How to Investigate 'Encrypted Data Event' from Malware Detection

KB ID: 4632
Product: Veeam Backup & Replication | 12.1 | 12.2 | 12.3
Published: 2024-07-01
Last Modified: 2024-12-13

Version Requirement
This tool only works for malware inline detection events created by Veeam Backup & Replication 12.1.2 and newer. Previous versions of Veeam Backup & Replication are not supported.
Protected Workload Guest OS Requirement
This tool only supports investigating Windows-based workloads.

Purpose

This article documents how to investigate which files are encrypted within a machine when the Malware Detection system flags a machine as having Encrypted data.

Solution

Step 1: Identify Malware Detection Event ID

The Find Encrypted Data script requires the user to provide the Malware Detection Event ID to investigate.

The following PowerShell script can be used to output a list of recent Malware Events:

# Replace with the object name as shown in the Name column of the VBR UI.
$objectName = "objectName"

# Outputs a list of malware events where encrypted data was detected for the specified machine.
Get-VBRMalwareDetectionEvent | Where-Object { $_.ObjectName -eq $objectName -and $_.EncryptedDataInfo.AnalyzerResult -ne 0 } | Sort-Object -Property DetectionTime -Descending | Format-List Id, ObjectName, DetectionTime, Status, Message

Step 2: Run the Find Encrypted Data PowerShell Script

With the Event ID to be investigated now identified, pass that GUID to the find-encrypted-data.ps1 script:

.\find-encrypted-data.ps1 <event-id-guid>
How It Works
  • The script compares the ransomware index (ridx) file of the restore point associated with the malware event ID provided and the ridx from the prior restore point to determine which disk offsets should be investigated.
  • The script then mounts the restore point for investigation and checks the files associated with the offsets identified in the comparison above.
  • Each file associated with the suspect offset is checked to determine how much encryption is present in the file's first megabyte (default).
  • The file path, its offset, and the percentage of encryption in the first 1MB are then output to the results CSV.
Considerations and Limitations
  • The results files are named after the GUID of the machine's disk being investigated. If the script is run multiple times for the same machine, the results of a previous script run will be overwritten. If you are investigating multiple malware events across different restore points, copy the results CSV file from earlier runs to a different location for later review.
  • A file being present in the results CSV does not mean it was maliciously encrypted; it is merely that the file existed at an offset where encryption was detected. Environments that use file encryption often may receive false positive alerts and should adjust the Encryption Detection sensitivity as needed.
  • The final column of the CSV report displays the percentage of encryption detected in the first 1MB of the file. As most ransomware encrypts only a portion of each file, the encryption detection tool only checks the first 1MB of the file to maximize investigation performance.
    If a file is listed in the report with 0% in the final column, there are two possible reasons:
    • Part of the file is located in blocks with encryption, but the file itself is not encrypted.
      or
    • The file is encrypted, but not in the first MB.
    This tool cannot differentiate between these two possibilities as it only reviews the first megabyte of the file.

Review Results CSV File

The find-encrypted-data.ps1 script will create a subfolder named "output" and write the results CSV file into that folder.

Example: {b20c3fe9-927c-4aca-b4f4-d93b1ecdab9b}_Volume0_result.csv

Open the CSV file in a spreadsheet editor or plain text editor and review the results.

As this tool only checks for encryption within the first MB of a file, false positives may occur, and a manual review by an administrator is necessary to determine whether a file has been impacted by malware/ransomware.
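The following Python script is an added illustration of the flow described under How It Works and of the review of the results CSV; it is not part of this KB and not Veeam's find-encrypted-data.ps1. The ridx format is not documented on this page, so a restore point's index is modelled as a plain list of byte offsets flagged as encrypted-looking, and the index granularity, scan chunk size, entropy threshold, CSV header names and the three sample files are all constructed assumptions. It goes slightly beyond the page by showing concretely why a clean file sharing an index block with encrypted data and a file encrypted only past its first megabyte both land in the CSV with 0%.

```python
"""Added model (not Veeam's code) of the flow this KB describes: diff the flagged offsets
of two restore points, map them to files, score each file's first MB, then review the CSV."""
import csv
import io
import math
import random
from collections import Counter

SCAN_CHUNK = 4096            # granularity of the entropy test (constructed assumption)
INDEX_BLOCK = 256 * 1024     # granularity of one index entry (constructed; the ridx format is not documented here)
SCAN_LIMIT = 1024 * 1024     # the tool only examines the first 1 MB of a file
ENTROPY_THRESHOLD = 7.5      # bits per byte; assumed cut-off for "looks encrypted"


def chunk_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits/byte: ~8.0 for ciphertext, ~4.5 for English text."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def encrypted_percent(data: bytes) -> float:
    """Share of SCAN_CHUNK pieces in the first SCAN_LIMIT bytes that look encrypted (the CSV's last column)."""
    head = data[:SCAN_LIMIT]
    pieces = [head[i:i + SCAN_CHUNK] for i in range(0, len(head), SCAN_CHUNK)]
    if not pieces:
        return 0.0
    hot = sum(1 for p in pieces if chunk_entropy(p) >= ENTROPY_THRESHOLD)
    return round(100.0 * hot / len(pieces), 1)


def build_volume(files):
    """Lay constructed files out back-to-back; returns (disk image, {path: (start, length)})."""
    image, extents = bytearray(), {}
    for path, data in files:
        extents[path] = (len(image), len(data))
        image += data
    return bytes(image), extents


def flagged_offsets(image: bytes):
    """Stand-in for one restore point's index: INDEX_BLOCK-aligned offsets holding any encrypted-looking chunk."""
    flagged = []
    for off in range(0, len(image), INDEX_BLOCK):
        region = image[off:off + INDEX_BLOCK]
        if any(chunk_entropy(region[i:i + SCAN_CHUNK]) >= ENTROPY_THRESHOLD
               for i in range(0, len(region), SCAN_CHUNK)):
            flagged.append(off)
    return flagged


def new_offsets(prior, current):
    """Offsets flagged in the restore point under investigation but not in the prior one."""
    return sorted(set(current) - set(prior))


def investigate(image, extents, offsets):
    """One row per file overlapping a suspect index block: (path, first offset, % encrypted in first MB)."""
    rows = []
    for path, (start, length) in extents.items():
        hits = [o for o in offsets if o < start + length and start < o + INDEX_BLOCK]
        if hits:
            rows.append((path, hits[0], encrypted_percent(image[start:start + length])))
    return rows


def write_results_csv(rows) -> str:
    """Serialise rows the way the results CSV is described (header names are constructed)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["FilePath", "Offset", "EncryptedPercentFirstMB"])
    writer.writerows(rows)
    return buf.getvalue()


def triage(csv_text: str, min_percent: float = 50.0):
    """Split the CSV into files to escalate and files the tool cannot decide on (0 % in the first MB)."""
    likely, undetermined = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pct = float(row["EncryptedPercentFirstMB"])
        if pct >= min_percent:
            likely.append(row["FilePath"])
        elif pct == 0.0:
            undetermined.append(row["FilePath"])
    return likely, undetermined


def demo():
    """Constructed volume: one encrypted file, one clean neighbour, one file encrypted only past 1 MB."""
    rng = random.Random(7)

    def cipher(n):  # deterministic stand-in for ciphertext
        return rng.getrandbits(8 * n).to_bytes(n, "little")

    text = (b"Quarterly report: revenue up, costs flat. " * 25000)[:SCAN_LIMIT]
    files = [
        ("C:\\Users\\a\\report.docx", cipher(64 * 1024)),            # fully encrypted -> 100 %
        ("C:\\Users\\a\\notes.txt", text[:8 * 1024]),                # shares an index block -> 0 %
        ("C:\\Users\\a\\archive.pst", text + cipher(64 * 1024)),     # encrypted after 1 MB -> 0 %
    ]
    image, extents = build_volume(files)
    offsets = new_offsets(prior=[], current=flagged_offsets(image))   # prior restore point was clean
    report = write_results_csv(investigate(image, extents, offsets))
    return report, triage(report)


if __name__ == "__main__":
    report, (likely, undetermined) = demo()
    print(report)
    print("escalate:", likely)
    print("needs manual review (0 % in first MB):", undetermined)
```

Running the script prints a three-row report: report.docx scores 100% and is escalated, while notes.txt and archive.pst both score 0% even though only one of them is actually clean, which is exactly the ambiguity the tool leaves to a manual review. The entropy test here is a stand-in for whatever heuristic the real tool applies; the structural points that carry over are the diff against the prior restore point, the mapping from coarse index blocks to every file they overlap, and the 1 MB scan limit.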

Download Information

Download Script

Filename: Investigation_Tool_Files_v1.zip
Updated: 2024-06-28

MD5: E0C673F18956015DF53F64566077A065
SHA1: 8B9E6113A533887B3206E64DFE0B284007573498

Note: If you get the error "Cannot find malware event with ID" you have either provided the script with an invalid Malware Event ID or failed to provide an Event ID. Please review the usage instructions closely.
For Deployments with non-default Veeam Backup & Replication Install Location

The script assumes Veeam Backup & Replication is installed in the default location C:\Program Files\Veeam\Backup and Replication\Backup\. If Veeam Backup & Replication has been installed on a different drive letter, please update line 165 within the PowerShell script.

Line 165:

static [String] $LibPath = "C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.CatalogFsLib.dll"