

We have enabled malware scanning, and we got a warning that some of the servers have a potential malware detection, specifically "Onion Links". I enabled inline entropy.

I took a look at the full logs of the scan on the mount server, C:\ProgramData\Veeam\Backup\Malware_Detection_Logs, and only the logs for Windows machines appear there; however, as confirmed by Veeam's support, scanning backups for Linux machines is not supported at this time, so the Linux VM logs are missing. When you click the malware detection event, there is nothing, not even paths, in the details.

I equally checked c:\VBRCatalog\Index\Machines\Affected-Linux-VM\ransonwareidx, but I still cannot identify what files or paths to files are affected.

How can I scan our Linux machines to determine the paths to the files of the "Onion links" malware detected? I would like to identify what files are being flagged as malware so I can "mark clean" if need be.

Any help regarding this, please, and thank you.

Hi @lorenzo55 -

Welcome to the Community. If you enabled Inline Entropy scanning, the Malware_Detection_Logs folder is not for that scan engine, if your "event" is for an Inline Entropy event. That folder is used for the File System Analysis engine only. I discuss this and several other things in a post I did below. This should also be able to help you with scanning your Linux system for Onion links files:

Let me know if you have further questions.

Best.
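For the original question of locating the files behind an "Onion links" verdict on a Linux VM, here is an added example scanner (not Veeam's code, and not the post linked above). It assumes that the verdict is triggered by Tor .onion hidden-service addresses found inside file contents, as in a ransom note, walks a mounted filesystem or restored backup and reports every file containing such a link so it can be reviewed before marking the restore point clean.

```python
import os
import re
import sys
from typing import List, Tuple

# Tor hidden-service addresses are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
# Assumption: Veeam's "Onion links" verdict means such links appear in file
# contents (e.g. ransom notes). This is an added example, not Veeam's engine.
ONION_RE = re.compile(
    r"(?:https?://)?\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b",
    re.IGNORECASE,
)
MAX_BYTES = 4 * 1024 * 1024          # ransom notes are small; skip huge files
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems on a live host


def scan_file(path: str) -> List[str]:
    """Return the distinct .onion links found in one file (empty list if none)."""
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return []
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:          # unreadable or vanished file: not a finding
        return []
    text = data.decode("utf-8", errors="ignore")
    # dict.fromkeys keeps first-seen order while removing duplicates
    return list(dict.fromkeys(m.group(0) for m in ONION_RE.finditer(text)))


def find_onion_links(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (path, links) for every file that contains .onion links."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune pseudo-filesystems in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):   # do not chase symlinks out of the tree
                continue
            links = scan_file(path)
            if links:
                hits.append((path, links))
    return hits


if __name__ == "__main__":
    # usage: python3 onion_scan.py /mnt/restored-linux-vm
    for found_path, found_links in find_onion_links(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{found_path}: {', '.join(found_links)}")
```

Run it against a mounted restore (Instant Recovery, FLR mount or a secure-restore staging VM) rather than the production host, so the file list matches the restore point that raised the event.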


Thank you for your response.

I have a follow-up question. We have upgraded to the VBR 12.2 release. We have recently become aware of a new threat called the Mallox ransomware, which now also targets Linux systems.


Given the critical nature of our data and the potential impacts of this ransomware:

  1. How effective is the latest Veeam update (12.2) in detecting and mitigating the Mallox ransomware on Linux servers?
  2. Are there any specification changes Veeam recommends to enhance our protection against this particular threat?

https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-variant-based-on-leaked-kryptina-code/

https://linuxexpress.medium.com/mallox-ransomware-the-rise-of-a-persistent-threat-in-linux-systems-c0033d2a868b


Thanks once again


@lorenzo55 - there were some 'tweaks' to the Malware Scan engines to not be so... "noisy"... or trigger so many false positives. From that standpoint alone, as well as vulnerabilities Veeam recently found, updating is highly recommended.

Veeam updates its SuspiciousFiles.xml file each day, which it uses for the scans, so it is fairly up to date.

https://www.veeam.com/kb4514

No other configurations I’m aware of regarding that threat.


Again, thank you for your response. Indeed you are a legend :) @coolsport00


No problem @lorenzo55 , glad I could help. 😊


If any of my comments helped you out, don't forget to mark one as 'Best Answer' so others with a similar question who come across this post can benefit.

Thanks. 


Hi @Madi.Cristil @safiya - for the most appropriate answer selection for this post, I believe the selected ‘Best Answer’ should be my comment the author/poster “quoted”. Could you please deselect what he selected and mark my comment he used as Best Answer?

Thank you.

