We also have malware protection active here and often there is simply feedback that pushes you more or less in the direction of YARA. Because there are no proper log file entries. Current case - an alleged ‘onion link’.
As our Veeam service provider here was very enthusiastic about the topic, but didn't say very much and I don't have any training material here, this is more of a red flag for me. I was referred to the site [ https://github.com/Yara-Rules/rules/tree/master/malware ] and there are a lot of nice entries there. But what do I do with them - apart from downloading them all and putting them in the right folder? Should I fire every single YARA rule at the backups if a server is suspected of being infected? I find that a little impractical at this point. In my current case, I have created my own file according to the tips here in the forum, similar to this one: post509261.html#p509261 . I'm curious to see what the rule will find (certainly nothing again) - the scan is currently only running for 27 minutes..
Where do you get the Yara rules from and isn't there something compact here? How do you decide which rule to apply in a suspected case?
Just a side question:
Does such possible malware also go out as a message in the direction of Syslog/SIEM? As we send this to a service provider and I have considered switching on the transport in Veeam as well, I would find that mega uncool with the false alarms. Because the external ones are sure to immediately go into headless chicken mode and start demanding clarification.
-
- Enthusiast
- Posts: 59
- Liked: 5 times
- Joined: Feb 01, 2022 10:57 am
- Full Name: David Springer
- Contact:
-
- Enthusiast
- Posts: 59
- Liked: 5 times
- Joined: Feb 01, 2022 10:57 am
- Full Name: David Springer
- Contact:
Re: Slightly tiresome topic: YARA
Update: Was an indirect hit, as the user had a browser plugin from Lavasoft, which had web addresses to be excluded in plain text in a file - including *.Onion
-
- Product Manager
- Posts: 14785
- Liked: 1722 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Slightly tiresome topic: YARA
Hello David,
YARA is great when you know what you are looking for, onion link is a good example. Generally, I'd rely on Antivirus scan capabilities since AV scans for any known signature instead of some particular one.Should I fire every single YARA rule at the backups if a server is suspected of being infected?
If you local security team is aware of possible infection they may investigate it within the backup files with the help of YARA rule tailored to look for specific patters / names / hashes / files relevant to that specific threat. For instance you can get a decent YARA rules for the most recent ransomware from U.S. Department of Homeland Security. Here is a good blogpost from fellow Veeam folks: Mastering YARA Rules: Malware Detection and AnalysisWhere do you get the Yara rules from and isn't there something compact here? How do you decide which rule to apply in a suspected case?
Sure. Syslog integration is aligned with all Windows events Veeam B&R creates: take a look at Event Reference > Malware Detection > Malware Activity DetectedDoes such possible malware also go out as a message in the direction of Syslog/SIEM?
Who is online
Users browsing this forum: Baidu [Spider], renatorichina and 135 guests