Question

Malware Detected points to the location of the files but the location is empty.


Userlevel 2

Hello All.

About 5-10 years we were hacked and had ransomware.

 

Installed the latest edition of Veeam and with the malware detection enabled.

 

It now found 20 instances. Some are pointing to certain directories and I can recognize the names of the files and they have the .wallet extension (this appears to be from the old hack I had) when I go to the location of the folder and enable show all files and folders I still do not see these files listed.  I therefore deleted the entire folder (it was junk anyways) and today a day later it detected the same malware in the folder that was deleted yesterday.   I’m trying to figure out how this is detecting items in folders i erased. 

 

Anything tips?


10 comments

Userlevel 5
Badge

@PrismUser Have you tried using malwarebytes to clean the malware?

Userlevel 7
Badge +19

Hi @PrismUser -

There were some issues with the initial release of Veeam's Malware Detection engine. They've implemented some updates to it with the most current release of 12.1.2. Did you install that version? It's supposed to help with false positives. 

Userlevel 7
Badge +19

Hi @PrismUser -

Just following up on your post here. Do you still have questions? Also, what scan engine in Veeam are you using? File System Analysis or Inline Entropy? I did a post on Inline Entropy a few mos ago which may answer any further questions you may have. See below:

Let us know if you still need assistance. 

Best. 

Userlevel 2

Thanks and sorry for the delayed response.

 

I installed the latest, but I was still presented with warning on the following backup.

 

I am warned about 2 servers

 

Potential malware activity detected: too many files have had their names changed since last backup, ensure they were not encrypted by ransomware

 

Suspicious files can be found on the backup server BackupAndFax at C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\suspicious_files_24-06-12.log

Potential malware activity detected:
*.wallet(Globe 3): 3

 

we did get compromised about 8 years ago and yes this .wallet was the extension I can’t seem to locate the 3 files they are referring to even with my hidden files visible.

Userlevel 7
Badge +19

Did you perform an A/V and YARA scan on your systems to see what may be legit vs potentially malicious? See my recent post about Malware analysis below:

Then let me know if you still have questions. 

Userlevel 7
Badge +8

Hi, normally, when you get hit, you remain infected “forever”, 
in so many cases there is impossible to clean up all the extensions and traces of the attack.

In the cases that I suffered, the “best way” was to setup a new server, migrate the data analyzing it deeply with AV and antimalware, and even with that, some junk moved to the new one.

check the info @coolsport00 shared with you, follow your backup points, and test them, test, test, test!

a clean restore point is important, but ensuring that is restorable is even better!

cheers.

Userlevel 7
Badge +19

Hi @PrismUser - I’m just following up on your post here. Still needing assistance with your Malware analysis?

Userlevel 7
Badge +19

Hi @PrismUser - have you performed forensics on this particular system you’re getting Malware Events on? Do you still have questions?...need assistance? If all is ok, and 1 of the provided comments helped you out, we ask you mark which one helped you as ‘Best Answer’ so others with a similar question who come across your post may benefit.

Thank you.

Userlevel 7
Badge +19

Hi @PrismUser -

Following up on your post here. It appears you’re using File System Analysis scanning for Malware Detection. And it also appears you’re getting file change log files in the “Malware_Detection_Logs” folder? I shared a comment in the following post about this...the comment I shared was:

~~~~~~~~
“As this Forums posts states, what this file is...and it’s new with the latest release by Veeam...is a new log file of all files which Veeam saw was deleted, raising a Malware event. 

https://forums.veeam.com/veeam-backup-replication-f2/malware-detection-too-many-files-have-had-their-names-changed-t92081.html

“A log for deleted files has also been added with the previous patch”

The new release Release Notes also state this file is new:

https://www.veeam.com/kb4510

“Bulk Rename events will now create detailed logs with the list of affected files in the following location: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs”

Hope that helps!”
~~~~~~~~

The post is:

Let me know if you still need assistance. If not, please make sure to mark one of the above comments as ‘Best answer’ so others with a similar query who come across your post may benefit.

Best!

Userlevel 7
Badge +19

Hi @PrismUser -

Did you ever peruse the suspicious_files_24-06-12.log log file in Veeam to see the directory Veeam located those potential malware files at? Using FSA, logs should show what directory the files were detected at. 

Let us know.

Comment