Comprehensive data protection for all workloads
Post Reply
dspringer
Enthusiast
Posts: 59
Liked: 5 times
Joined: Feb 01, 2022 10:57 am
Full Name: David Springer
Contact:

Slightly tiresome topic: YARA

Post by dspringer »

We also have malware protection active here and often there is simply feedback that pushes you more or less in the direction of YARA. Because there are no proper log file entries. Current case - an alleged ‘onion link’.

As our Veeam service provider here was very enthusiastic about the topic, but didn't say very much and I don't have any training material here, this is more of a red flag for me. I was referred to the site [ https://github.com/Yara-Rules/rules/tree/master/malware ] and there are a lot of nice entries there. But what do I do with them - apart from downloading them all and putting them in the right folder? Should I fire every single YARA rule at the backups if a server is suspected of being infected? I find that a little impractical at this point. In my current case, I have created my own file according to the tips here in the forum, similar to this one: post509261.html#p509261 . I'm curious to see what the rule will find (certainly nothing again) - the scan is currently only running for 27 minutes..

Where do you get the Yara rules from and isn't there something compact here? How do you decide which rule to apply in a suspected case?

Just a side question:
Does such possible malware also go out as a message in the direction of Syslog/SIEM? As we send this to a service provider and I have considered switching on the transport in Veeam as well, I would find that mega uncool with the false alarms. Because the external ones are sure to immediately go into headless chicken mode and start demanding clarification.
dspringer
Enthusiast
Posts: 59
Liked: 5 times
Joined: Feb 01, 2022 10:57 am
Full Name: David Springer
Contact:

Re: Slightly tiresome topic: YARA

Post by dspringer » 2 people like this post

Update: Was an indirect hit, as the user had a browser plugin from Lavasoft, which had web addresses to be excluded in plain text in a file - including *.Onion
Dima P.
Product Manager
Posts: 14785
Liked: 1722 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Slightly tiresome topic: YARA

Post by Dima P. »

Hello David,
Should I fire every single YARA rule at the backups if a server is suspected of being infected?
YARA is great when you know what you are looking for, onion link is a good example. Generally, I'd rely on Antivirus scan capabilities since AV scans for any known signature instead of some particular one.
Where do you get the Yara rules from and isn't there something compact here? How do you decide which rule to apply in a suspected case?
If you local security team is aware of possible infection they may investigate it within the backup files with the help of YARA rule tailored to look for specific patters / names / hashes / files relevant to that specific threat. For instance you can get a decent YARA rules for the most recent ransomware from U.S. Department of Homeland Security. Here is a good blogpost from fellow Veeam folks: Mastering YARA Rules: Malware Detection and Analysis
Does such possible malware also go out as a message in the direction of Syslog/SIEM?
Sure. Syslog integration is aligned with all Windows events Veeam B&R creates: take a look at Event Reference > Malware Detection > Malware Activity Detected
Post Reply

Who is online

Users browsing this forum: Baidu [Spider], renatorichina and 135 guests