12.1 Malware Detection


Userlevel 7
Badge +8

I love this feature but with the thousands of file types I have I get a ton of false positives.

Is there any way to customize this “per server” with each file type? Or disable it for some servers/folders, etc.?

When I mark a job as clean, it seems to find the files on the next job. I thought that it should assume those files to be ok going forward. 


33 comments

Userlevel 7
Badge +20

We have just had a Veeam Malware Detection on a Cisco FMC VMware VM backup. It’s a Ransomware Note detection. I am thinking the Cisco FMC could legitimately have this in a signature file for AMP, and so it’s a false positive - does anyone agree, please?

 

It would be hard to agree or disagree as you will need to investigate the logs to see what was detected and then if a false positive mark it as clean.

Userlevel 7
Badge +17

We have just had a Veeam Malware Detection on a Cisco FMC VMware VM backup. It’s a Ransomware Note detection. I am thinking the Cisco FMC could legitimately have this in a signature file for AMP, and so it’s a false positive - does anyone agree, please?

 

@Charles Leighton - it's difficult to say definitively because: 1. I don't know your environment, and 2. Ransomware Note is an Inline Scan and Veeam doesn't provide file names or locations.

That being said, Veeam is working on feature updates for their Malware engine which should help. No timeframe when the update will come though. 


Userlevel 7
Badge +8

That would be perfect. It’s such a new feature I think this will only grow as versions increase. The fact it did trigger some real alerts of encrypted files from something that happened years ago allowed me to clean it all up, and makes me not want to exclude everything.  

Userlevel 7
Badge +9

Rick - what do you think of the ability to be able to add folder exclusions, as a future feature enhancement? It appears it would have value. Thoughts?

I would be all for this definitely. It would work in a similar fashion to AV exclusions where you can do file, folder, etc.

From my point of view, folder exclusions can be dangerous as you no longer have control and they would never be checked again by the inline scan.

You would need a rule of overwriting scan alarms already detected and accepted by the operator previously and only alerting you if new files are detected etc. 
 

Well in my case, if it’s omit specific folders or don’t use the feature at all, I know what option I’ll choose.

That being said, I understand that if someone omits a root folder it’s not going to be monitored, but if you are going to that extreme you might as well just disable malware scans on that server. 

I like the idea of choosing to ignore file types on specific folders/servers. Perhaps I save files to a single location that trigger it every week. That would solve the issue, but not affect monitoring somewhere I want to be alerted on that file type.

I think the idea of accepting currently flagged false positives is the easiest sell though. Users could even have to accept the risk. The list of locations from the malware log file could show up on screen and force them to click confirm to put the responsibility on the Veeam Admin. 

It would have to be a combination of both, to be preventative and reactive to many years of files, as I don’t want to go and ignore every single folder.

In addition to the option I proposed, one could also implement the feature of granular exclusion of file extensions, or trusted extensions, on the individual server. 😎


Userlevel 7
Badge +17

Yeah...he’s being a tease! 😁

Userlevel 7
Badge +20

Rick - what do you think of the ability to be able to add folder exclusions, as a future feature enhancement? It appears it would have value. Thoughts?

Just you wait on feature requests :) I have something brewing. 

Ooh can we get a hint.  🤣

Userlevel 7
Badge +17

"Just you wait on feature requests :) I have something brewing." Ohhhh! 😎


Userlevel 7
Badge +20

Rick - what do you think of the ability to be able to add folder exclusions, as a future feature enhancement? It appears it would have value. Thoughts?

I would be all for this definitely. It would work in a similar fashion to AV exclusions where you can do file, folder, etc.

From my point of view, folder exclusions can be dangerous as you no longer have control and they would never be checked again by the inline scan.

You would need a rule of overwriting scan alarms already detected and accepted by the operator previously and only alerting you if new files are detected etc. 
 

Absolutely agree with this depending on the user and use case.  For those that are tech savvy however I don’t see this being an issue especially if the folder you are excluding is say ISO files for installs or something that does not change often.  Overall, it would be better not to have this for security but then there is the case to be made for it.  I guess we will see what happens in the future as this progresses. 😁


Userlevel 7
Badge +8

I believe the logic now is per-server exclusion OR per-file type exclusion.

It doesn’t have the ability to exclude a set of file types on a selection of servers.  

I like the recommendation above by @Link State 

Thanks for confirming. 

I’ll play around a bit more, but I think the reality is I have too many files and file types that will trigger it constantly. Masking out all my servers or almost every file type isn’t helpful. I’ll start by just masking out everything flagged. At least new malicious file types will still trigger an alert.

I’ll create a feature request in R+D to have more granular control on the masking. 

I’ll also ask for the ability to not alert on “accepted files”. It would be nice to just say everything in that log file is safe, and skip them on following scans. (I’d assume that wouldn’t be hard to implement either.)

Userlevel 7
Badge +8

I assume those ‘old files’ are no longer causing issue?

Hopefully you have a plan moving forward Scott. This has been a good thread since that feature is so new. Have been learning quite a bit through everyone’s comments :)

No, they are still showing as malware.


Userlevel 7
Badge +10

I believe the logic now is per-server exclusion OR per-file type exclusion.

It doesn’t have the ability to exclude a set of file types on a selection of servers.  

I like the recommendation above by @Link State 

Userlevel 7
Badge +20

Clicking exclude workload will just omit all my file servers which is really what I want to do.

Interestingly enough, the files are all back though, showing the false positives from last night’s backups.

I’ll look into this a bit more and see what I can do with the rules. It’s not the end of the world. I did find a bunch of encrypted files from years back when there was an incident, so the feature works.

I suppose I can just look at the logs every day to see if there is a change in file size, or create a script to extract the current day’s vs the previous day’s and show the differences. I could email that to myself to not have to do it manually.

 

Not sure if you use VONE but there are some nice reports and alerts there too for the Malware piece.

Userlevel 7
Badge +17

I assume those ‘old files’ are no longer causing issue?

Hopefully you have a plan moving forward Scott. This has been a good thread since that feature is so new. Have been learning quite a bit through everyone’s comments :)

Userlevel 7
Badge +8

Clicking exclude workload will just omit all my file servers which is really what I want to do.

Interestingly enough, the files are all back though, showing the false positives from last night’s backups.

I’ll look into this a bit more and see what I can do with the rules. It’s not the end of the world. I did find a bunch of encrypted files from years back when there was an incident, so the feature works.

I suppose I can just look at the logs every day to see if there is a change in file size, or create a script to extract the current day’s vs the previous day’s and show the differences. I could email that to myself to not have to do it manually.
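The day-over-day comparison Scott describes above, combined with the "accept everything already flagged, alert only on what is new" rule and the per-server extension exclusions requested earlier in the thread, written out as an added example. This is not code from any post here and not Veeam's own tooling. The pipe-separated "server | path | size | reason" log layout, the server names, paths, sizes and the exclusion table are all constructed for the example; Veeam's real malware detection log is laid out differently, so parse_log() would need to be adapted to it.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data for this example. The "server | path | size | reason"
# layout is an ASSUMPTION, not Veeam's real log format; adapt parse_log() to
# whatever your detection log actually emits.
YESTERDAY = r"""
fs01 | D:\Media\proj\clip01.vdx | 10240 | suspicious extension
fs01 | D:\Media\proj\clip02.vdx | 20480 | suspicious extension
fs02 | E:\Share\old\report.docx.locky | 5120 | encrypted file
"""

TODAY = r"""
fs01 | D:\Media\proj\clip01.vdx | 10240 | suspicious extension
fs01 | D:\Media\proj\clip02.vdx | 20480 | suspicious extension
fs02 | E:\Share\old\report.docx.locky | 6144 | encrypted file
fs02 | E:\Share\finance\budget.xlsx.locky | 4096 | encrypted file
fs03 | F:\Render\out\frame.vdx | 8192 | suspicious extension
"""

# Per-server extension exclusions: the granular rule the thread asks for
# (hypothetical; the product as described only offers per-server OR per-type).
EXCLUSIONS: Dict[str, Set[str]] = {"fs01": {".vdx"}}


@dataclass(frozen=True)
class Detection:
    server: str
    path: str
    size: int
    reason: str

    @property
    def extension(self) -> str:
        """Lower-cased final extension ('.locky' for 'report.docx.locky'), '' if none."""
        name = self.path.replace("/", "\\").rsplit("\\", 1)[-1]
        return name[name.rfind("."):].lower() if "." in name else ""


def parse_log(text: str) -> List[Detection]:
    """Parse the constructed log layout; fail loudly on anything unexpected."""
    out: List[Detection] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4 or not fields[2].isdigit():
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        server, path, size, reason = fields
        out.append(Detection(server, path, int(size), reason))
    return out


def accept_all(dets: Iterable[Detection]) -> Dict[Tuple[str, str], int]:
    """The operator's 'everything in this log is clean' baseline: (server, path) -> size."""
    return {(d.server, d.path): d.size for d in dets}


def is_excluded(d: Detection, per_server_ext: Dict[str, Set[str]]) -> bool:
    return d.extension in per_server_ext.get(d.server, set())


def triage(today: List[Detection], accepted: Dict[Tuple[str, str], int],
           per_server_ext: Dict[str, Set[str]]):
    """Split today's detections into new, changed-since-accepted, and suppressed."""
    new, changed, suppressed = [], [], []
    for d in today:
        if is_excluded(d, per_server_ext):
            suppressed.append(d)
            continue
        key = (d.server, d.path)
        if key not in accepted:
            new.append(d)          # never seen before: alert
        elif accepted[key] != d.size:
            changed.append(d)      # accepted once, but the file changed since: re-alert
        else:
            suppressed.append(d)   # same file, same size as when it was accepted
    return new, changed, suppressed


def run_example():
    accepted = accept_all(parse_log(YESTERDAY))
    return triage(parse_log(TODAY), accepted, EXCLUSIONS)


if __name__ == "__main__":
    new, changed, suppressed = run_example()
    for label, group in (("NEW", new), ("CHANGED", changed), ("SUPPRESSED", suppressed)):
        for d in group:
            print(f"{label:10} {d.server} {d.path} ({d.size} bytes) - {d.reason}")
```

The baseline is keyed on (server, path) and remembers the size at acceptance, so a file that was accepted as a false positive but has since changed (report.docx.locky here) is surfaced again rather than silently staying suppressed; the exclusion check runs first, so an excluded extension on fs01 never alerts while the same extension on fs03 still does. Mailing the NEW and CHANGED lists to yourself is the only piece left out.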

 

Userlevel 7
Badge +20

Using that checkbox is the same as adding it to the global exclusion list.  😉

Userlevel 7
Badge +20

I know you can exclude file types and have already added a few. Excluding all the file types in my false positives would be about as useful as totally disabling the feature. Because it is different types on different servers a bit more customization would be the only way. 

I am in a bit of a unique circumstance as I have thousands if not tens of thousands of different file types and many are from video players and viewers. Many of them just create their own file type extensions to work in their software and get flagged. 

 

I did find this

  1. If the malware detection event was a false positive, specify the reason, select the Mark restore points affected by corresponding detection events as clean check box, and click Yes. The malware status of the machine will be automatically updated. Previous restore points will be marked as clean. Next restore points will not be marked as suspicious or infected.

I was hoping that this would perhaps keep track of the files so they wouldn’t get re-flagged on the next run, but it didn’t seem to do that. It marked the backup as clean, but then on the next scan it seemed to flag them again. I’ll keep playing around with it.

 

I think this marks that run clean and restore points on disk but does not mean it will not detect it again. At least that is what I have seen in testing.

Userlevel 7
Badge +17

Because this is so new, I’m sure there’s going to be trial and error per organization/environment. But, wording in the Guide is pretty important to help us get our environment where we want it without minimizing/decreasing the value of the malware scans.

Userlevel 7
Badge +9

check this @Scott  

How Malware Detection Works - User Guide for VMware vSphere (veeam.com)

 

 

Managing Malware Status - User Guide for VMware vSphere (veeam.com)

You can open a ticket with support for clarification.

Userlevel 7
Badge +8

To me, that seems like a bug then Scott...doesn’t it to you? I interpret that as no more marks as infected for future scans. Maybe reach out to support, or better yet, inquire to PMs on the Forums on the behavior?

That’s possible, but I could be interpreting it wrong too. 

I just checked the box and will see what happens on the next run.   I have hundreds of millions of files so I don’t expect this to be perfect, but If I can get it close, checking that malware detection log isn’t too bad.  
