potential malware activity detected: *.purge(Globe):1

Hi,

You can find which file is potential malware from logs in C:\ProgramData\Veeam\Backup\Malware_Detection_Logs

if you upgrade 12.1 CP1 you can see specific log file from event details.

Hi Thank you.

I am not sure how to read this log.

May you kindly assist?

Veeam are marked repot.purge file as suspicious file which is located in c:\programdata\sophos\autoupdate\data\

 

Thank you @coolsport00 @JoukoLaine 

i have rescanned the VM and found no malware and mark it as clean.

No problem @Cajon . Glad to help. 

Hey Veeam Team, 

on a Customer Site, we have a problem with false positive for an Sophos AV. 

Veeam detect the .purg file. After a full Sophos scan, the file is still there. And Veeam still finds

fault with the file. 

The system is clean. 

Do you have any ideas?

Best regards,

Stefan

Exactly the same issue here.  It’s across all machines with Sophos AV on them including servers

ie. Veeam is suspicious of malware in file name .purge in location C:\ProgramData\Sophos\Autoupdate\data\repo 

Scans are coming up clean.  When install Sophos on a new machine the .purge file is installed so likely not malicious. Awaiting confirmation from Sophos.

If I add .purge extension as a trusted extension then Veeam will not alert if there is malware. Not sure what to do, anybody got any ideas?

Await what you hear from Sophos, then you can more than likely add the .purge file as an exclusion. I also recommend updating your VBR env as Veeam has made some pretty significant changes to the Malware Detection engine and its sensitivity levels.

Thanks for the reply, I will let you know what Sophos say.

We are on VBR 12.1.1.56.  If I end up adding an exclusion, it looks like I can only exclude extensions as a whole. Is that correct or can I exclude specific files/folders? I want to be informed if there is actual malware!

@Veeamified - there is a newer update which just came out yesterday. I recommend updating. See the Guide about exclusions:

https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_guest_index_manage_list.html?ver=120

Very helpful, thank you. That update came out the same day I put the update on for the now not latest version!

Sophos confirmed that the .purge file is named “.purge” but it is not a file with an extension of .purge.

After updating to Veeam 12.1.2.172 the Sophos files are no longer flagged

Awesome. Glad to hear @Veeamified 

@Veeamified :

We are running Veeam B&R 12.1.2.172 but the “.purge”-files are flagged as suspicious.

Did you mean that these files should no longer be flagged with the VEEAM-standard-settings, or did you mean that they will no longer be flagged when you excempted the “.purge”-files from scan?

To be more precise: Neiter the B&R-UI nor VEEAM-ONE does warn about them - but the findings are “included” (amongst true malware-remnants) for instance in the text-file "C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\suspicious_files_24-06-04.log"

Hi Dietmar

With 12.1.2.172, the Sophos files named .purge are no longer flagged as suspicious using standard Veeam settings BUT interestingly (as you say, and I did not know) they do still appear in the suspicious files logs in C:\ProgramData\Veeam\Backup\Malware_Detection_Logs which are created each day. Thanks for pointing this out.

For the avoidance of doubt, I have not exempted the Sophos files named .purge.

Hi @Veeamified 

Thanks for your fast and clarifiying answer! So it is not a misconfiguration from my side and I am not alone :)

Have a great day!