
Issue ext://one-drive-backup/server: Microsoft OneDrive returns the error: Malware detected

HoracioS

Regular Pleskian
Hello,

I'm using OneDrive extensions, but randomly, sometimes, I get different errors. Now the latest is:
Unable to get dumps list: Transport error: Extension transport: ext://one-drive-backup/server: Microsoft OneDrive returns the error: Malware detected
- If I'm using the GoogleDrive Extension, it works
- If I'm trying again with OneDrive Extension, it works...

Have you experienced something similar?

Best regards,
Horacio
 
I also sometimes get the "Malware detected" message generated by the OneDrive backup extension. No idea what to do with that since there are no details.
 
I just wish it would tell me what was detected in which file, so I could do something about it.

I assume OneDrive is unzipping the Plesk backups that are being stored on OneDrive and detecting something. I've used ImunifyAV to scan all hosted websites but nothing is detected.

Also, when I receive the error does that mean the backup was, or was not, successfully stored on OneDrive? In other words, is the "virus detected" message an error, or just informative?
 
@Bobbbb and @HoracioS

The essence of your problems is not something to worry about: Microsoft is just securing OneDrive with a very tight Antivirus and Malware scan.

The security is not too tight - there actually is something somewhere in the backup file that does ring a bell and activates the Microsoft security system.

As a result, the Microsoft security system will not allow any access to the infected file(s).

Now, that causes an issue with Plesk backup files, which are essentially big compressed files (i.e. zip and/or tar).

The end result is that at least one backup file is created that contains a virus or malware that triggers the Microsoft security system that, in its turn, blocks access.

In the case of OneDrive: multiple backup files are created, but only infected backup files are being blocked.

In short, there are two issues here:

1) Plesk creating a big compressed file at backup time: without compression, one would directly know the infected file and one can take appropriate action,

2) Microsoft security systems doing a thorough scan on a per-file basis, even if the files are compressed.

The second issue is minor, it is not really an inconvenience - it is a good thing, with an inconvenient end result due to the backup structure of Plesk: big compressed files.

In my humble opinion, Plesk Team should reconsider the backup structure - for many reasons.

I hope the above explains a bit ........ and also explains that you have some notifications that are not really a problem.

Nevertheless, to answer the question

Also, when I receive the error does that mean the backup was, or was not, successfully stored on OneDrive? In other words, is the "virus detected" message an error, or just informative?

I have to state that:

- yes, backup is successfully made and stored in OneDrive, (and)
- yes, the virus related messages are to a high degree informative, (and)

However, the one question that has not been asked, being

"does the backup actually have a function, when these error messages are presented?"

has the unfortunate answer :

NO, you can not or cannot easily retrieve or restore the backup!

That actually is the reason why I am having the humble opinion that Plesk Team should reconsider the backup structure, since this problem is not limited to OneDrive.

Again, I hope the above helps a tiny bit.

Regards............

PS Please note that if you have direct access to OneDrive and/or the storage accounts, it is possible to retrieve the backup files....... but that is not an easy work-around.
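Added example, not part of any post in this thread and not Plesk or Microsoft code: one way to find out which file inside a nested tar/zip backup a scanner reacts to is to walk the archive member by member and report the inner path of each match. The byte-string `MARKER`, the sample archive layout and all function names are constructed for illustration; the actual layout of a Plesk backup is not assumed.

```python
import io
import tarfile
import zipfile

# Constructed stand-in signature; a real check would call an antivirus engine.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"

def walk(data, path, hits, depth=0):
    """Recurse into tar (plain/gz/bz2/xz) and zip containers, scan leaf files."""
    if depth > 5:  # bound nesting, and report it instead of silently skipping
        hits.append(path + " [nesting limit reached, not scanned]")
        return
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar:
                if m.isfile():
                    walk(tar.extractfile(m).read(), f"{path}!{m.name}", hits, depth + 1)
        return
    except (tarfile.TarError, EOFError, OSError):
        pass  # not a tar container, try the next format
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    walk(zf.read(info), f"{path}!{info.filename}", hits, depth + 1)
        return
    if MARKER in data:  # leaf file: this is where the scanner verdict goes
        hits.append(path)

def make_tar(files, mode="w"):  # helper used only to build the sample
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def sample_backup():  # constructed sample: one nested member carries MARKER
    site = make_tar({"index.php": b"<?php echo 'ok';", "uploads/x.php": MARKER}, "w:gz")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Maildir/cur/1.eml", "Subject: hello\n\nclean message")
    return make_tar({"domains/site.tgz": site, "mail.zip": zbuf.getvalue()})

def find_hits(data, name="backup.tar"):
    hits = []
    walk(data, name, hits)
    return hits
```

Calling `find_hits(sample_backup())` names the single inner file that matched, which is the detail the "Malware detected" message leaves out.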
 
I still receive this error. Should I just cancel paying for the Plesk Microsoft OneDrive extension, since, apparently, the backups created, are useless, when this error occurs?
 
I'd love to get an official position on this from Plesk. If all of my OneDrive backups are useless, due to this, there needs to be a solution.
 
Additionally, it now occurs to me...

I have the option to protect Plesk backups with a password turned on, with a password set. Wouldn't this mean the backup files are encrypted, so that OneDrive would not be able to scan the files, within the backup, for malware? That suggests, to me, that OneDrive is detecting random strings, in the encrypted data, as malware.

Am I thinking about this properly? Would it be logical to open a bug report, with Microsoft, for frequent false positives detected in the encrypted archive files?
 
@Bobbbb have you asked Plesk Support Team for assistance?

Opening a ticket with Plesk, through my provider, is not going to be as easy as I hoped. Especially since I cannot duplicate the issue on demand. That's why I came here, first.

In order to open a Plesk ticket, we'll need step-by-step instructions to duplicate the issue, as well as any login information required to do so, to pass on to them. Additionally, we need your permission for them in this ticket to access the server at the root level so they can perform their work.
 
Additionally, it now occurs to me...

I have the option to protect Plesk backups with a password turned on, with a password set. Wouldn't this mean the backup files are encrypted, so that OneDrive would not be able to scan the files, within the backup, for malware? That suggests, to me, that OneDrive is detecting random strings, in the encrypted data, as malware.

Am I thinking about this properly? Would it be logical to open a bug report, with Microsoft, for frequent false positives detected in the encrypted archive files?

@Bobbbb

It is not recommended at all to use password protected backups for any backup that is encrypted in remote storage, such as OneDrive amongst others.

It is not necessary (read: double encryption) and it is dangerous (read: double encryption can compromise files when decrypted).

Let's return to your questions.

First of all, it is NOT very likely that "that OneDrive is detecting random strings, in the encrypted data, as malware."

After all, OneDrive is encrypting when storing and/or retrieving data to the cloud based storage - data is encrypted in storage, but not elsewhere.

The above simply implies that any password protected backup is simply some type of ordinary data file that does or does not contain malware.

OneDrive remote storage simply runs a malware scan as if there is no encryption present.

The above simply implies either that a password protected backup is compromised with malware (detected on OneDrive remote storage) or that the process of password protection of the backup (at the level of the Plesk instance) creates encrypted files and/or strings that seem to be malware.

The essence of the whole question is this: is the process of password protection able to create backup files that look like malware for malware scanners?

The answer is: no.

It would be very difficult to "create malware" with encryption - this could only occur if something very very very very odd happens.

In short, it is very likely that your backup file actually contains malware.

You should verify this by creating a backup to OneDrive without any password protection - if the malware notification still exists, malware is present in the data.

Hope the above helps and explains a bit.

Kind regards........
 
Doesn't the password protection only encrypt Plesk's internal and server config and not the content of the subscriptions?

A subscription backup could very well contain some infected files in the mail folders that DrWeb didn't detect yet.
 