Solved

malware detection consistently flags the same files - 12.1.2


Userlevel 4
  • Not a newbie anymore
  • 25 comments

The malware detection consistently flags the same files with known malware extensions as suspicious. Despite marking the servers clean multiple times, the detections persist. Is this behavior intended or possibly a bug?

icon

Best answer by coolsport00 10 July 2024, 20:00

View original

20 comments

Userlevel 7
Badge +19

Hi @Nikks -

Are you marking your VM as ‘clean’ as shown in my latest “Malware Updates/Fixes” post?
 

If, after performing A/V and YARA scans and other manual forensics, you determine a VM’s restore points, since initial Malware event notification, are clean, then you have to mark things as clean in 2 areas - In the Home node > Backups > Disk section. Rt-click the Job the VM is in and select Properties. Select the VM in the top VM list, then for all Restore Points on the bottom, highlight all you found to be clean and rt-click them and select ‘Mark as clean’. Additionally, you then need to go into the Inventory node, rt-click the VM and mark it as clean (do not exclude the VM if you don’t want it to be excluded from future Malware scans). Performing this process in the Inventory node will prevent Veeam from marking the VM’s Restore Points as Suspicious from future/subsequent  scans for the same event. If Veeam finds a new piece of malware, then you would get notified again.

You also may need a “fix” by Veeam Support to stop false positives (see how to attain in my post above).

If you’ve done all of that and are still getting notified, you need to open a case with Veeam Support and report a possible bug. I also recommend notifying Veeam Product Management in this Forum post , so they can have their developers take a look at logs you provide, etc.

Userlevel 7
Badge +21

Yes I would try marking them clean as noted by Shane then go from there.  I had some but after doing this they don't come back again.

Userlevel 4

Hi @Nikks -

Are you marking your VM as ‘clean’ as shown in my latest “Malware Updates/Fixes” post?
 

If, after performing A/V and YARA scans and other manual forensics, you determine a VM’s restore points, since initial Malware event notification, are clean, then you have to mark things as clean in 2 areas - In the Home node > Backups > Disk section. Rt-click the Job the VM is in and select Properties. Select the VM in the top VM list, then for all Restore Points on the bottom, highlight all you found to be clean and rt-click them and select ‘Mark as clean’. Additionally, you then need to go into the Inventory node, rt-click the VM and mark it as clean (do not exclude the VM if you don’t want it to be excluded from future Malware scans). Performing this process in the Inventory node will prevent Veeam from marking the VM’s Restore Points as Suspicious from future/subsequent  scans for the same event. If Veeam finds a new piece of malware, then you would get notified again.

You also may need a “fix” by Veeam Support to stop false positives (see how to attain in my post above).

If you’ve done all of that and are still getting notified, you need to open a case with Veeam Support and report a possible bug. I also recommend notifying Veeam Product Management in this Forum post , so they can have their developers take a look at logs you provide, etc.

It is appearing after marking it as clean 

Userlevel 7
Badge +19

Then I recommend as I previously suggested & open a case with Support to log a potential bug.

Please keep us posted. 

Userlevel 7
Badge +19

@Nikks - you are on the latest VBR release (v12.1.2.###), correct?

And which Scan engine do you have enabled?...Inline Entropy, File System Analysis or both?

Userlevel 4

Hi @Nikks -

Are you marking your VM as ‘clean’ as shown in my latest “Malware Updates/Fixes” post?
 

If, after performing A/V and YARA scans and other manual forensics, you determine a VM’s restore points, since initial Malware event notification, are clean, then you have to mark things as clean in 2 areas - In the Home node > Backups > Disk section. Rt-click the Job the VM is in and select Properties. Select the VM in the top VM list, then for all Restore Points on the bottom, highlight all you found to be clean and rt-click them and select ‘Mark as clean’. Additionally, you then need to go into the Inventory node, rt-click the VM and mark it as clean (do not exclude the VM if you don’t want it to be excluded from future Malware scans). Performing this process in the Inventory node will prevent Veeam from marking the VM’s Restore Points as Suspicious from future/subsequent  scans for the same event. If Veeam finds a new piece of malware, then you would get notified again.

You also may need a “fix” by Veeam Support to stop false positives (see how to attain in my post above).

If you’ve done all of that and are still getting notified, you need to open a case with Veeam Support and report a possible bug. I also recommend notifying Veeam Product Management in this Forum post , so they can have their developers take a look at logs you provide, etc.

It is appearing after marking it as clean from Inventory 

So, just to clarify, you want me to leave unchecked the option "Mark restore points affected by corresponding detection events as clean"?

Userlevel 7
Badge +19

Hi @Nikks -

No...you have to check that box if, after performing scans and forensics on your VM, you’ve determined the VM’s Restore Points are clean. After you check that box, all future backups and scans will not mark Restore Points as suspicious, UNLESS a new malware event/suspicion is detected.

Any previous Restore Point still marked as Suspicious and you are confident are clean, you’ll then need to go into the Home node > Backups > Disk section, rt-click the Job > Properties, then select the VM at the top and highlight any previous/historical Restore Points you feel are ‘clean’. Select any one or all, rt-click, then choose ‘Mark as Clean’.

Let me know if you continue to have questions.

Userlevel 7
Badge +19

In my environment, I had the same issue you did. But once I 1. updated Veeam to latest version, and 2. applied the Veeam ‘fix’ for Inline Entropy scans (based on my post I shared above), I then received no more Suscipions on my future Restore Points after I select the box from your screenshot. On this particular VM, I did leave some historical Restore Points (not all) as infected/Suspicious because they did indeed contain a virus file. I just let my Veeam Backup Job’s Retention clear out those Restore Points, which it since has.

Userlevel 4

Hi @Nikks -

No...you have to check that box if, after performing scans and forensics on your VM, you’ve determined the VM’s Restore Points are clean. After you check that box, all future backups and scans will not mark Restore Points as suspicious, UNLESS a new malware event/suspicion is detected.

Any previous Restore Point still marked as Suspicious and you are confident are clean, you’ll then need to go into the Home node > Backups > Disk section, rt-click the Job > Properties, then select the VM at the top and highlight any previous/historical Restore Points you feel are ‘clean’. Select any one or all, rt-click, then choose ‘Mark as Clean’.

Let me know if you continue to have questions.

I configured as above settings on the 2 sections inventory and Disk section, still alerts appearing. Where will i get the patch for stopping this malware false alerts , the fix you mentioned for onion link applies for the malware detection  as well ?

 

Userlevel 7
Badge +19

Hi @Nikks -

Ok, so with the message/warning/event you shared there...it appears you’re using Veeam’s File System Analysis (FSA) engine, and not the Inline Entropy? The fix I talked about above & in my post is for the Inline Entropy scan engine, not File System Analysis.

Also, can you confirm the Veeam version you’re on? While in the Console, if you look at the bottom edge of the Console window, you should see the version you’re on, like shown below:

Veeam version

Veeam did provide updates to the FSA engine in their latest release v12.1.2.172. So if you’re not upgraded to that version yet, I recommend doing so.

Let me know...

Userlevel 7
Badge +19

If possible, take a pic/screenshot of your configured Malware setting to show me which ‘engine’ you have enabled...FSA and/or Inline Entropy. Go to the Console menu in the upper left corner > Malware Detection, and take a screenshot of the General tab please. 

Thank you.

Userlevel 4

Hi @Nikks -

Ok, so with the message/warning/event you shared there...it appears you’re using Veeam’s File System Analysis (FSA) engine, and not the Inline Entropy? The fix I talked about above & in my post is for the Inline Entropy scan engine, not File System Analysis.

Also, can you confirm the Veeam version you’re on? While in the Console, if you look at the bottom edge of the Console window, you should see the version you’re on, like shown below:

Veeam version

Veeam did provide updates to the FSA engine in their latest release v12.1.2.172. So if you’re not upgraded to that version yet, I recommend doing so.

Let me know...

12.1.2.172 - Enterprise Plus

Userlevel 7
Badge +19

Ok great...you’re on the latest release. Which scan engine are you using?...FSA or Inline Entropy?

Userlevel 4

Ok great...you’re on the latest release. Which scan engine are you using?...FSA or Inline Entropy?

 

Userlevel 7
Badge +19

Ok, thanks @Nikks . So, the fix I spoke about in my article is for Inline Entropy scans. The only other Malware update Veeam had come out with the past month besides what I shared was part of the latest  VBR release which came out the end of May (v12.1.2). So, you should be all good as far as Malware fixes/updates go.

You have 1 of a few options from here → 1. perform A/V and YARA scans on your VM(s) causing the issue and remove those malware files causing the event/suspicion. Then hopefully you won’t receive anymore suspicious marks on your restore points for future/subsequent backups and scans; or, 2. exclude the VM(s) in question completely from being scanned. To do this, you not only select the 1st option in the screenshot you posted earlier about having ‘clean restore points’, but you would also select the 2nd option to exclude the entire VM from future scans. My guess is you probably don’t want to go that route in case you do get hit with malware, you’d want Veeam to detect it; or 3. contact Veeam Support to see what further can be done, or share other options I might not know about or have missed.

Best.

Userlevel 4

Ok, thanks @Nikks . So, the fix I spoke about in my article is for Inline Entropy scans. The only other Malware update Veeam had come out with the past month besides what I shared was part of the latest  VBR release which came out the end of May (v12.1.2). So, you should be all good as far as Malware fixes/updates go.

You have 1 of a few options from here → 1. perform A/V and YARA scans on your VM(s) causing the issue and remove those malware files causing the event/suspicion. Then hopefully you won’t receive anymore suspicious marks on your restore points for future/subsequent backups and scans; or, 2. exclude the VM(s) in question completely from being scanned. To do this, you not only select the 1st option in the screenshot you posted earlier about having ‘clean restore points’, but you would also select the 2nd option to exclude the entire VM from future scans. My guess is you probably don’t want to go that route in case you do get hit with malware, you’d want Veeam to detect it; or 3. contact Veeam Support to see what further can be done, or share other options I might not know about or have missed.

Best.

Thank you. Part 1 → All of those files have been scanned by our third-party software and confirmed to be clean, so we cannot remove them. Part 2 → Enabling Malware detection would then be pointless.

Userlevel 7
Badge +19

@Nikks - for Part 1. Great. Good to hear. So, have you added those files as exclusions?...since you’re using FSA, you can add exclusions. Now, I don’t use FSA in my environment so not sure how well exclusions work with FSA. But, I think Veeam made changes recently with its latest update and believe exclusions now do what customers want more than they did with initial release. And, according to the User Guide, it looks like you can add folders/directories, as well as individual files to exclude:

https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_guest_index_manage_list.html?ver=120

This may be exactly what you’re needing.

As for Part 2. I agree. Thus why I was waiting for updates for the scan engine I use (Inline Entropy).

Add exclusions to FSA then let me know how things go.

Userlevel 7
Badge +19

Hi @Nikks -

Just checking in to see if you implemented the needed FSA exclusions and how your backup Restore Points are now fairing.

Userlevel 4

Hi @Nikks -

Just checking in to see if you implemented the needed FSA exclusions and how your backup Restore Points are now fairing.

It Worked . Thanks 

Userlevel 7
Badge +19

Glad to hear! 

Hi @Madi.Cristil  @safiya  can we undo the Best Answer that was marked here so the exclusion suggestion comment I gave above, which was what worked, could be selected? That way others who have a similar issue and come across this thread/post will benefit. 

Thanks! 

Comment