Malware Scan reports onion link

[adam900331]

Hy!

Yesterday I upgraded to 12.1.2.172. During the backup I got warning on 2 VMs that found onion link. I scaned the backup with YARA rule, and after some minutes report error with the folllowing:
2024. 07. 16. 12:20:40 Failed [C:] YARA scan has encountered a match

Are there any log to find which file contain onion links on the affected VM?

Thanks.

[david.domask]

Hi adam900331,

You should see the results of the YARA scan as below and in this User Guide Page:
https://helpcenter.veeam.com/docs/backu ... og&ver=120

%ProgramData%/Veeam/Backup/FLRSessions/Windows/FLR__[name of the machine scanned]/Antivirus/YARA*.log.

For example, from our lab:
C:\ProgramData\Veeam\Backup\FLRSessions\Windows\FLR__ddom-malware-box_\Antivirus\
>YARA-Volume1.log
>YARA-Volume0.log

And will have some message like:

Code: Select all

[16.07.2024 15:48:48.151]    <23>    Info (3)    Begin scan process: ExecutablePath = [C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\yara64.exe] Args = ["C:\Windows\TEMP\tmpEF79.tmp" -r -g -p 8 -N "C:\VeeamFLR\ddom-malware-box_153cafd5\Volume1"].
[16.07.2024 15:52:39.620]   <144>    Info (3)    OnionLinks [] C:\VeeamFLR\ddom-malware-box_153cafd5\Volume1\sadklfjsd;lkf.txt
[16.07.2024 15:52:39.620]   <144> Warning (3)    Threat found. Antivirus output: OnionLinks [] C:\VeeamFLR\ddom-malware-box_153cafd5\Volume1\sadklfjsd;lkf.txt

Is it not present on your system?

Similarly, if you run it as part of the Content Scan and Verification only SureBackup job or a Scan Backup, it should show a button on the bottom of the session window "Scan Log" as shown in the first link.

[adam900331]

Hy David,

Thanks, I found the logs file.

During the YARA scan found some file in Windows\WinSxS folder. I think its false positive. Furthermore I scan the backup content with our Symantec, and it didn't report virus activity.

[david.domask]

Hi adam900331,

Glad you found it; if your research leads you to believe it's a false positive and you're satisfied that the research is complete. I would be surprised also if it was in WinSxS folder, but it's good that you're taking the time to double-check and investigate the results. I would check fresh backups with Scan Backup or other YARA scan options "just in case", to make sure everything looks normal to help confirm the conclusion of false positive.