection part is not active for the "inline entropy analysis" option, isn't it?
Regards,
Oliver
-
sherzig
- Veeam Software
- Posts: 225
- Liked: 54 times
- Joined: Dec 05, 2018 2:44 pm
- Contact:
Re: Malware Detection Settings
Hi Olivier
I think things are getting mixed up here. As discussed, the Scan Backup mounts the restore points in the C:\VeeamFLR directory.
https://helpcenter.veeam.com/docs/backu ... ackup.html
The exclusions you mentioned are not applied at all using the Scan Backup function. These come into play during the Guest Indexing Data Scan. https://helpcenter.veeam.com/docs/backu ... files.html
At the beginning, you asked why the ID in C:\VeeamFLR changes. My question is, what functionality are you now talking about, and what detection/product triggers an alarm?
Cheers,
Steve
-
OMW72
- Enthusiast
- Posts: 45
- Liked: 4 times
- Joined: Nov 16, 2022 2:18 pm
- Contact:
Re: Malware Detection Settings
Hi Steve,
Yes, I agree things get mixed up here.
The alarm is listed under malware events:
Name: v-epa-db1
Event created: 31.10.2025
Status: Suspicions
Activity date: 31.10.2025.21:01
Details: potential malware activity detected
We executed KB4643 to get more information.
We are using the following functionality within the Malware Detection settings:
Encryption detection
File detection
Which of them triggers the "potential malware activity detected" alarm?
Regards
Oliver
-
sherzig
- Veeam Software
- Posts: 225
- Liked: 54 times
- Joined: Dec 05, 2018 2:44 pm
- Contact:
Re: Malware Detection Settings
Hi Olivier,
The KB article mentioned does not make sense in this context. Please check this table to see what triggers your events: https://helpcenter.veeam.com/docs/backu ... thods.html.
Encryption detection is handled by the inline scan, which happens during backup: https://helpcenter.veeam.com/docs/backu ... ml?ver=120
If it is still unclear, please contact your local Veeam SE or partner to analyze the issues in more detail.
Steve