Malware Activity Detected

Sent when malware activity is detected. For more information, see Malware Detection.

General Information

Event ID: 41600

Event message details: Potential malware activity detected: <Details>

Severity: Warning

Parameters

Parameter Name

Description

Example

DetectionTimeUTC

Date and time (UTC) when the malware activity was detected.

DetectionTimeUTC="03/20/2025 13:05:41"

OibID

Machine ID.

OibID="0e54d3bf-add8-48eb-9122-fad3ac1e8fb3"

ActivityType

Malware activity type. Possible values:

  • DeletedUsefulFiles — Deleted files
  • SuspiciousFilesInDelta — Indicators of compromise
  • RansomwareNotes — Ransom notes and onion links
  • RansomwareExtensions — Known suspicious files and extensions
  • EncryptedData — Encrypted files
  • YaraScan — Malware activity specified in the YARA rule
  • AntivirusScan — Malware activity specified in the antivirus configuration file
  • RenamedFiles — Renamed files

ActivityType="EncryptedData"

UserName

Name of the user who performed an operation.

UserName="TECH\user1"

UserFullInfo

Detailed information about the user who performed an operation. Includes the following data:

  • fullName — the user name
  • loginType

UserFullInfo="<ModifiedUserInfo fullName="TECH\user1" loginType="0" />"

ObjectName

Object name.

ObjectName="VM01"

VbrHostName

Backup server name. Can be a DNS name, an FQDN or an IP address.

VbrHostName="vbrsrv01.tech.local"

VbrVersion

Veeam Backup & Replication version.

VbrVersion="12.3.1.1139"

Version

Event version (service parameter).

Version="1"

Description

Event message details.

Description="Potential malware activity detected for OIB: 0e54d3bf-add8-48eb-9122-fad3ac1e8fb3 (VM01), rule: Encrypted data by user: TECH\user1."

Syslog Message Example

1 2025-03-20T14:06:09.662307+02:00 VBRSRV01 Veeam_MP - - [origin enterpriseId="31023"] [categoryId=0 instanceId=41600 DetectionTimeUTC="03/20/2025 13:05:41" OibID="0e54d3bf-add8-48eb-9122-fad3ac1e8fb3" ActivityType="EncryptedData" UserName="TECH\user1" UserFullInfo="<ModifiedUserInfo fullName="TECH\user1" loginType="0" />" ObjectName="VM01" VbrHostName="vbrsrv01.tech.local" VbrVersion="12.3.1.1139" Version="1" Description="Potential malware activity detected for OIB: 0e54d3bf-add8-48eb-9122-fad3ac1e8fb3 (VM01), rule: Encrypted data by user: TECH\user1."]
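The message above is RFC 5424 syslog, but two of its parameter values are not escaped the way RFC 5424 section 6.3.3 requires: UserName carries a bare backslash (TECH\user1), and UserFullInfo embeds an XML fragment whose own attribute quotes are not escaped, so a strict SD-PARAM parser stops at the first nested quote and truncates the value. The following parser is an added example, not Veeam code: it splits the header, reads the origin block, extracts the event parameters while tolerating the nested quotes (it only ends a value where the next documented parameter name or the closing bracket begins), normalises DetectionTimeUTC to an aware UTC datetime, and applies a routing policy. The routing policy in triage(), the MM/DD/YYYY layout of DetectionTimeUTC and the handling of a leading PRI are assumptions; the sample line is the page's example, and the second line is constructed from it.

```python
"""Parse and triage Veeam Backup & Replication event 41600 syslog lines.

Added example, not Veeam's own code. Parameter names follow the
documentation; the triage policy and the date layout are assumptions.
"""
import re
from datetime import datetime, timezone

# Top-level keys seen in the event (the two leading fields plus the
# documented parameters). They anchor the end of each value, so nested
# quotes inside UserFullInfo cannot terminate it early.
EVENT_PARAMS = (
    "categoryId", "instanceId", "DetectionTimeUTC", "OibID", "ActivityType",
    "UserName", "UserFullInfo", "ObjectName", "VbrHostName", "VbrVersion",
    "Version", "Description",
)

# key=value, where value is "quoted" (lazy, may itself contain quotes) or
# bare; the match may only end just before the next known key or the ']'.
PARAM_RE = re.compile(
    r'(?P<key>\w+)='
    r'(?:"(?P<quoted>.*?)"|(?P<bare>[^\s"\]]+))'
    r'(?=\s+(?:' + "|".join(EVENT_PARAMS) + r')=|\s*\]\s*$)'
)
ORIGIN_RE = re.compile(r'^\[origin enterpriseId="(?P<eid>\d+)"\]\s*')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')   # attributes of the XML fragment

# ActivityType values the page lists that point directly at ransomware.
RANSOMWARE_TYPES = {"EncryptedData", "RansomwareNotes", "RansomwareExtensions"}


def parse_event_41600(line):
    """Return header fields and parameters as a dict, or None when the
    line is not a Veeam event 41600 message."""
    line = re.sub(r"^<\d{1,3}>", "", line.strip())  # drop PRI if present (assumption)
    parts = line.split(" ", 6)
    if len(parts) < 7 or parts[0] != "1":
        return None  # not a syslog version-1 header
    _version, ts, host, app, _procid, _msgid, sd = parts
    origin = ORIGIN_RE.match(sd)
    if not origin:
        return None
    params = {}
    for m in PARAM_RE.finditer(sd[origin.end():]):
        value = m.group("quoted")
        params[m.group("key")] = value if value is not None else m.group("bare")
    if params.get("instanceId") != "41600":
        return None
    event = {
        "sent_at": datetime.fromisoformat(ts),  # emission time, server-local offset
        "host": host,
        "app": app,
        "enterprise_id": origin.group("eid"),
        **params,
    }
    # DetectionTimeUTC uses the MM/DD/YYYY layout of the page example;
    # that layout is assumed fixed here, and the value is UTC by name.
    event["detected_at"] = datetime.strptime(
        params["DetectionTimeUTC"], "%m/%d/%Y %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    # UserFullInfo is an XML fragment (<ModifiedUserInfo .../>); keep its attributes.
    event["user_info"] = dict(ATTR_RE.findall(params.get("UserFullInfo", "")))
    return event


def triage(event):
    """Hypothetical SOC routing (assumption, not from the page): detections
    that match ransomware patterns get an isolate action, the rest a review."""
    if event["ActivityType"] in RANSOMWARE_TYPES:
        return "isolate-and-escalate"
    return "analyst-review"


# The syslog line from the page (raw string so the backslash survives).
SAMPLE_41600 = r'1 2025-03-20T14:06:09.662307+02:00 VBRSRV01 Veeam_MP - - [origin enterpriseId="31023"] [categoryId=0 instanceId=41600 DetectionTimeUTC="03/20/2025 13:05:41" OibID="0e54d3bf-add8-48eb-9122-fad3ac1e8fb3" ActivityType="EncryptedData" UserName="TECH\user1" UserFullInfo="<ModifiedUserInfo fullName="TECH\user1" loginType="0" />" ObjectName="VM01" VbrHostName="vbrsrv01.tech.local" VbrVersion="12.3.1.1139" Version="1" Description="Potential malware activity detected for OIB: 0e54d3bf-add8-48eb-9122-fad3ac1e8fb3 (VM01), rule: Encrypted data by user: TECH\user1."]'

# Constructed variant (not from the page): same event with a non-ransomware type.
CONSTRUCTED_RENAMED = SAMPLE_41600.replace('ActivityType="EncryptedData"',
                                           'ActivityType="RenamedFiles"')

if __name__ == "__main__":
    for raw in (SAMPLE_41600, CONSTRUCTED_RENAMED):
        ev = parse_event_41600(raw)
        print(ev["detected_at"].isoformat(), ev["ObjectName"], ev["ActivityType"],
              ev["user_info"].get("fullName"), "->", triage(ev))
```

Note that the syslog header timestamp is the time the server emitted the message, expressed in the server's local offset, while DetectionTimeUTC is the detection time in UTC; correlate on DetectionTimeUTC and OibID rather than on the header timestamp. If your SIEM already applies a strict RFC 5424 structured-data parser, check the UserFullInfo field it produces against the raw line before building detections on it.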

Page updated 4/4/2025

Page content applies to build 12.3.1.1139