Ransomware Bundle - Type Two Whitelist

Hi all,

My JavaScript skills are fairly minimal, and until now, I’ve been able to fumble my way through editing the triggers for this bundle. I have an issue trying to whitelist a particular temp extension being created by our Veeam backup server. The backup files increment a counter in the middle of the string (i.e. .vbm_01_temp, .vbm_02_temp, etc.) and I am unable to properly whitelist these. I tried just using a wildcard (.vbm_*_temp) and I tried escaping the wildcard (.vbm_/*/_temp).
Can anyone tell me what I’m doing wrong here?

Thank you!

@tomr, can you please give @smlextrahop01 some guidance on this?

Hey @smlextrahop01,

I believe adding "\\.vbm_.*?_temp" to the type_two_whitelist_advanced list will make it work for you. Short explanation is:

  • \\. escapes the literal period
  • vbm_ is the first part of the string you are looking for
  • .*? is the wildcard you want (. matches any character, * repeats, ? is lazy mode)
  • _temp is the second part of the string you are looking for

@tomr does that all look good?

I’ve added this to both the advanced and basic whitelist and am still receiving alerts. I’ll keep playing with it and when I find the correct combination I’ll post it up here. I appreciate you pointing me in the right direction and giving me the syntax. Thank you.

I’m doing this without having checked this, but assuming the regex is the same as used in regex101.com (invaluable utility), you’d want:

.vbm_.*?_temp

Two backslashes in the beginning just escapes the second backslash.

I’ve added this as well, we’ll see…
Thank you for the link, that will come in handy!

I believe adding \.vbm_.*_temp should work. Just one slash required to escape the literal period at the beginning.

I don’t think I documented this correctly in the trigger comments. I’ll work to clarify this in the next update.

Please let us know if this works or not. Thanks!

I’m not sure which of these finally resolved it, I’m going to comment them out one at a time until I begin getting alerts again, but I placed this list in both the basic and advanced type two whitelist and haven’t received any false positives for a few days now. I’ll reply back with the fix as soon as I pin it down.

“vbm_.?", // Veeam Backup File (Partial)
"vbm.
?”, // Veeam Backup File
“.vbm_.?temp", // Veeam Backup File
"\.vbm
.
?_temp”, // Veeam Backup Temp Files
“.*?temp”, // Veeam Backup Temp Files

It looks like the exception that worked was “vbm.*?”
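The regex breakdown in tomr’s reply above and the candidate list that finally stopped the alerts, worked through in code as an added example (this is not code from the ExtraHop Ransomware Bundle or from anyone in this thread). It shows how each whitelist entry, written as a JavaScript string literal, becomes a regular expression (so why "\\." and "\." differ), and how much each candidate actually whitelists. The array name, the helper functions and the sample filenames are assumptions constructed for this example; the bundle’s own matching code is not shown in the thread.

```javascript
// Added example, not code from the ExtraHop Ransomware Bundle or from anyone
// in this thread. The array name, helpers and sample filenames are assumptions.

// Constructed sample filenames: three Veeam artefacts and two unrelated files.
const SAMPLE_FILES = [
  "ServerA.vbm_01_temp",    // Veeam temp file with the incrementing counter
  "ServerA.vbm_12_temp",    // same, two-digit counter
  "ServerA.vbm",            // finished Veeam backup metadata file
  "finance.xlsx.locked",    // constructed: the kind of name a whitelist must NOT cover
  "notes_temp",             // constructed: generic file that merely ends in "temp"
];

// The source text of the regex that a given string literal produces.
// "\\.vbm" yields the source \.vbm (escaped period); "\.vbm" collapses to .vbm,
// because \. is not an escape sequence in a JavaScript string literal.
function regexSource(pattern) {
  return new RegExp(pattern).source;
}

// Compile a whitelist of pattern strings once, as a trigger would at load time.
function compileWhitelist(patterns) {
  return patterns.map((p) => new RegExp(p));
}

// A filename is whitelisted if any compiled pattern matches anywhere in it
// (RegExp.prototype.test is unanchored unless the pattern uses ^ or $).
function isWhitelisted(filename, compiled) {
  return compiled.some((re) => re.test(filename));
}

// Which of the sample files does a single pattern whitelist?
function matchedBy(pattern, files = SAMPLE_FILES) {
  const re = new RegExp(pattern);
  return files.filter((f) => re.test(f));
}

// Files a pattern whitelists that are not Veeam files at all: every entry here
// is a blind spot the ransomware detection would no longer see.
function nonVeeamMatches(pattern, files = SAMPLE_FILES) {
  return matchedBy(pattern, files).filter((f) => !f.includes(".vbm"));
}

// The candidate list from the thread as the string literals a trigger array
// would hold. The thread's "\.vbm_.*?_temp" is written here with "\\." so the
// period is really escaped; the single-backslash form still matches the same
// files only because an unescaped . also matches a literal period.
const CANDIDATES = [
  "vbm_.*?",
  "vbm.*?",
  ".vbm_.*?temp",
  "\\.vbm_.*?_temp",
  ".*?temp",
];

// Summarise each candidate: regex source, files covered, non-Veeam files leaked.
function report(patterns = CANDIDATES, files = SAMPLE_FILES) {
  return patterns.map((p) => ({
    pattern: p,
    source: regexSource(p),
    matches: matchedBy(p, files),
    blindSpots: nonVeeamMatches(p, files),
  }));
}

for (const row of report()) {
  console.log(
    `${row.pattern.padEnd(18)} -> /${row.source}/  matches ${row.matches.length},` +
    ` blind spots: ${row.blindSpots.join(", ") || "none"}`
  );
}
```

Two things fall out of running it. A lazy `.*?` with nothing after it matches the empty string, so "vbm.*?" (the entry that worked) is equivalent to plain "vbm" in an unanchored test: it whitelists every filename containing "vbm" anywhere, not only the temp files. And ".*?temp" whitelists anything with "temp" in it, which the report flags as a blind spot. "\\.vbm_.*?_temp" is the narrowest entry that still covers the incrementing counter, which is the one to keep in a whitelist for a ransomware detector.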