Skip to main content
  • EN
Solved

Malware Detected points to the location of the files but the location is empty.

Hello All.

About 5-10 years we were hacked and had ransomware.

 

Installed the latest edition of Veeam and with the malware detection enabled.

 

It now found 20 instances. Some are pointing to certain directories and I can recognize the names of the files and they have the .wallet extension (this appears to be from the old hack I had) when I go to the location of the folder and enable show all files and folders I still do not see these files listed.  I therefore deleted the entire folder (it was junk anyways) and today a day later it detected the same malware in the folder that was deleted yesterday.   I’m trying to figure out how this is detecting items in folders i erased. 

 

Anything tips?

10 comments

L
Userlevel 5
Badge

@PrismUser Have you tried using malwarebytes to clean the malware?

coolsport00
Userlevel 7
Badge +19

Hi @PrismUser -

There were some issues with the initial release of Veeam's Malware Detection engine. They've implemented some updates to it with the most current release of 12.1.2. Did you install that version? It's supposed to help with false positives. 

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
coolsport00
Userlevel 7
Badge +19

Hi @PrismUser -

Just following up on your post here. Do you still have questions? Also, what scan engine in Veeam are you using? File System Analysis or Inline Entropy? I did a post on Inline Entropy a few mos ago which may answer any further questions you may have. See below:

Let us know if you still need assistance. 

Best. 

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
P
Userlevel 2

Thanks and sorry for the delayed response.

 

I installed the latest, but I was still presented with warning on the following backup.

 

I am warned about 2 servers

 

Potential malware activity detected: too many files have had their names changed since last backup, ensure they were not encrypted by ransomware

 

Suspicious files can be found on the backup server BackupAndFax at C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\suspicious_files_24-06-12.log

Potential malware activity detected:
*.wallet(Globe 3): 3

 

we did get compromised about 8 years ago and yes this .wallet was the extension I can’t seem to locate the 3 files they are referring to even with my hidden files visible.

coolsport00
Userlevel 7
Badge +19

Did you perform an A/V and YARA scan on your systems to see what may be legit vs potentially malicious? See my recent post about Malware analysis below:

Then let me know if you still have questions. 

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
HunterLAFR
Userlevel 7
Badge +8

Hi, normally, when you get hit, you remain infected “forever”, 
in so many cases there is impossible to clean up all the extensions and traces of the attack.

In the cases that I suffered, the “best way” was to setup a new server, migrate the data analyzing it deeply with AV and antimalware, and even with that, some junk moved to the new one.

check the info @coolsport00 shared with you, follow your backup points, and test them, test, test, test!

a clean restore point is important, but ensuring that is restorable is even better!

cheers.

Luis F.- HunterLF - HunterLAFR - lfconsulting.org
coolsport00
Userlevel 7
Badge +19

Hi @PrismUser - I’m just following up on your post here. Still needing assistance with your Malware analysis?

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
coolsport00
Userlevel 7
Badge +19

Hi @PrismUser - have you performed forensics on this particular system you’re getting Malware Events on? Do you still have questions?...need assistance? If all is ok, and 1 of the provided comments helped you out, we ask you mark which one helped you as ‘Best Answer’ so others with a similar question who come across your post may benefit.

Thank you.

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
coolsport00
Userlevel 7
Badge +19

Hi @PrismUser -

Following up on your post here. It appears you’re using File System Analysis scanning for Malware Detection. And it also appears you’re getting file change log files in the “Malware_Detection_Logs” folder? I shared a comment in the following post about this...the comment I shared was:

~~~~~~~~
“As this Forums posts states, what this file is...and it’s new with the latest release by Veeam...is a new log file of all files which Veeam saw was deleted, raising a Malware event. 

https://forums.veeam.com/veeam-backup-replication-f2/malware-detection-too-many-files-have-had-their-names-changed-t92081.html

“A log for deleted files has also been added with the previous patch”

The new release Release Notes also state this file is new:

https://www.veeam.com/kb4510

“Bulk Rename events will now create detailed logs with the list of affected files in the following location: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs”

Hope that helps!”
~~~~~~~~

The post is:

Let me know if you still need assistance. If not, please make sure to mark one of the above comments as ‘Best answer’ so others with a similar query who come across your post may benefit.

Best!

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
coolsport00
Userlevel 7
Badge +19

Hi @PrismUser -

Did you ever peruse the suspicious_files_24-06-12.log log file in Veeam to see the directory Veeam located those potential malware files at? Using FSA, logs should show what directory the files were detected at. And, if what is found is determined to be a false positive, you can set exclusions in the FSA engine:
https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_guest_index_manage_list.html?ver=120

I recently assisted another user who seemed to have the same issue as you:

Let us know.

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00

Comment


Terms & Conditions