Question

vbr 12.1 False positive malware detection


Userlevel 7
Badge +7

I enabled malware detection; the next day an alarm went up on the Ubuntu hardened backup repository server where immutable backups are saved.

 

Backup jobs have "enable backup encryption" set; I suspect this is the cause of the false positive.

 

Ran the secure scan, Linux version, with -scanAV and with -YARAScan on 12.1; it comes out clean. Thanks to the invaluable guidance of @SteveHeart:

https://community.veeam.com/yara-and-script-library-67/vbr-securerestore-lnx-ps1-secure-restore-for-linux-vm-4617

.\vbr-securerestore.ps1 -Mounthost myububtu -Scanhost immu-repo -Jobname D10-my-job -Keyfile .\public-key.key -AVScan

.\vbr-securerestore.ps1 -HostToScan immu-repo -Jobname D10-my-job -Mounthost myububtu -LinuxUser my-user  -Keyfile c:\cert\public-key.key -YARAScan 

Has this happened to anyone? For the moment I mark them as clean.
Thanks


20 comments

Userlevel 7
Badge +17

@Link State Yep. I have a SR open with Veeam to discuss this. I have that very same “detail” window for one of my VMs. Interesting thing is the VM is an appliance! I had this happen for a couple Windows VMs as well, with a slightly different message for 1 of them (the other was similar to the appliance VM).

Like you, I went ahead and ‘marked them as clean’ for now. But, I’m still investigating...

Userlevel 7
Badge +20

Yes, I have seen this as well on my VHR repos and other VMs that “technically” should not be reporting Malware detections.  Looking forward to seeing how others resolve this or what Veeam has to say.

Userlevel 7
Badge +7

@Link State Yep. I have a SR open with Veeam to discuss this. I have that very same “detail” window for one of my VMs. Interesting thing is the VM is an appliance! I had this happen for a couple Windows VMs as well, with a slightly different message for 1 of them (the other was similar to the appliance VM).

Like you, I went ahead and ‘marked them as clean’ for now. But, I’m still investigating...

@coolsport00 If you can post the fix, thank you.

Userlevel 7
Badge +17

As soon as I hear back from them...you bet!

Userlevel 7
Badge +17

Another issue I have with this is there are no log files (it appears) for those who only use the ‘Inline Entropy’ scan. There’s only a log file for the Guest Indexing (file system) scan. I’ll be taking that up with them when we speak again too!

Userlevel 7
Badge +8

Hi @Link State,

what yara rule are you using?

Userlevel 7
Badge +17

@SteveHeart - which one should we use for such a detection? At this point, for me it’s moot until I am able to get communication to a couple of VMs which had this ‘detection’, to be able to scan (hangs at 0%).

Userlevel 7
Badge +6

I’m disappointed.  Everyone is out here reporting false positives for malware scanning.  I turned it on in my production environment earlier this week or late last week, and nary a peep from Veeam.  And my one file server has, I would guess, hundreds of thousands of files across, I think, about 5-7 TB of data.  I would have figured SOMETHING would trigger it…..

Userlevel 7
Badge +8

@SteveHeart - which one should we use for such a detection? At this point, for me it’s moot until I am able to get communication to a couple of VMs which had this ‘detection’, to be able to scan (hangs at 0%).

Hi @coolsport00 - I would start with an AV scan and then do threat hunting using specific YARA rules (the top 10 from Rick might be a good start). 

Userlevel 7
Badge +7

Hi @Link State,

what yara rule are you using?

The alarm went off after enabling inline entropy detection analysis.

Userlevel 7
Badge +8

Hi @Link State,

what yara rule are you using?

The alarm went off after enabling inline entropy detection analysis.

Here you’re triggering a YARA scan on a Linux host “.\vbr-securerestore.ps1 -HostToScan immu-repo -Jobname D10-my-job -Mounthost myububtu -LinuxUser my-user  -Keyfile c:\cert\public-key.key -YARAScan”, so that’s why I asked which rule you were using.

Userlevel 7
Badge +7

Hi @Link State,

what yara rule are you using?

The alarm went off after enabling inline entropy detection analysis.

Here you’re triggering a YARA scan on a Linux host “.\vbr-securerestore.ps1 -HostToScan immu-repo -Jobname D10-my-job -Mounthost myububtu -LinuxUser my-user  -Keyfile c:\cert\public-key.key -YARAScan”, so that’s why I asked which rule you were using.

Yes, of course; I only used your script after the inline entropy detection analysis, using only the -AVScan function, to check. The problem is that the jobs are encrypted and result in a false positive.

Thank you for your interest.

Userlevel 7
Badge +17

“Hi @coolsport00 - I would start with an AV scan and then do threat hunting using specific YARA rules (the top 10 from Rick might be a good start).” ← Thank you Steve. Appreciate the suggestion.

Userlevel 7
Badge +17

“I’m disappointed.  Everyone is out here reporting false positives for malware scanning.  I turned it on in my production environment earlier this week or late last week, and nary a peep from Veeam” ← don’t worry @dloseke  ...you’ll get them eventually I think. 🙂 I had 3 in one week (different days). Now, it’s quieted down again. 

I think I have some answers to my Inline Entropy scan questions as of yesterday, but not really what I was wanting to hear; although, not unexpected. I may place my experience in an article though. I think it would benefit others as this is so new.

Userlevel 7
Badge +8

“I’m disappointed.  Everyone is out here reporting false positives for malware scanning.  I turned it on in my production environment earlier this week or late last week, and nary a peep from Veeam” ← don’t worry @dloseke  ...you’ll get them eventually I think. 🙂 I had 3 in one week (different days). Now, it’s quieted down again. 

I think I have some answers to my Inline Entropy scan questions as of yesterday, but not really what I was wanting to hear; although, not unexpected. I may place my experience in an article though. I think it would benefit others as this is so new.

Hi @coolsport00: I think I understand what you’re looking for. Let me answer you on my next “scripting friday”. I might also write a script ;).

Userlevel 7
Badge +17

“Hi @coolsport00: I think I understand what you’re looking for. Let me answer you on my next “scripting friday”. I might also write a script ;).” ← Ohhh...intrigued! 😊

Userlevel 7
Badge +8

@coolsport00: I see, you found the Veeam forums thread to this topic. Just PM me, if something is unclear from there.

Userlevel 7
Badge +17

@SteveHeart yes! It's been enlightening. A blog post is coming soon 😊

Userlevel 7
Badge +17

@Link State -

I should clarify my issue...mine is different than yours. Are you backing up your Linux Hardened Repo? So, you use a VM as your VHR? Sorry I didn’t notice that specifically earlier.

I was getting that same Malware warning/error you did on a couple of Linux VMs I have...but they are appliances...not VHRs. This is why I said I got the same thing as you...I got the same Details window message you did, but not on my VHR (I use physical Linux boxes for those).

And, my issue with those warnings/detections is the vagueness of the messages. They’re just short of meaningless because they don’t give you any location to help in investigating the issue. But, because this detection is brought on not by the File System Analysis engine scan, but rather by the Inline Entropy engine scan, the vagueness of the message is almost unavoidable, because the scan is at the block level, not the file index level, so no path/location can be determined.

I wrote a blog on the issues I’ve had with the Inline Entropy engine and will be posting it later this evening or early tomorrow a.m. Hopefully my post can shed a little bit more light on it. Basically though, the detection is not necessarily because of the encrypted or immutable backup files...although it could be. Reality is it’s difficult to pinpoint the root cause, and about the only thing you can do, for Inline Entropy scan malware detection events, is to do what you did...run a YARA or A/V scan (Windows) on the affected system. 
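The two points made in this thread, that an encrypted backup job can look like ransomware output to an entropy-based engine and that a block-level scan cannot name a file or path, can be seen with a small script. The following is an added example, not Veeam's Inline Entropy engine and not the vbr-securerestore.ps1 script linked above; the 4 KiB block size, the 7.5 bits/byte threshold, the SHA-256 counter keystream standing in for real backup encryption, and the sample text are all constructed assumptions for the illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096          # assumption: block granularity of the illustrative scan
ENTROPY_THRESHOLD = 7.5    # assumption: bits/byte above which a block looks "encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty or
    single-valued input, 8.0 for a perfectly uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for backup encryption: XOR with a SHA-256 counter
    keystream. This is a toy, not a real cipher; it only needs to produce output
    that is statistically indistinguishable from random bytes, which is exactly
    what a real encrypted backup file looks like to an entropy scan."""
    out = bytearray()
    for i in range(0, len(data), 32):
        stream = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], stream))
    return bytes(out)


def entropy_scan(data: bytes, block_size: int = BLOCK_SIZE,
                 threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Scan a byte image block by block, the way a block-level entropy engine sees
    it: there are no file names, only block offsets, so the only thing a finding
    can report is "high-entropy blocks at these offsets"."""
    flagged = []
    total = 0
    for offset in range(0, len(data), block_size):
        total += 1
        if shannon_entropy(data[offset:offset + block_size]) >= threshold:
            flagged.append(offset)
    return {
        "blocks": total,
        "flagged_offsets": flagged,
        "flagged_ratio": len(flagged) / total if total else 0.0,
    }


# Constructed sample: repetitive English text standing in for a plain disk image,
# cut to exactly four full blocks so every block is compared on equal footing.
SENTENCE = b"Inline entropy analysis sees block content, never file paths. "
PLAIN_SAMPLE = (SENTENCE * 300)[:4 * BLOCK_SIZE]

# The same content after (toy) backup encryption with a constructed key.
ENCRYPTED_SAMPLE = toy_encrypt(PLAIN_SAMPLE, b"constructed-demo-key")


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        r = entropy_scan(blob)
        first = r["flagged_offsets"][0] if r["flagged_offsets"] else "none"
        print(f"{name:9s}: {r['blocks']} blocks, {len(r['flagged_offsets'])} flagged "
              f"({r['flagged_ratio']:.0%}), first flagged offset: {first}")
```

Every block of the encrypted image is flagged and every block of the plain image passes, yet the finding carries nothing but offsets. That is why the only follow-up available for an Inline Entropy event is the one already described in this thread: mount the restore point and run an AV or YARA scan over the actual file system, where the content can be attributed to files.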

Userlevel 7
Badge +17

Hi @Link State - here’s the blog I wrote if it helps answer some of your questions a little:

 
