The malware detection consistently flags the same files with known malware extensions as suspicious. Despite marking the servers clean multiple times, the detections persist. Is this behavior intended or possibly a bug?
malware detection consistently flags the same files - 12.1.2
Userlevel 7
+19
Hi
Are you marking your VM as ‘clean’ as shown in my latest “Malware Updates/Fixes” post?
If, after performing A/V and YARA scans and other manual forensics, you determine a VM’s restore points, since initial Malware event notification, are clean, then you have to mark things as clean in 2 areas - In the Home node > Backups > Disk section. Rt-click the Job the VM is in and select Properties. Select the VM in the top VM list, then for all Restore Points on the bottom, highlight all you found to be clean and rt-click them and select ‘Mark as clean’. Additionally, you then need to go into the Inventory node, rt-click the VM and mark it as clean (do not exclude the VM if you don’t want it to be excluded from future Malware scans). Performing this process in the Inventory node will prevent Veeam from marking the VM’s Restore Points as Suspicious from future/subsequent scans for the same event. If Veeam finds a new piece of malware, then you would get notified again.
You also may need a “fix” by Veeam Support to stop false positives (see how to attain in my post above).
If you’ve done all of that and are still getting notified, you need to open a case with Veeam Support and report a possible bug. I also recommend notifying Veeam Product Management in this Forum post , so they can have their developers take a look at logs you provide, etc.
Userlevel 7
+21
Yes I would try marking them clean as noted by Shane then go from there. I had some but after doing this they don't come back again.
Hi
Are you marking your VM as ‘clean’ as shown in my latest “Malware Updates/Fixes” post?
If, after performing A/V and YARA scans and other manual forensics, you determine a VM’s restore points, since initial Malware event notification, are clean, then you have to mark things as clean in 2 areas - In the Home node > Backups > Disk section. Rt-click the Job the VM is in and select Properties. Select the VM in the top VM list, then for all Restore Points on the bottom, highlight all you found to be clean and rt-click them and select ‘Mark as clean’. Additionally, you then need to go into the Inventory node, rt-click the VM and mark it as clean (do not exclude the VM if you don’t want it to be excluded from future Malware scans). Performing this process in the Inventory node will prevent Veeam from marking the VM’s Restore Points as Suspicious from future/subsequent scans for the same event. If Veeam finds a new piece of malware, then you would get notified again.
You also may need a “fix” by Veeam Support to stop false positives (see how to attain in my post above).
If you’ve done all of that and are still getting notified, you need to open a case with Veeam Support and report a possible bug. I also recommend notifying Veeam Product Management in this Forum post , so they can have their developers take a look at logs you provide, etc.
It is appearing after marking it as clean
Userlevel 7
+19
Then I recommend as I previously suggested & open a case with Support to log a potential bug.
Please keep us posted.
Userlevel 7
+19
And which Scan engine do you have enabled?...Inline Entropy, File System Analysis or both?
Hi
Are you marking your VM as ‘clean’ as shown in my latest “Malware Updates/Fixes” post?
If, after performing A/V and YARA scans and other manual forensics, you determine a VM’s restore points, since initial Malware event notification, are clean, then you have to mark things as clean in 2 areas - In the Home node > Backups > Disk section. Rt-click the Job the VM is in and select Properties. Select the VM in the top VM list, then for all Restore Points on the bottom, highlight all you found to be clean and rt-click them and select ‘Mark as clean’. Additionally, you then need to go into the Inventory node, rt-click the VM and mark it as clean (do not exclude the VM if you don’t want it to be excluded from future Malware scans). Performing this process in the Inventory node will prevent Veeam from marking the VM’s Restore Points as Suspicious from future/subsequent scans for the same event. If Veeam finds a new piece of malware, then you would get notified again.
You also may need a “fix” by Veeam Support to stop false positives (see how to attain in my post above).
If you’ve done all of that and are still getting notified, you need to open a case with Veeam Support and report a possible bug. I also recommend notifying Veeam Product Management in this Forum post , so they can have their developers take a look at logs you provide, etc.
It is appearing after marking it as clean from Inventory
So, just to clarify, you want me to leave unchecked the option "Mark restore points affected by corresponding detection events as clean"?
Userlevel 7
+19
Hi
No...you have to check that box if, after performing scans and forensics on your VM, you’ve determined the VM’s Restore Points are clean. After you check that box, all future backups and scans will not mark Restore Points as suspicious, UNLESS a new malware event/suspicion is detected.
Any previous Restore Point still marked as Suspicious and you are confident are clean, you’ll then need to go into the Home node > Backups > Disk section, rt-click the Job > Properties, then select the VM at the top and highlight any previous/historical Restore Points you feel are ‘clean’. Select any one or all, rt-click, then choose ‘Mark as Clean’.
Let me know if you continue to have questions.
Userlevel 7
+19
In my environment, I had the same issue you did. But once I 1. updated Veeam to latest version, and 2. applied the Veeam ‘fix’ for Inline Entropy scans (based on my post I shared above), I then received no more Suscipions on my future Restore Points after I select the box from your screenshot. On this particular VM, I did leave some historical Restore Points (not all) as infected/Suspicious because they did indeed contain a virus file. I just let my Veeam Backup Job’s Retention clear out those Restore Points, which it since has.
Hi
No...you have to check that box if, after performing scans and forensics on your VM, you’ve determined the VM’s Restore Points are clean. After you check that box, all future backups and scans will not mark Restore Points as suspicious, UNLESS a new malware event/suspicion is detected.
Any previous Restore Point still marked as Suspicious and you are confident are clean, you’ll then need to go into the Home node > Backups > Disk section, rt-click the Job > Properties, then select the VM at the top and highlight any previous/historical Restore Points you feel are ‘clean’. Select any one or all, rt-click, then choose ‘Mark as Clean’.
Let me know if you continue to have questions.
I configured as above settings on the 2 sections inventory and Disk section, still alerts appearing. Where will i get the patch for stopping this malware false alerts , the fix you mentioned for onion link applies for the malware detection as well ?
Userlevel 7
+19
Hi
Ok, so with the message/warning/event you shared there...it appears you’re using Veeam’s File System Analysis (FSA) engine, and not the Inline Entropy? The fix I talked about above & in my post is for the Inline Entropy scan engine, not File System Analysis.
Also, can you confirm the Veeam version you’re on? While in the Console, if you look at the bottom edge of the Console window, you should see the version you’re on, like shown below:
Veeam did provide updates to the FSA engine in their latest release v12.1.2.172. So if you’re not upgraded to that version yet, I recommend doing so.
Let me know...
Userlevel 7
+19
If possible, take a pic/screenshot of your configured Malware setting to show me which ‘engine’ you have enabled...FSA and/or Inline Entropy. Go to the Console menu in the upper left corner > Malware Detection, and take a screenshot of the General tab please.
Thank you.
Hi
Ok, so with the message/warning/event you shared there...it appears you’re using Veeam’s File System Analysis (FSA) engine, and not the Inline Entropy? The fix I talked about above & in my post is for the Inline Entropy scan engine, not File System Analysis.
Also, can you confirm the Veeam version you’re on? While in the Console, if you look at the bottom edge of the Console window, you should see the version you’re on, like shown below:
Veeam did provide updates to the FSA engine in their latest release v12.1.2.172. So if you’re not upgraded to that version yet, I recommend doing so.
Let me know...
12.1.2.172 - Enterprise Plus
Userlevel 7
+19
Ok great...you’re on the latest release. Which scan engine are you using?...FSA or Inline Entropy?
Ok great...you’re on the latest release. Which scan engine are you using?...FSA or Inline Entropy?
Userlevel 7
+19
Ok, thanks
You have 1 of a few options from here → 1. perform A/V and YARA scans on your VM(s) causing the issue and remove those malware files causing the event/suspicion. Then hopefully you won’t receive anymore suspicious marks on your restore points for future/subsequent backups and scans; or, 2. exclude the VM(s) in question completely from being scanned. To do this, you not only select the 1st option in the screenshot you posted earlier about having ‘clean restore points’, but you would also select the 2nd option to exclude the entire VM from future scans. My guess is you probably don’t want to go that route in case you do get hit with malware, you’d want Veeam to detect it; or 3. contact Veeam Support to see what further can be done, or share other options I might not know about or have missed.
Best.
Ok, thanks
You have 1 of a few options from here → 1. perform A/V and YARA scans on your VM(s) causing the issue and remove those malware files causing the event/suspicion. Then hopefully you won’t receive anymore suspicious marks on your restore points for future/subsequent backups and scans; or, 2. exclude the VM(s) in question completely from being scanned. To do this, you not only select the 1st option in the screenshot you posted earlier about having ‘clean restore points’, but you would also select the 2nd option to exclude the entire VM from future scans. My guess is you probably don’t want to go that route in case you do get hit with malware, you’d want Veeam to detect it; or 3. contact Veeam Support to see what further can be done, or share other options I might not know about or have missed.
Best.
Thank you. Part 1 → All of those files have been scanned by our third-party software and confirmed to be clean, so we cannot remove them. Part 2 → Enabling Malware detection would then be pointless.
Userlevel 7
+19
This may be exactly what you’re needing.
As for Part 2. I agree. Thus why I was waiting for updates for the scan engine I use (Inline Entropy).
Add exclusions to FSA then let me know how things go.
Userlevel 7
+19
Hi
Just checking in to see if you implemented the needed FSA exclusions and how your backup Restore Points are now fairing.
Hi
Just checking in to see if you implemented the needed FSA exclusions and how your backup Restore Points are now fairing.
It Worked . Thanks
Userlevel 7
+19
Glad to hear!
Hi
Thanks!
Comment
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.