Solved

potential malware activity detected: *.purge(Globe):1


Userlevel 2

Hi Everyone, 

 

I have a notification of potential malware detection on one of my VMs with the message "potential malware activity detected: *.purge(Globe):1"

 

Does anyone know how to resolve this?


Best answer by coolsport00 25 January 2024, 14:15


17 comments

Userlevel 1

Hi,

You can find which file is potential malware from logs in C:\ProgramData\Veeam\Backup\Malware_Detection_Logs

 

If you upgrade to 12.1 CP1, you can see the specific log file from the event details.

 

Userlevel 2

Hi, thank you.

 

I am not sure how to read this log.

 

May you kindly assist?

 

Userlevel 1

Veeam has marked the repot.purge file as a suspicious file; it is located in c:\programdata\sophos\autoupdate\data\

 

 

Userlevel 7
Badge +19

Hi @Cajon -

As @JoukoLaine states, malware detection has determined the malware *.purge(Globe):1, in location C:\ProgramData\Sophos\Autoupdate\data\, as being suspicious. It appears you have Sophos as your antivirus software on this VM/computer? And it looks like it detected and (probably) quarantined a potentially malicious file. So, this looks legitimate.

What you would now need to do is ‘clean’ the computer in question...via your A/V tool (Sophos, in this case). At next malware scan, if the file is removed by Sophos, hopefully it would come back the next time as clean. If not, and you know for sure you did take care of this file, you can mark the computer as clean. For all the info on how to Manage Malware, please refer to the User Guide here.

Let us know if you have further questions.

Userlevel 2

Thank you @coolsport00 @JoukoLaine 

I have rescanned the VM, found no malware and marked it as clean.

Userlevel 7
Badge +19

No problem @Cajon. Glad to help.

Hey Veeam Team, 

 

On a customer site, we have a problem with a false positive for Sophos AV.

Veeam detects the .purge file. After a full Sophos scan, the file is still there, and Veeam still finds fault with the file.

The system is clean. 


Do you have any ideas?

Best regards,

Stefan

Badge

Exactly the same issue here. It's across all machines with Sophos AV on them, including servers,

i.e. Veeam is suspicious of malware in a file named .purge in location C:\ProgramData\Sophos\Autoupdate\data\repo

 

Scans are coming up clean. When installing Sophos on a new machine, the .purge file is installed, so it is likely not malicious. Awaiting confirmation from Sophos.

If I add the .purge extension as a trusted extension, then Veeam will not alert if there is malware. Not sure what to do, anybody got any ideas?

Userlevel 7
Badge +19

Await what you hear from Sophos, then you can more than likely add the .purge file as an exclusion. I also recommend updating your VBR env as Veeam has made some pretty significant changes to the Malware Detection engine and its sensitivity levels.

Badge

Thanks for the reply, I will let you know what Sophos say.

We are on VBR 12.1.1.56. If I end up adding an exclusion, it looks like I can only exclude extensions as a whole. Is that correct, or can I exclude specific files/folders? I want to be informed if there is actual malware!

Userlevel 7
Badge +19

@Veeamified - there is a newer update which just came out yesterday. I recommend updating. See the Guide about exclusions:

https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_guest_index_manage_list.html?ver=120

Badge

Very helpful, thank you. That update came out the same day I put the update on for the now not latest version!

 

Badge

Sophos confirmed that the .purge file is named “.purge” but it is not a file with an extension of .purge.

 

After updating to Veeam 12.1.2.172, the Sophos files are no longer flagged.

 

 

Userlevel 7
Badge +19

Awesome. Glad to hear @Veeamified 

@Veeamified :

We are running Veeam B&R 12.1.2.172, but the ".purge" files are flagged as suspicious.

Did you mean that these files should no longer be flagged with the Veeam standard settings, or did you mean that they will no longer be flagged when you exempted the ".purge" files from the scan?

To be more precise: neither the B&R UI nor Veeam ONE warns about them, but the findings are "included" (amongst true malware remnants), for instance in the text file "C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\suspicious_files_24-06-04.log".

Badge

Hi Dietmar

With 12.1.2.172, the Sophos files named .purge are no longer flagged as suspicious using standard Veeam settings, BUT interestingly (as you say, and I did not know) they do still appear in the suspicious files logs in C:\ProgramData\Veeam\Backup\Malware_Detection_Logs, which are created each day. Thanks for pointing this out.

For the avoidance of doubt, I have not exempted the Sophos files named .purge.

 

Hi @Veeamified 

Thanks for your fast and clarifying answer! So it is not a misconfiguration on my side, and I am not alone :)

Have a great day!
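A small triage script for the situation the last two posts describe: the known-benign Sophos `.purge` entries still land in the daily `suspicious_files_*.log` files even though the UI stays quiet, so a reviewer wants them separated from findings that still need attention rather than excluded from detection altogether. This is an added example, not code from the thread or from Veeam; it assumes each log line carries the full path of a flagged file, which the thread does not specify, and the directory and Sophos path come from the posts above.

```powershell
# Added example (not from the thread or from Veeam). The log line format is an
# assumption: each non-empty line is treated as free text containing the path
# of one flagged file. Adjust the matching if your log files look different.
param(
    [string]$LogDir = 'C:\ProgramData\Veeam\Backup\Malware_Detection_Logs',
    [int]$Days = 7
)

# Known-benign entries from this thread: the Sophos AutoUpdate file that is
# literally named ".purge" (no extension), as confirmed by Sophos above.
$knownBenign = @(
    '\ProgramData\Sophos\AutoUpdate\data\repo\.purge'
)

$cutoff = (Get-Date).AddDays(-$Days)
$logs = Get-ChildItem -Path $LogDir -Filter 'suspicious_files_*.log' -ErrorAction Stop |
        Where-Object { $_.LastWriteTime -ge $cutoff }

$benign = New-Object System.Collections.Generic.List[object]
$review = New-Object System.Collections.Generic.List[object]

foreach ($log in $logs) {
    foreach ($line in Get-Content -Path $log.FullName) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        # -like is case-insensitive, so the mixed casing seen in the thread
        # (Autoupdate vs AutoUpdate) matches either way.
        $isBenign = $false
        foreach ($pattern in $knownBenign) {
            if ($line -like "*$pattern*") { $isBenign = $true; break }
        }

        $entry = [pscustomobject]@{ Log = $log.Name; Line = $line.Trim() }
        if ($isBenign) { $benign.Add($entry) } else { $review.Add($entry) }
    }
}

# Known-benign hits are counted, not hidden, so a sudden change in their number
# (or a .purge entry outside the Sophos folder) is still visible to the reviewer.
Write-Host ("Known-benign entries (Sophos .purge): {0}" -f $benign.Count)
Write-Host ("Entries still needing review:        {0}" -f $review.Count)
$review | Format-Table -AutoSize
```

Run it on the backup server after the daily log is written; anything listed under "still needing review" is what the Veeam exclusion list should not be used to silence.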
