vbr 12.1 False positive malware detection

@Link State Yep. I have a SR open with Veeam to discuss this. I have that very same “detail” window for one of my VMs. Interesting thing is the VM is an appliance! I had this happen for a couple Windows VMs as well, with a slightly different message for 1 of them (the other was similar to the appliance VM).

Like you, I went ahead and ‘marked them as clean’ for now. But, I’m still investigating...

 @coolsport00  If you can post the fix, thank you

Another issue I have with this is there are no log files (it appears) for those who only use the ‘Inline Entropy’ scan. There’s only a log file for the Guest Indexing (file system) scan. I’ll be taking that up with them when we speak again too!

@SteveHeart - which one should we use for such a detection? At this point, for me it’s moot until I get able communication to a couple of VMs which had this ‘detection’ to be able to scan (hangs at 0%).

Hi @coolsport00 - I would start with an AV scan and then do threat hunting using specific YARA rules (the top 10 from Rick might be a good start). 

Here you’re triggering a YARA scan on a Linux host “.\vbr-securerestore.ps1 -HostToScan immu-repo -Jobname D10-my-job -Mounthost myububtu -LinuxUser my-user  -Keyfile c:\cert\public-key.key -YARAScan”, so that’s why I asked which rule you were using.

“Hi @coolsport00 - I would start with an AV scan and then do threat hunting using specific YARA rules (the top 10 from Rick might be a good start).” ← Thank you Steve. Appreciate the suggestion.

Hi @coolsport00: I think I understand what you’re looking for. Let me answer you on my next “scripting friday”. I might also write a script ;).

@coolsport00: I see, you found the Veeam forums thread to this topic. Just PM me, if something is unclear from there.

@Link State -

I should clarify my issue..mine is different than yours. Are you backing up your Linux Hardened Repo? So, you use a VM as your VHRs? Sorry I didn’t notice that specifically earlier.

I was getting that same Malware warning/error you did on a couple linux VMs I have...but are appliances..not VHRs. This is why I said I got the same thing as you...I got the same Details window message you did, but not on my VHR (I use physical Linux boxes for those).

And, my issue with those warnings/detections is the vagueness of the messages. They’re just short of meaningless because it doesn’t give you any location to help in investigating the issue. But, because this detection is brought on not by the File System Analysis engine scan, but rather by the Inline Entropy engine scan, the vagueness of the message is almost unavoidable, because the scan is at the block level, not file index level so no path/location can be determined.

I wrote a blog on the issues I’ve had with the Inline Entropy engine and will be posting it later this everning or early tomorrow a.m. Hopefully my post can shed a little bit more light on it. Basically though, the detection is not necessarily because of the encrypted or immutable backup files...although it could be. Reality is it’s difficult to pinpoint the root cause, and about the only thing you can do, for Inline Entropy scan malware detection events, is to do what you did...run a YARA or A/V scan (Windows) on the affected system.