AlbieNorth
Influencer
Posts: 15
Liked: 1 time
Joined: Dec 04, 2014 4:59 pm
Full Name: Albert Gostick

Built-in ransomware mitigation?

Post by AlbieNorth » Apr 09, 2019 5:16 pm

Hi,
A customer of mine has indicated that the new(er) version of Veeam contains some "built-in ransomware" detection. Does the newer version of B & R contain some feature to detect if something is trying to encrypt backup files and then block it?

This came up as I mentioned to them that their backup servers should not be joined to their domain (which they are) and that they should be rebuilt to be non-domain-joined servers (so that different credentials are used to log into them to manage them etc.). They said that "that does not matter any more as Veeam now has built in ransomware detection". I have not seen a paper on this so cannot confirm it. Note that I do not work with Veeam on an everyday basis so maybe I am just out of the loop about it.

Thanks

P.Tide
Product Manager
Posts: 5189
Liked: 448 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Built-in ransomware mitigation?

Post by P.Tide » Apr 09, 2019 5:38 pm

Hi,

I guess they were referring to Secure Restore which is not exactly the thing they were describing : )

You can also detect malicious activity using Veeam ONE, please refer to this blog post.

Thanks

Re: Built-in ransomware mitigation?

Post by AlbieNorth » Apr 10, 2019 5:35 pm

Thanks. Link to blog post does not work - removed?

foggy
Veeam Software
Posts: 18037
Liked: 1533 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Built-in ransomware mitigation?

Post by foggy » Apr 10, 2019 6:06 pm

Fixed.

Re: Built-in ransomware mitigation?

Post by AlbieNorth » Apr 13, 2019 1:44 am

So my quick read of this is that you would use Veeam ONE to alert if there was something like a high level of CPU usage (sorry, I am not the main IT person for the Veeam setup).

I think what the other IT guy was conveying is that somehow Veeam had built a built-in process to *prevent* the encryption of files, not just alert to them. I am particularly concerned about the actual backup files being encrypted because the Veeam backup servers are joined to the domain, which I am trying to argue should not be done. I think if this had been thought of a few years ago it would have been done right from the start, but now that everything is set up and working, they are reluctant to rebuild their setup with servers removed from the domain.

So that brings up another question: would they indeed have to rebuild the servers from scratch if they were pulled from the domain? When poking around inside the setup, I noticed that Veeam stores the credentials used to connect to the servers to be backed up, so maybe if they just un-join from the domain, might the backups continue to operate? Of course, they would not be logging into the server using a domain account, but even if they have to start using a local account, might the existing software not continue to work?

Maybe someone could jump in here who has tried to pull a domain-joined Veeam server from the domain - did it work or did you end up having to rebuild the server from scratch after all?

Re: Built-in ransomware mitigation?

Post by P.Tide » Apr 16, 2019 10:25 am

> I think what the other IT guy was conveying is that somehow Veeam had built a built in process to *prevent* the encryption of files not just alert to them.

Could you ask them to point to that functionality description in our User Guide? I would love to read it : )

Another argument against having Veeam on the domain is the kind of situation where your AD VM goes down and you're not able to log in to your Veeam console anymore in order to perform an AD restore. Even if your AD is a physical machine, it is still certainly an undesired situation in case some VM decides to go south.

> Maybe someone could jump in here who has tried to pull a domain-joined Veeam server from the domain - did it work or did you end up having to rebuild the server from scratch after all?

I just pulled my lab-based VBR installation out of the domain and it works just fine after reboot, with the only difference that I had to use local admin to log in and start the VBR console. Provided that Veeam services still use the local system account (i.e. nobody has changed them to a domain admin account), it should be fine.

Thanks!
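
The condition described in the post above (Veeam services still running under the local system account, and a local admin available to log in) can be checked on the backup server before it is removed from the domain. The PowerShell below is an added example, not part of the original posts and not Veeam's own tooling; it is read-only, and matching services by a `Veeam` name prefix is an assumption about how they are named on the server.

```powershell
# Added example: read-only pre-flight check before un-joining a backup server.
# Assumption: Veeam services have a Name or DisplayName starting with 'Veeam'.

function Get-LogonAccountType {
    param([string]$StartName, [string]$ComputerName = $env:COMPUTERNAME)
    if ([string]::IsNullOrEmpty($StartName)) { return 'Unknown' }
    # Built-in identities exist on every Windows host, domain or not.
    if ($StartName -eq 'LocalSystem' -or
        $StartName -like 'NT AUTHORITY\*' -or
        $StartName -like 'NT SERVICE\*') { return 'BuiltIn' }
    # Accounts defined in the server's own SAM survive the un-join.
    if ($StartName -like '.\*' -or $StartName -like "$ComputerName\*") {
        return 'LocalAccount'
    }
    # Anything else (DOMAIN\user, user@domain) depends on the domain.
    return 'DomainAccount'
}

# 1. Is the server currently a domain member?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Domain joined: $($cs.PartOfDomain) ($($cs.Domain))"

# 2. Which account does each Veeam service log on as?
$filter   = "Name LIKE 'Veeam%' OR DisplayName LIKE 'Veeam%'"
$services = Get-CimInstance -ClassName Win32_Service -Filter $filter |
    Select-Object Name, State, StartName,
        @{ n = 'AccountType'; e = { Get-LogonAccountType $_.StartName } }
$services | Format-Table -AutoSize

$atRisk = @($services | Where-Object AccountType -eq 'DomainAccount')
if ($atRisk.Count -gt 0) {
    Write-Warning ("{0} Veeam service(s) log on with a domain account: {1}" -f
        $atRisk.Count, ($atRisk.Name -join ', '))
}

# 3. Who is in local Administrators, and where is each principal defined?
#    At least one enabled 'Local' entry is needed to log in after the un-join.
try {
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not enumerate local Administrators: $_"
}
```

Services reported as `DomainAccount` need their logon account changed before the un-join, and `ActiveDirectory` entries in the Administrators list show which domain principals can currently manage the backup server.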

Re: Built-in ransomware mitigation?

Post by AlbieNorth » Apr 22, 2019 3:19 pm

Thanks a lot...all helpful.
