Hi Ryoma,
Check the VeeamBackup event log under Application and Services Logs in Event Viewer; it will post with Event ID 41600.
Here's an example of an event (replaced server names with generic entries):
Code:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Veeam MP"/>
    <EventID Qualifiers="0">41600</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2026-05-14T20:05:21.1823719Z"/>
    <EventRecordID>287036</EventRecordID>
    <Correlation/>
    <Execution ProcessID="3460" ThreadID="0"/>
    <Channel>Veeam Backup</Channel>
    <Computer>{BACKUP SERVER}</Computer>
    <Security/>
  </System>
  <EventData>
    <Data>05/14/2026 20:02:24</Data>
    <Data>7509ce0c-8e75-487b-8c99-19b1c6e6920d</Data>
    <Data>RansomwareExtensions</Data>
    <Data>SYSTEM</Data>
    <Data><ModifiedUserInfo fullName="SYSTEM" loginType="4"/></Data>
    <Data>SOME VM</Data>
    <Data>05/14/2026 20:05:21</Data>
    <Data/><Data/><Data/><Data/><Data/><Data/><Data/><Data/><Data/>
    <Data>{BACKUP SERVER}</Data>
    <Data>13.0.1.2067</Data>
    <Data>1</Data>
    <Data>Locations of suspicious files can be found on the backup server at C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\suspicious_files_26-05-14.log Potential malware activity detected: *-decrypt.txt: 1 for OIB: 7509ce0c-8e75-487b-8c99-19b1c6e6920d (SOME VM), rule: Known malware extension by user: SYSTEM.</Data>
  </EventData>
</Event>

Statistics: Posted by david.domask — May 15, 2026 2:15 pm
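An added example, not part of the original post and not Veeam's own tooling: a Python parser that takes an exported 41600 event as XML and pulls out the fields an alert would need. The function name `parse_detection`, the key names and the message layout are assumptions inferred from the single sample event above, not a documented Veeam schema.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Message layout inferred from the one sample in the post (assumption).
MSG_RE = re.compile(
    r"at (?P<log>\S+\.log) Potential malware activity detected: "
    r"(?P<pattern>.+?): (?P<count>\d+) for OIB: (?P<oib>[0-9a-f-]{36}) "
    r"\((?P<machine>.+?)\), rule: (?P<rule>.+?) by user: (?P<user>.+?)\.$"
)

# Constructed sample: the event from the post, trimmed to the fields used here.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Veeam MP"/><EventID Qualifiers="0">41600</EventID>
<TimeCreated SystemTime="2026-05-14T20:05:21.1823719Z"/>
<Channel>Veeam Backup</Channel><Computer>{BACKUP SERVER}</Computer></System>
<EventData><Data>05/14/2026 20:02:24</Data>
<Data>7509ce0c-8e75-487b-8c99-19b1c6e6920d</Data><Data>RansomwareExtensions</Data>
<Data><ModifiedUserInfo fullName="SYSTEM" loginType="4"/></Data><Data/>
<Data>Locations of suspicious files can be found on the backup server at C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\suspicious_files_26-05-14.log Potential malware activity detected: *-decrypt.txt: 1 for OIB: 7509ce0c-8e75-487b-8c99-19b1c6e6920d (SOME VM), rule: Known malware extension by user: SYSTEM.</Data>
</EventData></Event>"""


def parse_detection(event_xml):
    """Return a dict for a 41600 malware-detection event, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "41600":
        return None
    # Skip empty <Data/> items and items that only wrap a child element.
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)
            if d.text and d.text.strip()]
    # The human-readable message is the last populated Data item in the sample.
    m = MSG_RE.search(data[-1].strip()) if data else None
    if m is None:
        return None  # Unrecognized layout: surface the raw event instead.
    out = m.groupdict()
    out["count"] = int(out["count"])
    out["time_utc"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    out["backup_server"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return out


if __name__ == "__main__":
    for key, value in parse_detection(SAMPLE).items():
        print(f"{key}: {value}")
```

A `None` result for a 41600 event means the message did not match the layout assumed here, so forward the raw event rather than dropping it.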






