Restoring specific files after virus/trojan infection?

[carlosbehlau]

Hello Veeam Experts,

a virus/Trojan did encrypt users files on a file server (like *.doc, like *.xls).

After resolving the virus/Trojan infections:
Now we need to restore all the original files to their original file location.

How can I get this done within Veeam?

Restore Guest File Explorer does not seems to have a search function build in and also Veeam Enterprise Manager seems to be able to add all the files, from the search to the restore list (when search *.xls in Veeam Enterprise Manager I am getting 15000 pages as search result - just saying "big" group folder with a lot of excel files ... - would take me ages to select them ...).
Does there exists a better way?

Restore with "keep" option does not seems to work, due to disk resource issues at the moment ... and later working within PowerShell or batch to copy the files to their original locations.
Also restore with "keep" option comes with the negative side effect, restores taking long time, as some group folder are in hundreds GBs ... taking a long time to restore ... while just needing specific file types back ...

Many thanks for your help.

Best regards


Carlos Behlau

[foggy]

Hi Carlos, please review the workaround given in this thread.

[lando_uk]

A workaround from 2013? Seems like file level restores haven't improved whatsoever over the years, its the one thing that lets Veeam down

[foggy]

Well, that's simply not true, since if you open the What's New for any Veeam B&R version since then, you will find a handful of FLR-related additions and improvements in each of them, including performance ones.

[lando_uk]

ok, maybe `whatsoever` was a little harsh, but the OPs question seems pretty straight forward. Where are the file filters and advanced options for FLR? He should be able select *.docx *.xls in the GUI and restore just those to their original locations. There should be options for restoring ACLs only for times when users have trashed their permissions. Having to rely on workarounds using explorer, PowerShell, robocopy isn't good when you're under pressure to restore millions of files in a timely manor.

[foggy]

I agree that there's some room for improvement, but as a long-time community member you definitely know that each feature has its priority (that is defined by the amount of requests and value to the product).

[lando_uk]

Hi Foggy, I feel a lot of us are still using two products because of these FLR limitations. We'd love to save money and use just Veeam, but some of the features I mentioned force us into still using that 2nd product. We basically backup our large file servers twice, once at the block level with Veeam and once using old fashioned agent based product just because it's much better at restoring a million small files. Every year when it comes to license renewal I have to explain why we need two products to the CIO.

[zuldan]

@lando_uk, is there any reason why you can't change your restore procedure slightly. You could 'Instant Restore' the VM then just use Windows standard file search to grab the files you want? You could write 1 liner Powershell script to search the files you need which is going to be more Powerful than what any other product can offer.

[foggy]

The mentioned workaround implies just that, even without the need for IR, just starting FLR session to mount the backup. But as Mark's reasonably noted, that's still a more manual process.

[lando_uk]

@lando_uk, is there any reason why you can't change your restore procedure slightly. You could 'Instant Restore' the VM then just use Windows standard file search to grab the files you want? You could write 1 liner Powershell script to search the files you need which is going to be more Powerful than what any other product can offer.

Yes I could do that. But why should I? I really need a easy process that 1st line (service desk) can use to restore files without the job ever getting to me. 1st line cant fire up a restored VM on the same network, using a new name, new IP address etc , that's crazy.

These mass encryptions aren't going away, you cant protect yourself from users clicking on things they shouldn't. The only thing you can do is make the recovery BAU, easy, quick and reliable.

[hoFFy]

These mass encryptions aren't going away, you cant protect yourself from users clicking on things they shouldn't. The only thing you can do is make the recovery BAU, easy, quick and reliable.

You can protect your environment with a Russian AV-product from Kasp... which has an anti-cryptor module for servers: it detects when files are being encrypted and then disconnects the encrypting client. This way you'll loose only 1-2 files until the AV gets active. Works like a Charme at a lot of our customers.

[cbc-tgschultz]

The mentioned workaround implies just that, even without the need for IR, just starting FLR session to mount the backup. But as Mark's reasonably noted, that's still a more manual process.

If you use robocopy to do it, it isn't that bad at all.

Code: Select all

robocopy <VEEAM FLR MOUNT> <DESTINATION ROOT> /COPYALL /S *.docx *.xlsx *.doc *.xls

[ETJ]

@ carlosbehlau...it is clear that some of us have been asking for this option for quite some time now in lieu of having to rely on workarounds dependent on 3rd party apps. For what it's worth, you can cast your vote here: veeam-backup-replication-f2/recovering- ... 24899.html