Comprehensive data protection for all workloads
samifarhat
Novice
Posts: 3
Liked: never
Joined: Jun 20, 2017 1:15 pm
Full Name: samifarhat
Contact:

Does Veeam guarantee the integrity of restore points?

Post by samifarhat »

Hi all,
Due to a SoX requirement, we have been asked an interesting question.
What if someone replaces a restore point's data with another restore point (physically removes the files and replaces them with other files)?
Does Veeam have a repository of the checksums of the stored restore points?

Thanks
Shestakov
Veteran
Posts: 7328
Liked: 781 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague
Contact:

Re: Does Veeam guarantee the integrity of restore points?

Post by Shestakov »

Hi and welcome to the community!
If you physically change a file from the backup chain, restore points after that backup will not be restorable; however, the rest of the chain will remain restorable.
Restore point info is contained in metadata.
Thanks!

Re: Does Veeam guarantee the integrity of restore points?

Post by samifarhat »

Hi Shestakov,
Thanks for your reply.
I just need an answer 'understandable' by the SoX auditors, like: Veeam stores metadata information about the restore points, and thus, if someone replaces the restore point files, it will detect that behavior and will not restore data (or mark the restore point as broken or corrupted). Is this documented anywhere?
I really appreciate your help,
Thanks
Samir Farhat

Re: Does Veeam guarantee the integrity of restore points?

Post by Shestakov »

Right, the absence of the restore point will be defined either during restore or synthetic transformation (if any is scheduled), whichever happens first.
The best source of such information is the product user guide.

Re: Does Veeam guarantee the integrity of restore points?

Post by samifarhat »

Thanks. So, to be simple: during a restore operation, Veeam checks the consistency of the restore point by making a check against the metadata information.

Re: Does Veeam guarantee the integrity of restore points?

Post by Shestakov »

Correct, the Backup Server uses metadata to take data blocks from several backup files, and if some file is missing, restore will not happen.
By the way, if a restore point is deleted not manually but via the Backup Console, a corresponding event is to be logged. And if you use Veeam ONE, you may customize an alarm to be notified immediately, not waiting for a restore or synthetic operation.
nismoau
Novice
Posts: 8
Liked: never
Joined: Jul 06, 2016 1:29 am
Contact:

Re: Does Veeam guarantee the integrity of restore points?

Post by nismoau »

You can use SureBackup to test the integrity of your backups at a point-in-time.
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

If you're worried about someone replacing backup files with other data, just make sure your target repositories are locked down via NTFS permissions to only those who know what they're doing!
npitacco
Influencer
Posts: 18
Liked: never
Joined: Jan 12, 2010 3:33 pm
Full Name: Nadia Pitacco
Contact:

Re: Does Veeam guarantee the integrity of restore points?

Post by npitacco »

As someone who has a very similar regulatory requirement, and very interested in the subject of data integrity, I would like a more detailed answer.
For example, we have to evaluate risks for 5 cases:
Omission: This would be the case if the restore point is not created because the job didn't run, and we can discard this case; there is nothing Veeam can do to prevent this, and monitoring backup execution is an IT task.
Deletion & Destruction: Again, I believe that Veeam cannot prevent this; you need proper permission control and auditing to address this risk.
Error: Something went wrong during the backup and was not detected immediately. I believe that the option "Perform backup files health check" and SureBackup can address this case.
Alteration: This is the subject of the original question. It is true that restricting access to the repository may mitigate the issue, but the problem is also with deliberate alteration of data by people with the correct access level (bad guys can be internal IT people).
The only mention I remember about checksum in Veeam is about the data block checksum in the backup file, but I believe this is used to assure internal file integrity, not that the file has not been altered or replaced.
I believe that encryption would have the side effect to prevent this case, but I am not sure.
Anyone already addressed this or want to correct my list?

Thanks
tdewin
Veeam Software
Posts: 1818
Liked: 655 times
Joined: Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin
Contact:

Re: Does Veeam guarantee the integrity of restore points?

Post by tdewin »

On the omission part, you might consider Veeam One which is part of the availability suite. It has some good reports concerning missed backups but I always loved the protected vm report:
https://helpcenter.veeam.com/docs/one/r ... tml?ver=95

As for the checksums, during SureBackup, you can ask to validate the checksums explicitly (backup file integrity check):
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

There is also a small tool that allows you to execute the checksum validation manually:
https://www.veeam.com/kb2086
https://www.virtualtothecore.com/en/vee ... kup-files/ (includes some screenshots)

Re: Does Veeam guarantee the integrity of restore points?

Post by npitacco »

I inherited VeeamOne with an already existing infrastructure, and I appreciate it more every day :D
About the checksum, I have read "When writing each data block to the disk, we also write a checksum of this block to the designated area of the backup file (actually, we write the checksum twice for redundancy). When restoring, we verify the data obtained from disk against that checksum." in an older post.
This allows detecting errors, but I am curious about deliberate manipulation/alteration of the backup file. I am certain they are not likely, but are they "theoretically" possible?

Thanks

Re: Does Veeam guarantee the integrity of restore points?

Post by Shestakov »

Theoretically everything is possible. There are also hardware errors, network errors, etc., but with SureBackup and checksums you will be much more protected.
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Does Veeam guarantee the integrity of restore points?

Post by Gostev »

Protection against deliberate modification of the backup file is very simple: you just enable backup file encryption, and this will make it impossible to modify without rendering one unusable.
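
An added illustration, not part of any post above and not Veeam code or its file format: a toy backup file that contrasts the unkeyed per-block checksum discussed in the thread with a check that depends on a secret key. The HMAC here is a generic stand-in for any keyed mechanism, and the file names, block contents and key are constructed for the example.

```python
import hashlib
import hmac

def make_backup(blocks):
    """Toy backup file: each data block is stored with its own SHA-256 checksum."""
    return [(b, hashlib.sha256(b).digest()) for b in blocks]

def checksums_ok(backup):
    """Unkeyed self-check: recompute each block's checksum and compare."""
    return all(hashlib.sha256(data).digest() == digest for data, digest in backup)

def seal(name, backup, key):
    """Keyed tag over the restore point name and every block, kept off the repository."""
    mac = hmac.new(key, name.encode() + b"\0", hashlib.sha256)
    for data, _ in backup:
        mac.update(len(data).to_bytes(8, "big") + data)
    return mac.digest()

def seal_ok(name, backup, key, tag):
    return hmac.compare_digest(seal(name, backup, key), tag)

def scenarios():
    key = b"constructed-demo-key-kept-off-the-repository"  # assumption: not stored with backups
    monday = make_backup([b"ledger v1", b"payroll v1"])
    tuesday = make_backup([b"ledger v2", b"payroll v2"])
    tag = seal("tuesday.bak", tuesday, key)

    # 1. Accidental corruption: the data changes, the stored checksum does not.
    corrupted = [(b"ledger vX", tuesday[0][1]), tuesday[1]]
    # 2. Deliberate alteration: whoever can write the file can also rewrite the checksum.
    altered = make_backup([b"ledger v2 (edited)", b"payroll v2"])
    # 3. Replacement: an older, internally valid file put in place of the newer one.
    replaced = monday

    cases = [("intact", tuesday), ("corrupted", corrupted),
             ("altered", altered), ("replaced", replaced)]
    # Each result is (unkeyed checksum passes, keyed seal passes).
    return {label: (checksums_ok(b), seal_ok("tuesday.bak", b, key, tag))
            for label, b in cases}

if __name__ == "__main__":
    for label, (chk, mac) in scenarios().items():
        print(f"{label:10} checksum_ok={chk!s:5} seal_ok={mac}")
```

The altered and replaced files both pass the embedded checksums and fail only the keyed check, which is the gap between error detection and tamper detection raised in the thread.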

Re: Does Veeam guarantee the integrity of restore points?

Post by npitacco »

Thank you very much.
I now have answers for all possible questions from inspectors :-D