I've upgraded to 12.1 and have a restore point that is showing malware as detected. The detection event details the type of malware that was detected, and I am trying to check for a clean restore point using the scan backup. I have provided my own YARA file in the scan settings which is specific to the type of malware found; however, when the SureBackup job runs it eventually fails with the message:
error scanning: <file path>: could not open file: Operation did not complete successfully because the file contains a virus or potentially unwanted software. (error code: 0x01)
I also noticed that Windows Defender on the mount server is alerting for these files in the Virus & threat protection section. Is the antivirus somehow interfering with the scan process? I'm reluctant to turn it off in case the mounted files cause an infection on the mount server.
It could happen with multiple activities on the mount server actually, not only the YARA scan. If pre-installed AV software finds a suspicious file in the mounted content, it blocks access to such content for all the activities.
I also noticed that Windows defender on the mount server is alerting for these files in the virus & threat protection section
Can you share the files / extensions that were blocked by MS Defender? Thank you!
Hint: for troubleshooting, you can use the Scan Backup functionality on this particular VM. It's much easier to use for ad-hoc scans, and this way you won't have to mess with SureBackup until you get to the bottom of the issue.
Thanks Gostev. I am running a scan backup but just made a typo before. It does appear, though, that a scan backup runs with a SureBackup session type, which is probably where the mix-up happened.
Dima P - there are some .txt file extensions as well as some .wnry that were picked up. This is a sandboxed testing environment, so no production systems live here, but it would be nice all the same to see the scan backup functionality working.
Update - I tried running a scan using the antivirus engine instead and this time it successfully detected the threat and marked the machine as infected. What else can I do to troubleshoot the YARA rule method to see what exactly is causing it to fail?
You can apply a Windows Defender exclusion on the C:\VeeamFLR folder (on the Mount Server) and run the Scan Backup again from VBR to see if it is the component responsible for the YARA intervention.
We also have a great KB1999 with recommended AV exclusions in general, as it is quite common for AV to treat backup software activities as suspicious.
I was posting here yesterday but looks like I forgot to click Post. Anyway, I was saying that the error you get does not look like it is coming from Veeam but rather is passed to Veeam by the OS which is unable to perform a basic I/O operation. Looks like Egor thinks this is due to the real-time protection of Windows Defender. If not then it is best you engage support for further troubleshooting, as guessing over forum posts is always the least efficient method of finding the root cause.
Please add the yara64.exe process to the Microsoft Defender Antivirus exclusions on the mount host. When you perform a scan with an antivirus, Defender scans the backup content and flags found threats; however, when you are using the YARA scanner, Defender will stay on top of the YARA service and block it as soon as the service hits the malicious file. Thanks!
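Putting the two recommendations from this thread (the C:\VeeamFLR path exclusion and the yara64.exe process exclusion) into a repeatable form, as an added example that is not from this thread or from Veeam. It assumes the default FLR mount path and the scanner process name given above, and uses only the built-in Defender cmdlets; run it in an elevated PowerShell session on the mount server.

```powershell
# Added example, not from the forum thread or from Veeam.
# Assumptions: the FLR mount folder is the default C:\VeeamFLR and the YARA scanner
# binary is yara64.exe; adjust both if your installation differs.

$MountPath   = 'C:\VeeamFLR'   # default Veeam FLR mount folder (assumption)
$YaraProcess = 'yara64.exe'    # YARA scanner process named in the thread

# Keep the exclusions as narrow as possible: only the folder where the restore
# point's disks are presented, and only the scanner process.
Add-MpPreference -ExclusionPath    $MountPath
Add-MpPreference -ExclusionProcess $YaraProcess

# Verify the exclusions actually landed before re-running Scan Backup.
$pref = Get-MpPreference
if ($pref.ExclusionPath    -notcontains $MountPath)   { throw "Path exclusion for $MountPath is missing" }
if ($pref.ExclusionProcess -notcontains $YaraProcess) { throw "Process exclusion for $YaraProcess is missing" }

# List the detections Defender raised against mounted content, so the
# "file contains a virus" (0x01) errors from the scan can be matched to these blocks.
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ' ') -match [regex]::Escape($MountPath) } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Sort-Object InitialDetectionTime -Descending |
    Format-Table -AutoSize

# Remove the exclusions once troubleshooting is complete:
# Remove-MpPreference -ExclusionPath    $MountPath
# Remove-MpPreference -ExclusionProcess $YaraProcess
```

The process exclusion is the narrower of the two: it only stops real-time protection from intervening in files that yara64.exe itself opens, so any other process touching the mounted disks is still covered. The path exclusion switches off inspection of everything under the mount folder for every process, so if the process exclusion alone clears the error, there is no need to keep the path exclusion in place.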