Solved

potential malware activity detected: *.purge(Globe):1


Userlevel 2

Hi Everyone, 

 

I have a notification of potential malware detection on one of my VMs with the message "potential malware activity detected: *.purge(Globe):1".

 

Does anyone know how to resolve this?


Best answer by coolsport00 25 January 2024, 14:15


12 comments

Userlevel 1

Hi,

You can find which file is potential malware from logs in C:\ProgramData\Veeam\Backup\Malware_Detection_Logs

If you upgrade to 12.1 CP1, you can see the specific log file from the event details.

 

Userlevel 2

Hi, thank you.

I am not sure how to read this log.

Would you kindly assist?

 

Userlevel 1

Veeam has marked the repot.purge file as a suspicious file; it is located in c:\programdata\sophos\autoupdate\data\
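An added triage helper for the two points raised above (where the Veeam detection logs live, and which file was flagged). It is not Veeam's or Sophos's own tooling; it assumes the two folders quoted in this thread and that the detection logs are plain text, and it only collects evidence (hash, signature status, matching log lines) to compare with what Sophos confirms before a machine is marked clean:

```powershell
# Added triage helper (not Veeam's or Sophos's tooling). Assumes the two
# folders quoted in this thread and that the Veeam detection logs are text.
$sophosData = 'C:\ProgramData\Sophos\AutoUpdate\data'
$veeamLogs  = 'C:\ProgramData\Veeam\Backup\Malware_Detection_Logs'

# 1. Inventory every *.purge file under the Sophos AutoUpdate data folder,
#    recording size, timestamp, SHA256 and Authenticode status so the
#    evidence can be compared with Sophos's answer and kept for the record.
$purgeFiles = Get-ChildItem -Path $sophosData -Filter '*.purge' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            LastWrite = $_.LastWriteTimeUtc
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status            # e.g. Valid / NotSigned
            Signer    = $sig.SignerCertificate.Subject
        }
    }
$purgeFiles | Format-List

# 2. Pull the lines from the Veeam malware-detection logs that mention those
#    file names, so the alert can be tied to a concrete path and time stamp.
$names = $purgeFiles | ForEach-Object { [regex]::Escape($_.Name) }
if ($names) {
    Get-ChildItem -Path $veeamLogs -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern ($names -join '|') |
        Select-Object Path, LineNumber, Line
}
```

Run it in an elevated PowerShell session on the affected VM; the output is what you would hand to Sophos support, and the hash lets you confirm later that the file did not change between scans.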

Userlevel 7
Badge +17

Hi @Cajon -

As @JoukoLaine states, malware detection has determined the malware *.purge(Globe):1, in location C:\ProgramData\Sophos\Autoupdate\data\, as being suspicious. It appears you have Sophos as your Antivirus software on this VM/computer? And, it looks like it detected and quarantined (probably) a potentially malicious file. So, this looks legitimate.

What you would now need to do is ‘clean’ the computer in question...via your A/V tool (Sophos, in this case). At next malware scan, if the file is removed by Sophos, hopefully it would come back the next time as clean. If not, and you know for sure you did take care of this file, you can mark the computer as clean. For all the info on how to Manage Malware, please refer to the User Guide here.

Let us know if you have further questions.

Userlevel 2

Thank you @coolsport00 @JoukoLaine 

I have rescanned the VM, found no malware, and marked it as clean.

Userlevel 7
Badge +17

No problem @Cajon . Glad to help. 

Hey Veeam Team,

On a customer site, we have a problem with a false positive for Sophos AV.

Veeam detects the .purg file. After a full Sophos scan, the file is still there, and Veeam still finds fault with the file.

The system is clean.


Do you have any ideas?

Best regards,

Stefan

Exactly the same issue here. It's across all machines with Sophos AV on them, including servers,

i.e. Veeam is suspicious of malware in a file named .purge in location C:\ProgramData\Sophos\Autoupdate\data\repo

 

Scans are coming up clean. When installing Sophos on a new machine, the .purge file is installed, so it is likely not malicious. Awaiting confirmation from Sophos.

If I add .purge extension as a trusted extension then Veeam will not alert if there is malware. Not sure what to do, anybody got any ideas?

Userlevel 7
Badge +17

Await what you hear from Sophos, then you can more than likely add the .purge file as an exclusion. I also recommend updating your VBR env as Veeam has made some pretty significant changes to the Malware Detection engine and its sensitivity levels.

Thanks for the reply, I will let you know what Sophos say.

We are on VBR 12.1.1.56. If I end up adding an exclusion, it looks like I can only exclude extensions as a whole. Is that correct, or can I exclude specific files/folders? I want to be informed if there is actual malware!

Userlevel 7
Badge +17

@Veeamified - there is a newer update which just came out yesterday. I recommend updating. See the Guide about exclusions:

https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_guest_index_manage_list.html?ver=120

Very helpful, thank you. That update came out the same day I put the update on for the now not latest version!
