
The malware detection methods in this module are complementary to one another, offering defense-in-depth through diverse techniques that identify and alert on malware both before and after a potential recovery scenario.


Guest Indexing Data Scan

Guest Indexing Data Scan is a feature in Veeam Backup & Replication that enhances malware detection by analyzing file system activity during backup jobs.

Here's how it works:

  • Step 1: Backup Job Completion. When a backup job with guest file system indexing enabled completes, the indexing data is saved in the VBRCatalog folder on the backup server.
  • Step 2: Notification. The Veeam Guest Catalog Service notifies the Veeam Data Analyzer Service about new data that needs to be scanned.
  • Step 3: Data Analysis. The Veeam Data Analyzer Service checks the last scan results and initiates a new guest indexing data scan if necessary.
  • Step 4: Malware Detection. The scan detects known suspicious files and extensions, renamed or deleted files, and other malware activity.
  • Step 5: Indicators of Compromise (IoC) Detection. The scan also detects Indicators of Compromise (IoCs), such as tools commonly used by hackers to breach environments and exfiltrate data. This involves an entropy AI/ML scan that looks for suspicious changes in the protected machine, such as unusual network traffic, unusual user or system processes, suspicious configuration modifications, and unexpected software installations or updates, among many other indicators.


Inline Scan

The Inline Scan feature in Veeam Backup & Replication enhances malware detection by analyzing data blocks during backup jobs using inline entropy analysis.

Malware Detection Capabilities

Inline Scan can detect encrypted files by triggering malware detection events if the amount of encrypted data exceeds sensitivity limits. It also identifies text artifacts such as V3 onion addresses and ransomware notes from specific malware families like Medusa and Cl0p. This proactive detection helps maintain the security and integrity of backup data.

How Inline Scan Works

During a backup job, Veeam analyzes metadata of data blocks and saves ransomware-related data in temporary files. After the backup completes, this data is stored in the VBRCatalog folder on the backup server. The Veeam Guest Catalog Service then notifies the Veeam Data Analyzer Service about the new data. The Data Analyzer Service checks previous scan results and initiates new scans if needed. It compares new restore points with the earliest one created within the last 25 hours or the nearest restore point within 30 days. If malware activity is detected, a detection event is created, and suspicious objects are marked.
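As an added illustration (not Veeam's code), the Python sketch below models the two Inline Scan signals described above: per-block Shannon entropy compared against a sensitivity limit, and a text-artifact check for V3 onion addresses. The block size, entropy threshold, sensitivity value and sample inputs are assumptions constructed for the example.

```python
import hashlib
import math
import re
from collections import Counter

# Tor v3 onion service addresses are 56 base32 characters followed by ".onion".
ONION_V3 = re.compile(rb"\b[a-z2-7]{56}\.onion\b")


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum (uniformly random or encrypted data)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def scan_blocks(data: bytes, block_size: int = 4096,
                entropy_threshold: float = 7.5, sensitivity: float = 0.5) -> dict:
    """Split data into fixed-size blocks, count high-entropy (likely encrypted) blocks,
    look for onion-address text artifacts, and raise a detection if the encrypted
    ratio exceeds the sensitivity limit or an artifact is present (assumed thresholds)."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    encrypted = sum(1 for b in blocks if shannon_entropy(b) >= entropy_threshold)
    ratio = encrypted / len(blocks) if blocks else 0.0
    onions = sorted({m.decode() for m in ONION_V3.findall(data)})
    return {
        "blocks": len(blocks),
        "encrypted_blocks": encrypted,
        "encrypted_ratio": ratio,
        "onion_addresses": onions,
        "detected": ratio > sensitivity or bool(onions),
    }


# Constructed samples: ordinary text, pseudo-random bytes standing in for
# encrypted content, and a fake ransom note with a placeholder onion address.
PLAINTEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 200
ENCRYPTED_SAMPLE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
PLACEHOLDER_ONION = "a" * 56 + ".onion"
RANSOM_NOTE_SAMPLE = (b"Your files are encrypted. Contact us at http://"
                      + PLACEHOLDER_ONION.encode() + b" for the key.")

if __name__ == "__main__":
    for name, sample in [("plaintext", PLAINTEXT_SAMPLE),
                         ("encrypted", ENCRYPTED_SAMPLE),
                         ("ransom note", RANSOM_NOTE_SAMPLE)]:
        print(name, scan_blocks(sample))
```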


Integrating YARA with Veeam

Integrating YARA rules into Veeam Backup & Replication enhances its malware detection capabilities. Here’s how the integration works:

  1. Create YARA Rules: Develop YARA rules to identify patterns associated with known malware.
  2. Import YARA Rules: Import these rules into the Veeam Backup & Replication environment using the management console.
  3. Scan Backup Files: Veeam uses the imported YARA rules to scan backup files for signs of malware.
  4. Analyze Results: Veeam generates detailed reports on the scan results, highlighting any detected threats and providing insights into the nature of the malware.

Integrating YARA rules into Veeam Backup & Replication significantly enhances malware detection and analysis. This proactive approach helps safeguard critical data, ensuring that backup environments remain secure and uncompromised.
