adam900331
Veteran
Posts: 323
Liked: 23 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Malware Scan reports onion link

Post by adam900331 »

Hi!

Yesterday I upgraded to 12.1.2.172. During the backup I got a warning on 2 VMs that an onion link was found. I scanned the backup with a YARA rule, and after some minutes it reported an error with the following:
2024. 07. 16. 12:20:40 Failed [C:] YARA scan has encountered a match

Are there any logs to find which file contains onion links on the affected VM?

Thanks.
david.domask
Veeam Software
Posts: 2607
Liked: 610 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: Malware Scan reports onion link

Post by david.domask » 1 person likes this post

Hi adam900331,

You should see the results of the YARA scan as below and in this User Guide Page:
https://helpcenter.veeam.com/docs/backu ... og&ver=120

%ProgramData%/Veeam/Backup/FLRSessions/Windows/FLR__[name of the machine scanned]/Antivirus/YARA*.log.

For example, from our lab:
C:\ProgramData\Veeam\Backup\FLRSessions\Windows\FLR__ddom-malware-box_\Antivirus\
>YARA-Volume1.log
>YARA-Volume0.log

And will have some message like:

[16.07.2024 15:48:48.151]    <23>    Info (3)    Begin scan process: ExecutablePath = [C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\yara64.exe] Args = ["C:\Windows\TEMP\tmpEF79.tmp" -r -g -p 8 -N "C:\VeeamFLR\ddom-malware-box_153cafd5\Volume1"].
[16.07.2024 15:52:39.620]   <144>    Info (3)    OnionLinks [] C:\VeeamFLR\ddom-malware-box_153cafd5\Volume1\sadklfjsd;lkf.txt
[16.07.2024 15:52:39.620]   <144> Warning (3)    Threat found. Antivirus output: OnionLinks [] C:\VeeamFLR\ddom-malware-box_153cafd5\Volume1\sadklfjsd;lkf.txt

Is it not present on your system?

Similarly, if you run it as part of the Content Scan and Verification only SureBackup job or a Scan Backup, it should show a button on the bottom of the session window "Scan Log" as shown in the first link.
David Domask | Product Management: Principal Analyst
adam900331
Veteran
Posts: 323
Liked: 23 times
Joined: Dec 01, 2019 7:27 pm
Contact:

Re: Malware Scan reports onion link

Post by adam900331 »

Hi David,

Thanks, I found the log files.

The YARA scan found some files in the Windows\WinSxS folder. I think it's a false positive. Furthermore, I scanned the backup content with our Symantec, and it didn't report virus activity.
david.domask
Veeam Software
Posts: 2607
Liked: 610 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: Malware Scan reports onion link

Post by david.domask » 1 person likes this post

Hi adam900331,

Glad you found it; if your research leads you to believe it's a false positive and you're satisfied that the research is complete. I would also be surprised if it was in the WinSxS folder, but it's good that you're taking the time to double-check and investigate the results. I would check fresh backups with Scan Backup or other YARA scan options "just in case", to make sure everything looks normal to help confirm the conclusion of false positive.
David Domask | Product Management: Principal Analyst
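A small parser for the YARA-Volume*.log format shown in the earlier reply, added here as an example; it is not Veeam's code and is not from this thread. It assumes each per-volume log contains one "Begin scan process" line whose -N argument is the FLR mount root for that volume, and it uses a constructed log sample modeled on the excerpt above (the VM name, mount id and the WinSxS hit are made up). It strips the temporary C:\VeeamFLR mount prefix to recover the in-guest path, and flags hits under Windows\WinSxS so they can be pulled out for the kind of double-check discussed in the last two posts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed sample modeled on the YARA log excerpt in the thread; not real scan output.
SAMPLE_LOG = r"""[16.07.2024 15:48:48.151]    <23>    Info (3)    Begin scan process: ExecutablePath = [C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\yara64.exe] Args = ["C:\Windows\TEMP\tmpEF79.tmp" -r -g -p 8 -N "C:\VeeamFLR\example-vm_0000000\Volume1"].
[16.07.2024 15:52:39.620]   <144>    Info (3)    OnionLinks [] C:\VeeamFLR\example-vm_0000000\Volume1\sadklfjsd;lkf.txt
[16.07.2024 15:52:39.620]   <144> Warning (3)    Threat found. Antivirus output: OnionLinks [] C:\VeeamFLR\example-vm_0000000\Volume1\sadklfjsd;lkf.txt
[16.07.2024 15:53:01.004]   <144> Warning (3)    Threat found. Antivirus output: OnionLinks [] C:\VeeamFLR\example-vm_0000000\Volume1\Windows\WinSxS\amd64_example_component\readme.txt
"""

# The -N argument of the "Begin scan process" line is the mounted volume root (assumption).
BEGIN_RE = re.compile(r'Begin scan process:.*-N "(?P<root>[^"]+)"')

# Only the Warning line is counted; the preceding Info line repeats the same match.
THREAT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+<\d+>\s+Warning \(\d+\)\s+Threat found\. Antivirus output: '
    r'(?P<rule>\S+) \[(?P<tags>[^\]]*)\] (?P<path>.+?)\s*$'
)


@dataclass(frozen=True)
class Threat:
    timestamp: str
    rule: str            # YARA rule name, e.g. OnionLinks
    tags: Tuple[str, ...]
    mounted_path: str    # path under the temporary C:\VeeamFLR mount
    guest_path: str      # same file, relative to the guest volume root
    in_winsxs: bool      # True when the hit lives in Windows\WinSxS


def parse_mount_root(log_text: str) -> Optional[str]:
    """Return the FLR mount root recorded in the Begin scan line, if present."""
    for line in log_text.splitlines():
        m = BEGIN_RE.search(line)
        if m:
            return m.group("root")
    return None


def to_guest_path(mounted_path: str, mount_root: Optional[str]) -> str:
    """Strip the mount prefix (case-insensitively) so the path refers to the guest volume."""
    if mount_root:
        prefix = mount_root.rstrip("\\") + "\\"
        if mounted_path.lower().startswith(prefix.lower()):
            return mounted_path[len(prefix):]
    return mounted_path


def is_in_winsxs(guest_path: str) -> bool:
    """True when the path is directly under the Windows\\WinSxS component store."""
    parts = [p.lower() for p in PureWindowsPath(guest_path).parts]
    return "winsxs" in parts and parts.index("winsxs") > 0 and parts[parts.index("winsxs") - 1] == "windows"


def parse_threats(log_text: str) -> List[Threat]:
    """Extract every 'Threat found' record from one per-volume YARA log."""
    root = parse_mount_root(log_text)
    threats: List[Threat] = []
    for line in log_text.splitlines():
        m = THREAT_RE.match(line)
        if not m:
            continue
        guest = to_guest_path(m.group("path"), root)
        tags = tuple(t for t in m.group("tags").split() if t)
        threats.append(Threat(m.group("ts"), m.group("rule"), tags,
                              m.group("path"), guest, is_in_winsxs(guest)))
    return threats


def summarize(threats: List[Threat]) -> Dict[str, Dict[str, int]]:
    """Count hits per rule, and how many of them sit in WinSxS and deserve a closer look."""
    summary: Dict[str, Dict[str, int]] = {}
    for t in threats:
        bucket = summary.setdefault(t.rule, {"total": 0, "in_winsxs": 0})
        bucket["total"] += 1
        bucket["in_winsxs"] += int(t.in_winsxs)
    return summary


if __name__ == "__main__":
    found = parse_threats(SAMPLE_LOG)
    for t in found:
        flag = "  [WinSxS: review]" if t.in_winsxs else ""
        print(f"{t.timestamp}  {t.rule}  {t.guest_path}{flag}")
    print(summarize(found))
```

Point it at a real YARA-Volume1.log by reading the file into `parse_threats`; the guest-relative path is what you would look up on the VM, since the C:\VeeamFLR mount path only exists while the FLR session is open.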