Veeam Support Knowledge Base
How to Investigate 'Encrypted Data Event' from Malware Detection

How to Investigate 'Encrypted Data Event' from Malware Detection

KB ID:	4632
Product:	Veeam Backup & Replication \| 12.1 \| 12.2
Published:	2024-07-01
Last Modified:	2024-09-13

By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please, try again later.

Version Requirement

This tool only works for malware inline detection events created by Veeam Backup & Replication 12.1.2 and newer. Previous versions of Veeam Backup & Replication are not supported.

Protected Workload Guest OS Requirement

This tool only supports investigating Windows-based workloads.

Purpose

This article documents how to investigate which files are encrypted within a machine when the Malware Detection system flags a machine as having Encrypted data.

Solution

Identify Malware Detection Event ID

The Find Encrypted Data script requires the user to provide the Malware Detection Event ID to investigate.

The following PowerShell script can be used to output a list of recent Malware Events:

# Replace with the object name as shown in Name column of the VBR UI.
$objectName = "objectName" 

#Outputs a list of malware events where encrypted data was detected for specified machine.
Get-VBRMalwareDetectionEvent | Where-Object { $_.ObjectName -eq $objectName -and $_.EncryptedDataInfo.AnalyzerResult -ne 0 } | Sort-Object -Property DetectionTime -Descending | Format-List Id, ObjectName, DetectionTime, Status, Message

Run the Find Encrypted Data PowerShell Script

With the Event ID to be investigated now identified, pass that guid to the find-encrypted-data.ps1 script:

.\find-encrypted-data.ps1 <event-id-guid>
                
            

How It Works

The script compares the ransomware index (ridx) file of the restore point associated with the malware event ID provided and the ridx from the prior restore point to determine which disk offsets should be investigated.
The script then mounts the restore point for investigation and checks the files associated with the offsets identified in Step 1.
Each file associated with the suspect offset is checked to determine how much encryption is present in the file's first megabyte (default).
The file path, its offset, and the percentage of encryption in the first 1MB are then output to the results CSV.

Considerations and Limitations

The results files are named after the GUID of the machine's disk being investigated. If the script is run multiple times for the same machine, the results of a previous script run will be overwritten. If you are investigating multiple malware events across different restore points, copy the results CSV file from earlier runs to a different location for later review.
A file being present in the results CSV does not mean it was maliciously encrypted; it is merely that the file existed at an offset where encryption was detected. Environments that use file encryption often may receive false positive alerts and should adjust the Encryption Detection sensitivity as needed.
The final column of the CSV report displays the percentage of encryption detected in the first 1MB of the file. As most ransomware encrypts only a portion of each file, the encryption detection tool only checks the first 1MB of the file to maximize investigation performance.
If a file is listed in the report with 0% in the final column, there are two possible reasons:
_{This tool cannot differentiate between these two possibilities as it only reviews the first megabyte of the file.}
- Part of the file is located in blocks with encryption, but the file itself is not encrypted.
  
  or
- The file is encrypted, just but not in the 1st MB.

Review Results CSV File

The find-encrypted-data.ps1 script will create a subfolder named "output" and write the results CSV file into that folder.

Example: {b20c3fe9-927c-4aca-b4f4-d93b1ecdab9b}_Volume0_result.csv

Open the CSV file in a spreadsheet editor or plain text editor and review the results.

_{As this tool only checks for encryption within the first MB of a file, false positives may occur, and a manual review by an administrator is necessary to determine whether a file has been impacted by malware/ransomware.}

Download Information

Download Script

^{Filename: Investigation Tool Files.zip

Updated: 2024-06-28}

MD5: 62F7F9F874189A1D5B48F8399F4CD6AE
SHA1: FC1D2CFDC1982DBADF3F2924656C0B95604E3BA4

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.