FLR mount access permissions

[mdiver]

We would like to do automated security scans in through mounting backups and scanning c:\veeamflr with a specific tool.
Problem here is, that depending on the NTFS permissions of the source workload we get "You don't currently have permissions to access this folder" for most of the data folders.
It's not viable to take over access here, just because that would take way to long.
What would be the best way to circumvent the rights problem here?

Two ideas:
- run the scan as "local system"
- run the scan as "backup operator" and with specific backup commands

Is there an easier way?
How e.g. does ThreatHunter do that, as it basically does it in the same way?

Thanks,
Mike

[Egor Yakovlev]

Hi Mike,

Run under system account is the way to go, that is what Veeam Threat Hunter does.

Side note - you mentioned a 3rd party tool, but do you use our XML-integration approach here(as in Veeam triggers your tool and waits for reply codes) or only mount is done here by Veeam, whereas a scan is triggered completely outside of the product boundaries?

[mdiver]

Thanks, Egor. Very helpful.
Actually, we're not sure right now. We have to PoC first. I did SureBackup with custom scripts several times already. Should be same concept.
Final goal could even be to take positives from ThreatHunter programmatically and cross check with some tool for deep analysis to fight false positives.

[Egor Yakovlev]

I remember several cases like this were roaming public blogs and Veeam Community hub - people used various methods available in Veeam B&R to expose backed up data to external software. Michael Cade was playing with NAS Instant Restore to feed massive NAS backups to some analytics software that was looking for pictures of cats and credit cards in his backups. Also great use case for Veeam Data Integration API (disk publishing) - because backup is not really mounted, but rather presented directly to the target machine in a native disk format and just seen as local disk.