I have recently updated Veeam B&R to v12.1 and am interested in the Malware functionality
I have enabled "inline entropy analysis". Is there any additional configuration or will this identify Malware if found during a backup? Does it need to run for an extended period to analyse the files?
I had tried a scan using what I thought were valid YARA files, but when I investigated the actual files I saw that they were just examples and not actually doing anything.
Are there any examples of YARA files that Veeam have that can be edited as necessary?
Thanks
- Veteran
- Posts: 262
- Liked: 22 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
- Product Manager
- Posts: 9353
- Liked: 2486 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
Re: Malware scanning with v12.1
Hi Paul

> I have enabled "inline entropy analysis". Is there any additional configuration or will this identify Malware if found during a backup? Does it need to run for an extended period to analyse the files?

No additional configuration required. After enabling it, the next backup session will "rescan" all blocks from the source machine to create a <baseline documentation> of machine volumes. Subsequent runs will then compare what has changed compared to the baseline. The exact process is documented in our user guide: https://helpcenter.veeam.com/docs/backu ... w-it-works

With inline entropy analysis, we can detect the following malware activity:
- Encrypted files
- Onion links
- Ransom notes
But we cannot detect sleeping malware by it. We only get active after the Malware has started "doing something".

YARA rules are useful if you know what to look for. As an example, your security team has investigated an attack and confirmed which Malware was responsible for it. Then you can use YARA rules to scan your backups for this exact type of Malware.

> I had tried a scan using what I thought were valid YARA files but when I investigated the actual files saw that they were just examples and not actually doing anything.
> Are there any examples of YARA files that Veeam have that can be edited as necessary?

We provide some sample files on the backup server: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules
And we also provide YARA rules for the Top10 Ransomware threats in our Veeam Community boards:
https://community.veeam.com/yara-and-sc ... reats-6267
If you would like to check out external webpages, you may find multiple rules and examples on GitHub:
https://github.com/Yara-Rules/rules
Best,
Fabian
Product Management Analyst @ Veeam Software
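To make the two mechanisms in the reply above concrete, here is an added illustration in Python. It is not Veeam code and not one of the sample rules shipped in the YaraRules folder: it computes per-block Shannon entropy and reports blocks that turned from low-entropy to high-entropy against a baseline (the idea behind "inline entropy analysis"), and it matches the two indicator types the reply lists, onion links and ransom-note phrases, the way a YARA rule would. The YARA rule text is included only as a reference for what the equivalent declarative rule looks like; the block size (4096), the 7.5 bits/byte threshold, the phrases, the regular expression and all sample "volumes" are constructed assumptions, not values taken from the product.

```python
"""Added illustration (not Veeam code) of baseline entropy comparison and
YARA-style indicator matching. All thresholds and sample data are constructed."""
import math
import re

BLOCK_SIZE = 4096      # assumption: Veeam's real block size is not stated here
HIGH_ENTROPY = 7.5     # assumption: bits/byte above which a block "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_blocks(data: bytes, block_size: int = BLOCK_SIZE,
                        threshold: float = HIGH_ENTROPY) -> set:
    """Offsets of the blocks whose entropy exceeds the threshold."""
    return {off for off in range(0, len(data), block_size)
            if shannon_entropy(data[off:off + block_size]) > threshold}


def newly_encrypted_blocks(baseline: bytes, current: bytes) -> set:
    """Offsets that were low-entropy in the baseline but are high-entropy now.

    This is the "compare to baseline" step: blocks that were already random-looking
    in the baseline (archives, images, an already-encrypted volume) are not reported,
    only blocks that changed character between the two runs."""
    return high_entropy_blocks(current) - high_entropy_blocks(baseline)


# Reference only: a constructed YARA rule expressing the same indicators the
# function below checks. It is not one of Veeam's sample rules.
YARA_RULE = r"""
rule constructed_ransom_note_indicators
{
    meta:
        description = "Constructed example: Tor .onion links and ransom-note phrases"
    strings:
        $onion = /https?:\/\/[a-z2-7]{16,56}\.onion/ nocase
        $note1 = "your files have been encrypted" nocase
        $note2 = "decrypt" nocase
    condition:
        $onion or ($note1 and $note2)
}
"""

ONION_RE = re.compile(rb"https?://[a-z2-7]{16,56}\.onion", re.IGNORECASE)  # constructed
NOTE_PHRASES = (b"your files have been encrypted", b"decrypt")             # constructed


def match_indicators(data: bytes) -> dict:
    """Pure-Python equivalent of YARA_RULE's condition, case-insensitive."""
    lowered = data.lower()           # bytes.lower() only folds ASCII letters
    onion = ONION_RE.search(data) is not None
    note = all(phrase in lowered for phrase in NOTE_PHRASES)
    return {"onion_link": onion, "ransom_note": note, "match": onion or note}


def scan_report(baseline: bytes, current: bytes) -> dict:
    """Combine both signals into one verdict for a volume image."""
    flagged = newly_encrypted_blocks(baseline, current)
    indicators = match_indicators(current)
    return {"newly_high_entropy_blocks": sorted(flagged),
            "onion_link": indicators["onion_link"],
            "ransom_note": indicators["ransom_note"],
            "suspicious": bool(flagged) or indicators["match"]}


# Constructed sample "volumes": one text block gets encrypted between runs and a
# ransom note is dropped. Uniform bytes stand in for ciphertext (entropy exactly 8.0).
PLAINTEXT = (b"Quarterly report: revenue up 3%, costs flat.\n" * 100)[:BLOCK_SIZE]
ENCRYPTED = bytes(range(256)) * (BLOCK_SIZE // 256)
RANSOM_NOTE = (b"ALL YOUR FILES HAVE BEEN ENCRYPTED. To decrypt them visit "
               b"http://abcdefghijklmnop2345.onion and pay.")
BASELINE_VOLUME = PLAINTEXT + PLAINTEXT
CURRENT_VOLUME = ENCRYPTED + PLAINTEXT + RANSOM_NOTE

if __name__ == "__main__":
    print(scan_report(BASELINE_VOLUME, CURRENT_VOLUME))
```

The baseline comparison is what keeps legitimately high-entropy data (compressed archives, media, disks that were encrypted from day one) from being flagged on every run; only the change relative to the previous scan is reported. The indicator matcher is the part a YARA rule replaces in practice: once your security team knows the specific strings, file names or byte patterns of the malware involved, those go into the rule's `strings` section and the scan becomes targeted rather than statistical.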
- Veteran
- Posts: 262
- Liked: 22 times
- Joined: May 22, 2015 7:16 am
- Full Name: Paul
Re: Malware scanning with v12.1
Excellent
Thank you for the detailed information