
Veeam's All-Encompassing Malware Detection: Protecting Your Backups at Every Stage


SSimpson

In the ongoing fight against ransomware, companies are becoming increasingly resilient. Reports from Coveware by Veeam highlight a notable decrease in ransomware payments during Q4 of 2024. This progress is credited to several key factors, such as enhanced federal regulations, successful takedowns of major cybercriminal groups, and, most importantly, organizations' improved preparedness and resilience in responding to and recovering from encryption-based malware attacks.
Data protection has undergone significant changes in recent years. Conversations have moved beyond topics like inline vs. post-process deduplication to focus more on security-driven areas such as workload immutability, incident response, and malware detection. Scanning backups for malware was never intended to replace traditional endpoint or extended detection and response tools. Instead, it serves as an additional layer of detection, enhancing a defense-in-depth strategy for identifying malware. Veeam offers the most practical and comprehensive malware scanning capabilities across the entire backup process—before, during, and after. Let’s dive into each use case.

Proactive Threat Assessment

Based on the MITRE ATT&CK framework (Inhibit System Recovery, T1490) and data from Coveware by Veeam, we know that threat actors go after backups once they gain initial access, so that recovery is not an option when the encryption starts. Veeam is the only vendor that proactively looks for this kind of suspicious behavior before a backup is taken.

  • Recon Scanner: Provides proactive alerts on potential threats to your backup server, detecting suspicious events such as unfamiliar IP addresses attempting remote access or brute-force attempts against accounts. It helps identify weaknesses in the backup infrastructure and builds a timeline of events that can later be used to pinpoint clean restore points.
  • Observability, Analytics & AI-powered Insights: Detects anomalies in the production environment before a backup runs, identifying unusual VM behavior, brute-force attacks against ESXi and vCenter, and suspicious SSH activity.
  • Veeam Incident API: Allows third-party security tools (EDR, XDR, SIEM) to report a detection to Veeam, which marks the affected restore points as suspicious and can trigger an out-of-band backup of a workload that is actively being encrypted.

Multiple Layers of In-line Detection

Veeam detects and mitigates threats in real time while the backup is running, rather than requiring a separate post-process scan or shipping backup metadata to a vendor cloud just to identify bulk changes.

  • IoC Scanner: Checks whether tools known to be used by cybercriminals are running on the protected machines and detects newly installed tools, including living-off-the-land binaries, that can exfiltrate, encrypt or destroy data.
  • Entropy Analysis: Scans data blocks for randomness to spot data that has been encrypted, and also looks for .onion links and ransom notes.
  • File Indexing: Compares the indexed file names against a list of known malware file extensions, so that suspicious restore points are flagged quickly.
  • Immutable Backups: Ensures backups survive an encryption attack and remain recoverable, with options such as the Veeam Hardened Repository, Veeam Vault storage, and third-party immutable storage.
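As an added illustration of what the Entropy Analysis bullet describes (this is example code written for this page, not Veeam's own detection engine), the following scanner walks a byte image block by block, computes the Shannon entropy of each block to spot ciphertext, and searches for ransom-note phrases and Tor .onion addresses. The thresholds, the phrase list, and the three-block sample image (clean text, pseudo-random bytes standing in for encrypted data, a ransom note) are all constructed for the example.

```python
import hashlib
import math
import re
from dataclasses import dataclass

# Hypothetical thresholds chosen for this example, not Veeam's tuning.
HIGH_ENTROPY_BITS = 7.5   # bits per byte; random or encrypted data approaches 8.0
MIN_BLOCK_LEN = 256       # short tail blocks give unreliable entropy estimates

# Constructed ransom-note phrases; a real engine would use a much larger list.
RANSOM_PHRASES = (
    b"your files have been encrypted",
    b"decrypt your files",
    b"bitcoin",
    b"ransom",
)
# Tor v2 (16 chars) or v3 (56 chars) hidden-service address, base32 alphabet.
ONION_RE = re.compile(rb"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class BlockVerdict:
    offset: int
    entropy: float
    high_entropy: bool
    ransom_note: bool
    onion_links: list


def scan_block(offset: int, block: bytes) -> BlockVerdict:
    """Run the three checks (entropy, ransom-note phrases, .onion links) on one block."""
    ent = shannon_entropy(block)
    lowered = block.lower()
    return BlockVerdict(
        offset=offset,
        entropy=round(ent, 3),
        high_entropy=len(block) >= MIN_BLOCK_LEN and ent >= HIGH_ENTROPY_BITS,
        ransom_note=any(p in lowered for p in RANSOM_PHRASES),
        onion_links=[m.decode() for m in ONION_RE.findall(lowered)],
    )


def scan_image(image: bytes, block_size: int = 4096) -> list:
    """Scan an image block by block; return verdicts only for blocks that trip a check."""
    verdicts = []
    for off in range(0, len(image), block_size):
        v = scan_block(off, image[off:off + block_size])
        if v.high_entropy or v.ransom_note or v.onion_links:
            verdicts.append(v)
    return verdicts


def build_sample_image(block_size: int = 4096) -> bytes:
    """Constructed three-block image: clean text, ciphertext stand-in, ransom note."""
    clean = (b"Quarterly report: revenue grew modestly. " * 200)[:block_size]
    # Chained SHA-256 digests give deterministic, near-uniform bytes (entropy ~7.95).
    enc = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(block_size // 32))
    note = (b"ALL YOUR FILES HAVE BEEN ENCRYPTED! To decrypt your files, visit "
            b"http://abcdefghijklmnop.onion and pay 2 bitcoin.").ljust(block_size, b"\n")
    return clean + enc + note


if __name__ == "__main__":
    for verdict in scan_image(build_sample_image()):
        print(verdict)
```

Entropy on its own is a noisy signal: archives, media files and volumes that are encrypted by design all look like ciphertext, so a production engine compares a block's entropy against the same block in earlier restore points and correlates the result with the ransom-note, extension and IoC signals rather than alerting on randomness alone. The threshold and minimum block size above are starting points to tune, not recommendations.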

Ensuring Fast and Clean Recovery

Unfortunately, ransomware would not exist if prevention and detection tools caught everything. Organizations must prepare for the worst while hoping for the best. Post-process scanning is what ensures that the data being restored is clean and that a threat actor who evaded detection does not simply come back with the restore.

  • Recon Blast Radius: Identifies the actual scope of a ransomware attack, distinguishing encrypted or corrupted files from intact ones and building a timeline of events.
  • Threat Hunter: Scans restore points for malware using a signature-based antivirus engine, ensuring only clean data is used for recovery.
  • YARA Rule-based Scanning: Looks for indicators of compromise using your own or shared YARA rules, catching malware that other tools missed or that has no signature yet.
  • Orchestrated Restore & Cleanroom Capabilities: Creates detailed recovery plans, then tests and validates the recovery of critical applications in an isolated environment.

Bringing it All Together

These scanning capabilities are most effective when security teams are involved. Forwarding events to the tools and dashboards your security team already uses is what makes automated response possible. Let's put this all together in an example to better visualize how these components work together:

  1. Veeam or an EDR/XDR tool detects suspicious behavior on a machine before or during a backup.
  2. The event is forwarded to the organization's SIEM.
  3. A playbook automatically kicks off an instant restore of the suspected machine into a cleanroom environment, where Veeam Threat Hunter provides a second opinion.
  4. If the scan comes back clean, the playbook marks the event as a false positive.
  5. If the scan confirms malware, Recon Blast Radius scans the affected machines to establish the timeline and the scope of impacted data.
  6. Finally, once the scope of the attack is known and the threat actor has been properly eradicated, recover from whichever source is fastest (replicas, storage snapshots or backups) rather than being limited to backups on spinning disk.

Veeam’s commitment to cybersecurity spans the entire data lifecycle, before, during, and after backup. It works to ensure your data is protected at every stage, minimizing the risk and impact of cyber-attacks while enabling fast and efficient recovery. With its advanced scanning technologies and proactive strategies, Veeam stands out as the most reliable solution for malware detection and recovery. By integrating these tools with the rest of the security stack and staying vigilant against evolving threats, Veeam helps organizations stay ahead of cyber risks, keeping their data secure and their operations running smoothly.

1 comment

Chris.Childerhose

If only we could get MSPs to be able to test Recon Scanner. Everything else built into VBR now is great, including Threat Hunter. 😎
