Question

Veeam Version 12.1 - Malware Detections Query


Userlevel 5

Hello Veeam Community,

I am reaching out with a concern regarding our Veeam version 12.1, as we are consistently receiving malware detection alerts on our VMs. The notifications specifically indicate:

  • Potential malware activity detected: Too many files have had their names changed since the last backup; ensure they were not encrypted by ransomware.
  • Potential malware activity detected: *.ttt (TeslaCrypt 3.0): 40 instances.
  • Potential malware activity detected: *..txt: 2 instances.

I have conducted thorough scans on both the VM and the backup, and no malicious activity was found. Could you please provide insights or guidance on whether this is a matter of concern, and if there are additional steps I should take to address this issue?

Your assistance in resolving this matter is highly appreciated. Thank you in advance for your support.


28 comments

Userlevel 7
Badge +17

That sounds like a VeeamONE alarm?

Userlevel 7
Badge +21

If you have scanned the servers in question and they are clean you can mark the Malware detection as clean and at the same time exclude the VMs from future detections.

Userlevel 5

If you have scanned the servers in question and they are clean you can mark the Malware detection as clean and at the same time exclude the VMs from future detections.

Excluding the VM from future detections means it will be excluded even when there is real malware?

Userlevel 7
Badge +21

If you have scanned the servers in question and they are clean you can mark the Malware detection as clean and at the same time exclude the VMs from future detections.

Excluding the VM from future detections means it will be excluded even when there is real malware?

Yes, it would. So I would mark the VM as clean in the Malware Detection section in the console, and I believe it updates the metadata for detections. I have done this and it seems to rectify the recurrence of detection on the VM but still scans it.

I know excluding is not the right way, as we want all VMs scanned, so that option to me should not be there.

Userlevel 7
Badge +17

@VEEAM_Legend - you can simply mark the VM(s) as Clean instead of Exclusion. Yes, excluding would make them not part of the scan in future. You can mark them as clean as noted in the Guide here

Userlevel 5

@coolsport00 thank you, I'll mark those two VMs as clean and run a Microsoft scan too.

Userlevel 7
Badge +17

No problem.

Userlevel 5

I have scanned the VM with McAfee / Windows Defender / ESET online tools; none of those tools has found any malware infection.
I've marked the VM as clean; during the weekend backup, the warning has come back.

Potential malware activity detected: *.ttt (TeslaCrypt 3.0): 40 instances

Userlevel 7
Badge +17

Hmm...something else is on them causing Veeam to see them as infected. Since this tech is so new, I’d ping Veeam Support @VEEAM_Legend 

Userlevel 7
Badge +21

Another option would be to add this extension to the exclusion list -

Potential malware activity detected: *.ttt (TeslaCrypt 3.0): 40 instances

The *.ttt one noted in the report.

So Veeam's solution for detecting malware was simply partial file name matching? So I can have the EICAR content in a file named "innocent_content.txt" and it would be OK?

Userlevel 7
Badge +14

@westBuilding  Veeam is using a multilayered approach for detecting malware. The inline scan doesn't do classic signature-based scanning. Rather, it searches for hints of an existing infection or ongoing ransomware encryption. So something an AV might not detect, or in cases where an attacker already disabled the security solution or is attacking from a 3rd-party system. During the backup multiple attributes are getting checked. Known malicious file endings are just one of them. For example, Veeam also searches for Onion links, ransomware notes or compares changes to previous backups.

Then the Guest Index is analyzed for suspicious or known malicious files. Here Veeam also searches for malware signatures which get updated and distributed by Veeam.

https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_guest_index.html?ver=120

And after the backup you have the possibility to scan restore points with a 3rd party antivirus and/or YARA rules. This can be done manually or in a scheduled way. Besides scanning the last restore point, you can also scan all restore points to find the last clean one.

So many different possibilities to find malicious traces 🙂
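An added example (not Veeam's code, and not posted by anyone in this thread) that models the heuristic layers the reply above lists: known malicious file endings, ransomware note names, Onion links in file content, and a comparison of file names against the previous backup. Only the `*.ttt` (TeslaCrypt 3.0) pattern and the "Too many files have had their names changed" warning text come from this thread; the other extensions, note names, the rename threshold and the sample file listings are illustrative assumptions, not Veeam's real signature set or thresholds.

```python
"""Toy model of the heuristic layers listed in the reply above.

Added example, not Veeam's code. Only *.ttt (TeslaCrypt 3.0) and the rename
warning text come from the thread; every other list, name and threshold below
is an illustrative assumption.
"""
import fnmatch
import re

# Illustrative signature data (assumption, not Veeam's actual set).
KNOWN_BAD_EXTENSIONS = {"*.ttt": "TeslaCrypt 3.0", "*.locky": "Locky", "*.wncry": "WannaCry"}
RANSOM_NOTE_NAMES = {"HOW_TO_DECRYPT.txt", "README_FOR_DECRYPT.txt", "!Please Read Me!.txt"}
# v2 (16 chars) or v3 (56 chars) Tor hidden-service hostnames.
ONION_LINK = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.IGNORECASE)
RENAME_RATIO_THRESHOLD = 0.2  # illustrative: share of last backup's paths that disappeared
RENAME_WARNING = ("Too many files have had their names changed since the last backup; "
                  "ensure they were not encrypted by ransomware.")


def file_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_bad_extensions(paths):
    """Count files per known bad extension pattern, e.g. {'*.ttt': 40}."""
    hits = {}
    for p in paths:
        name = file_name(p).lower()
        for pattern in KNOWN_BAD_EXTENSIONS:
            if fnmatch.fnmatchcase(name, pattern):
                hits[pattern] = hits.get(pattern, 0) + 1
    return hits


def find_ransom_notes(paths):
    return sorted(p for p in paths if file_name(p) in RANSOM_NOTE_NAMES)


def find_onion_links(text_samples):
    """text_samples maps path -> decoded text; returns paths containing a .onion link."""
    return sorted(p for p, text in text_samples.items() if ONION_LINK.search(text))


def rename_ratio(previous_paths, current_paths) -> float:
    """Share of paths in the previous backup that no longer exist by name."""
    prev, cur = set(previous_paths), set(current_paths)
    return len(prev - cur) / len(prev) if prev else 0.0


def analyze(previous_paths, current_paths, text_samples=None):
    """Run all layers and return alert lines in the style of the thread's notifications."""
    findings = []
    if rename_ratio(previous_paths, current_paths) > RENAME_RATIO_THRESHOLD:
        findings.append(f"Potential malware activity detected: {RENAME_WARNING}")
    for pattern, count in sorted(match_bad_extensions(current_paths).items()):
        findings.append(f"Potential malware activity detected: {pattern} "
                        f"({KNOWN_BAD_EXTENSIONS[pattern]}): {count} instances")
    for p in find_ransom_notes(current_paths):
        findings.append(f"Potential ransomware note: {p}")
    for p in find_onion_links(text_samples or {}):
        findings.append(f"Onion link found in: {p}")
    return findings


# Constructed sample: a 10-file share, then the same share after 4 files were
# encrypted/renamed and a note was dropped (plus the thread's odd test..txt file).
PREVIOUS = [f"d:\\data\\doc{i}.docx" for i in range(10)]
CURRENT = ([f"d:\\data\\doc{i}.docx.ttt" for i in range(4)]
           + [f"d:\\data\\doc{i}.docx" for i in range(4, 10)]
           + ["d:\\data\\HOW_TO_DECRYPT.txt", "d:\\test\\test..txt"])
TEXT_SAMPLES = {"d:\\data\\HOW_TO_DECRYPT.txt": "Pay at http://abcdefghijklmnop.onion/pay"}

if __name__ == "__main__":
    for line in analyze(PREVIOUS, CURRENT, TEXT_SAMPLES):
        print(line)
```

The point of the rename layer is the one the original poster is hitting: a file such as `test..txt` does not match any extension pattern, yet a large enough share of renamed paths still trips the "Too many files have had their names changed" warning on its own, which is why scanning the guest with three antivirus engines can come back clean while the alert keeps recurring.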

Userlevel 6
Badge +4

Hello,

If you want to know what files are detected, go to the c programdata veeam backup malwaredetection folder on the VBR server!

Userlevel 5

Hello,

If you want to know what files are detected, go to the c programdata veeam backup malwaredetection folder on the VBR server!

Thank you for your response, but your answers/steps are not complete. Could you please specify which file, etc.?

Userlevel 6
Badge +4

Hello,

If you want to know what files are detected, go to the c programdata veeam backup malwaredetection folder on the VBR server!

Thank you for your response, but your answers/steps are not complete. Could you please specify which file, etc.?

Hello,

I don't know if you went to the folder, but on my side I have only 1 file each day inside it.

C:\ProgramData\Veeam\Backup\Malware_Detection_Logs

The file is suspicious_files_YY-MM-DD.log

YY = last 2 digits of the year (24)

MM = 2-digit number of the month (01)

DD = day of the month (22 for today)

When you open the file you will see the configuration and then, after some empty lines, the files.

Network Interface, Name: Ethernet0, Description: Adaptateur Ethernet vmxnet3, Interface Type: Ethernet, Operational Status: Up;
    Unicast IPAddresses: aaaaaaaaaa; a.b.c.d;
    Gateway IPAddresses: a.b.c.d;
Network Interface, Name: Loopback Pseudo-Interface 1, Description: Software Loopback Interface 1, Interface Type: Loopback, Operational Status: Up;
    Unicast IPAddresses: ::1; 127.0.0.1;
UTC offset: 1,00 hours


[10.01.2024 01:25:46.582]    <69> Warning (3)    DC:9667596d-c02e-4e07-b68e-d50a6ae792b5:d:\test:test..txt

 

Here the issue is about d:\test\test..txt

It's because the file has the extension ..txt and not .txt

This is a great new feature, but I think having the ability to exclude directories instead of just file names would solve some things. As long as your directory paths don't change where legitimate encrypted files are located, you would have the ability to exclude them without sacrificing excluding wildcard extensions for the entire workload. Just a thought anyway, which might help as a feature request.
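An added example, not Veeam's code and not posted by anyone in this thread, for reading the suspicious_files_YY-MM-DD.log described a few posts up once it has been copied off the VBR server. The record layout (timestamp, thread id, level, "DC:", machine GUID, directory, file name, all colon-separated) is an assumption inferred from the single log line quoted in that post, so treat the field split as such. The sample log is constructed: its first record is the line from the thread, the rest are made up in the same shape. The extension logic reproduces the point made above, that `test..txt` is reported under `*..txt` rather than `*.txt`, which `os.path.splitext` would not show you.

```python
"""Summarise a suspicious_files_YY-MM-DD.log (File System Analysis) by extension.

Added example, not Veeam code. Record layout is an assumption inferred from the
one line quoted in the thread:
  [DD.MM.YYYY HH:MM:SS.mmm]    <thread> Level (code)    DC:<machine-guid>:<directory>:<file name>
"""
import re
from collections import Counter


def log_name_for(year: int, month: int, day: int) -> str:
    """File name as the post describes it: suspicious_files_YY-MM-DD.log."""
    return f"suspicious_files_{year % 100:02d}-{month:02d}-{day:02d}.log"


# Assumed record layout; the directory field is matched up to the next ':' so the
# drive-letter colon (d:\test) is not mistaken for the directory/file separator.
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+<(?P<thread>\d+)>\s+(?P<level>\w+)\s+\((?P<code>\d+)\)\s+"
    r"(?P<tag>\w+):(?P<guid>[0-9a-fA-F-]{36}):(?P<dir>[A-Za-z]:\\[^:]*):(?P<name>.+?)\s*$"
)

# The alert's notion of "extension": the whole trailing run of dots plus suffix,
# so test..txt yields "..txt", not ".txt".
EXT = re.compile(r"(\.+[^.\\/]*)$")


def alert_extension(file_name: str) -> str:
    m = EXT.search(file_name)
    return m.group(1).lower() if m else ""


def parse_records(text: str):
    """Return a dict per record line; the configuration header lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["path"] = rec["dir"].rstrip("\\") + "\\" + rec["name"]
        rec["ext"] = alert_extension(rec["name"])
        out.append(rec)
    return out


def summarize(records):
    """Count flagged files per alert-style pattern, e.g. {'*..txt': 2, '*.ttt': 40}."""
    return dict(Counter("*" + r["ext"] for r in records))


# Constructed sample log (header abbreviated; first record copied from the thread,
# the remaining records made up in the same shape).
SAMPLE_LOG = r"""Network Interface, Name: Ethernet0, Description: vmxnet3, Interface Type: Ethernet, Operational Status: Up;
    Unicast IPAddresses: 10.0.0.5;
UTC offset: 1,00 hours


[10.01.2024 01:25:46.582]    <69> Warning (3)    DC:9667596d-c02e-4e07-b68e-d50a6ae792b5:d:\test:test..txt
[10.01.2024 01:25:46.590]    <69> Warning (3)    DC:9667596d-c02e-4e07-b68e-d50a6ae792b5:d:\test:notes..txt
[10.01.2024 01:25:46.601]    <69> Warning (3)    DC:9667596d-c02e-4e07-b68e-d50a6ae792b5:d:\data:report.docx.ttt
[10.01.2024 01:25:46.602]    <69> Warning (3)    DC:9667596d-c02e-4e07-b68e-d50a6ae792b5:d:\data:budget.xlsx.ttt
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in recs:
        print(r["ts"], r["path"], "->", "*" + r["ext"])
    print(summarize(recs))
```

Feed it the real log (`open(path, encoding="utf-8", errors="replace").read()`) and the per-pattern counts should line up with the "N instances" figures in the alert, which tells you immediately whether a `*..txt` hit is one stray double-dotted file or something spreading.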

Userlevel 7
Badge +17

@VEEAM_Legend - just checking to see if anything posted here helped take care of your issue? Please let us know if there's anything else we can assist with.

@WoodDog80 - we were talking about similar in another thread. :)

Userlevel 7
Badge +8

This is a great new feature, but I think having the ability to exclude directories instead of just file names would solve some things. As long as your directory paths don’t change where legitimate encrypted files are located, you would have the ability to exclude them without sacrificing excluding wildcard extensions for the entire workload. Just a thought anyways which would maybe help as a feature request.

I was talking about this in another post.

This, or the ability to choose specific files per folder/server, or mark flagged files as clean. Something along both of those together would make this perfect.

I cannot locate the Malware_Detection_Logs in any directory on the Veeam backup server. Looking at Malware Detection > Malware Events in the local console shows the following, but has no detail as to what files in what locations triggered this.

Detection source: Encrypted data

Status: Suspicious

Details: Potential malware activity detected

I searched the entire C drive of the Veeam server for Malware_Detection_Logs and cannot find it. I do have Veeam proxy servers in place. Should I be searching those? Or should I search on the server where the suspicious data was located?

I'm really disappointed as to the lack of any meaningful information in the emailed alert or the local console logs.

Userlevel 7
Badge +17

Hi @MJ_CIP2023 -

That folder only exists for the File System Analysis scans. You appear to be using the Inline Entropy scan. For that scan, the log file to look at is on the VBR server located at:

C:\ProgramData\Veeam\Backup\VeeamDataAnalyzerSvc.log

Even so, there still isn't much info given on what/where to look at for the possible threat. There should be an update to Malware Detection soon which is supposed to help.

Userlevel 7
Badge +17

BTW... I cover these headaches, and share more on where to keep an eye out for more info, in a Community post I did several weeks ago:

Hi @MJ_CIP2023 -

That folder only exists for the File System Analysis scans. You appear to be using the Inline Entropy scan. For that scan, the log file to look at is on the VBR server located at:

C:\ProgramData\Veeam\Backup\VeeamDataAnalyzerSvc.log

Even so, there still isn't much info given on what/where to look at for the possible threat. There should be an update to Malware Detection soon which is supposed to help.

Thanks for the quick response. Found that log to at least point me in a possible direction. It appears the scan had issues with block sizes. This particular server had its C drive expanded due to space issues.

Userlevel 7
Badge +17

Nice find! 

Userlevel 7
Badge +8

C:\ProgramData\Veeam\Backup\Malware_Detection_Logs

Userlevel 7
Badge +17

C:\ProgramData\Veeam\Backup\Malware_Detection_Logs

Hey Scott, based off the Malware event he posted, his event is for Inline Entropy scans. When that is used, there is no Malware_Detection_Logs folder and subsequent log file. That is only used for File System Analysis scans.
