So Andy, you did magic tricks some time ago, right? Can you tell me how security and ransomware scanning is done by Veeam with a card trick?

I'm a little rusty with it, but sure. Challenge accepted, I will give it a try…
Can you tell me how security and ransomware scanning is done by Veeam?
Sure.
So let's do an abstraction. So we've got your files. Let's think of 52 files inside a card deck.
Each card in this deck represents your workload: your database, your VMs, your servers, your file servers, your hardware servers.
Each card is one of them, and of course they all have a lot of data inside of them.
Now one of your files, one of your file servers, is getting corrupted. So let's, I don't know, say this one here. So the eight of spades is getting corrupted. Your data looks normal, and of course in your environment you have got a lot of scanning tools. You've got your XDR, you've got a SOC and SIEM and different solutions, EDR, and you scan the whole environment, but the new pattern of this attack is not known to your security solutions yet, and it has only infected a small amount.
So the scan will not alert you in any way. So it stays clean in your environment, the eight of spades in this case. So your environment is as before, with this encrypted file, with this malware attack, and you will not get notified of it.
So after a while the backup is running, and now the pattern is known, because there were some other customers in some other countries who did get this malicious attack, and now Veeam does have this kind of information, and when the backup is running it will see that there is something kind of strange, some workload which doesn't look normal.
So it will alert you by marking it. So it's marked in your whole backup environment, and in some way it just tells you: please have a look at this kind of workload, it looks different than the other ones.
The eight of spades is perhaps corrupted in some way. So you will have a look and perhaps clean it, or leave it on the system and just say, oh, it's okay, or just delete it.
So that's how that is working, and of course it makes sense, because after a while you get more information about more malicious attacks. But there are also some files which are quite different.
So let's suppose we arrange here to get a random file, like this one here. In our case it's the ace of spades, and this file is different because it's not encrypted in any way.
It doesn't have a high entropy, but it looks different because it is an SSH client or a TeamViewer client or a keylogger. And it was installed after all the systems were clean, and now it looks suspicious.
But it's a normal kind of software, so your normal alerting engine will not run here. But if you have a learning mode on and you know that before everything was green and now some kind of suspicious software or pattern is installed, then it would be nice to get an alert too, and that is what Veeam is doing here as well.
It's called indicator of compromise, and it's not a malware attack, but it is still an alert which will be raised here, for the ace of spades, to get your eyes on it and have a look at it.
So you can now scan the client, scan the workload, have a look if it is a normal thing an admin installed or if it is not wanted and should be removed from your whole infrastructure, and now you are secure again.
