Malware Activity Detected

Sent when malware activity is detected. For more information, see Malware Detection.

General Information

Event ID: 41600

Event message details: Possible malware activity has been detected: <Details>

Severity: Warning

Parameters

| Parameter Name | Description | Example |
| --- | --- | --- |
| DetectionTimeUTC | Date and time when the malware activity was detected. | `DetectionTimeUTC="10/20/2023 12:34:03"` |
| OibID | Machine ID. | `OibID="0e54d3bf-add8-48eb-9122-fad3ac1e8fb3"` |
| ActivityType | Malware activity type. Possible values are listed below the table. | `ActivityType="RansomwareExtensions"` |
| UserName | Name of the user who performed the operation. | `UserName="TECH\user1"` |
| UserFullInfo | Detailed information about the user who performed the operation: fullName (the user name) and loginType. | `UserFullInfo="<ModifiedUserInfo fullName="TECH\user1" loginType="0" />"` |
| ObjectName | Object name. | `ObjectName="VM01"` |
| Version | Event version (service parameter). | `Version="1"` |
| Description | Event message details. | `Description="Possible malware activity has been detected: *.onion(Dharma): 182 *.lovewindows(Globe): 8 for OIB: 0e54d3bf-add8-48eb-9122-fad3ac1e8fb3 (VM01), rule: RansomwareExtensions by user: TECH\user1."` |

ActivityType possible values:

  • DeletedUsefulFiles — Deleted files
  • RansomwareNotes — Ransom notes and onion links
  • RansomwareExtensions — Known suspicious files and extensions
  • EncryptedData — Encrypted files
  • YaraScan — Malware activity specified in the YARA rule
  • AntivirusScan — Malware activity specified in the antivirus configuration file
  • RenamedFiles — Renamed files

Syslog Message Example

<12>1 2023-10-20T14:35:57.885401+02:00 VBRSRV01 Veeam_MP - - [origin enterpriseId="31023"] [categoryId=0 instanceId=41600 DetectionTimeUTC="10/20/2023 12:34:03" OibID="0e54d3bf-add8-48eb-9122-fad3ac1e8fb3" ActivityType="RansomwareExtensions" UserName="TECH\user1" UserFullInfo="<ModifiedUserInfo fullName="TECH\user1" loginType="0" />" ObjectName="VM01" Version="1" Description="Possible malware activity has been detected: *.onion(Dharma): 182 *.lovewindows(Globe): 8 for OIB: 0e54d3bf-add8-48eb-9122-fad3ac1e8fb3 (VM01), rule: RansomwareExtensions by user: TECH\user1."]
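The syslog line above parsed into its fields, as an added example that is not part of Veeam's documentation and assumes only the format shown on this page. The UserName and UserFullInfo values contain backslashes and nested double quotes that are not escaped as RFC 5424 requires, so a strict SD-PARAM parser would mis-split the element; this parser delimits values by the documented parameter names instead.

```python
import re

# Constructed sample in the event format documented on this page (not a captured log).
SAMPLE = (
    '<12>1 2023-10-20T14:35:57.885401+02:00 VBRSRV01 Veeam_MP - - '
    '[origin enterpriseId="31023"] [categoryId=0 instanceId=41600 '
    'DetectionTimeUTC="10/20/2023 12:34:03" OibID="0e54d3bf-add8-48eb-9122-fad3ac1e8fb3" '
    'ActivityType="RansomwareExtensions" UserName="TECH\\user1" '
    'UserFullInfo="<ModifiedUserInfo fullName="TECH\\user1" loginType="0" />" '
    'ObjectName="VM01" Version="1" Description="Possible malware activity has been '
    'detected: *.onion(Dharma): 182 *.lovewindows(Globe): 8 for OIB: '
    '0e54d3bf-add8-48eb-9122-fad3ac1e8fb3 (VM01), rule: RansomwareExtensions '
    'by user: TECH\\user1."]'
)

# Values are split on the parameter names from this page, not on quotes: the
# '\' and nested '"' in UserName/UserFullInfo are not escaped as RFC 5424 requires.
PARAMS = ["DetectionTimeUTC", "OibID", "ActivityType", "UserName",
          "UserFullInfo", "ObjectName", "Version", "Description"]
KEY_RE = re.compile(r'(?:^| )(' + '|'.join(PARAMS) + r')="')
HEADER_RE = re.compile(r'^<(\d+)>1 (\S+) (\S+) (\S+) ')
EVENT_RE = re.compile(r'\[categoryId=(\d+) instanceId=(\d+) (.*)\]$')
COUNT_RE = re.compile(r'(\*\.[^\s(]+)\(([^)]+)\): (\d+)')

def parse_event(line):
    """Return header fields and event parameters as a dict; ValueError if not a Veeam event."""
    hdr, ev = HEADER_RE.match(line), EVENT_RE.search(line)
    if not hdr or not ev:
        raise ValueError("not an RFC 5424 line carrying a Veeam event element")
    pri = int(hdr.group(1))  # PRI = facility * 8 + severity; <12> is user.warning
    fields = {"facility": pri >> 3, "severity": pri & 7, "timestamp": hdr.group(2),
              "hostname": hdr.group(3), "instanceId": int(ev.group(2))}
    body = ev.group(3)
    keys = list(KEY_RE.finditer(body))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        val = body[k.end():end]
        fields[k.group(1)] = val[:-1] if val.endswith('"') else val
    # UserFullInfo is an XML fragment nested inside the quoted value
    if "UserFullInfo" in fields:
        fields["user"] = dict(re.findall(r'(\w+)="([^"]*)"', fields["UserFullInfo"]))
    # Description carries "<pattern>(<family>): <count>" pairs for RansomwareExtensions hits
    fields["hits"] = [(p, f, int(n)) for p, f, n in COUNT_RE.findall(fields.get("Description", ""))]
    return fields

def is_malware_activity_event(line):
    """True when the line is event ID 41600 (Malware Activity Detected)."""
    try:
        return parse_event(line)["instanceId"] == 41600
    except ValueError:
        return False
```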

Page updated 5/23/2024

Page content applies to build 12.1.2.172