Solved

Checking for ransomware encrypted files?

  • 5 October 2023


Hi VEEAMers!

 

Finishing deployment of our VEEAM environment with Virtual Lab/SureBackups and found the built-in checks are pretty basic and pretty much only check if the VM is listening on a particular port after restore. It definitely helps to make sure the server is not corrupted and is functional, but it does not give any validation of whether it was hit by ransomware or not. What would (from my point of view) is if there were built-in checks that a particular file (of the types most commonly encrypted by ransomware, VEEAM probably knows better - but I’d do .doc, .pdf, .7z, etc.) can be successfully opened. Any improvements in that area in the upcoming 12.1?

Or maybe I am wrong and someone can point me out to the fact it has been already done and I just don’t know how to do it?

Cheers,

Alex.

 


Best answer by MicoolPaul 5 October 2023, 06:47


Hi Alex

Today you can write and provide your own test scripts within a SureBackup job. Such a script could check the integrity of a file. But opening all files on your fileserver will take too long. Maybe just access a few random files and check for the error code.

In our next version, we will bring new features around ransomware detection (announced at VeeamOn 2023). Please register for our upcoming event on Oct 24th to learn more:

https://www.veeam.com/veeamon-resiliency-summit

 

Best,

Fabian


Hi,

 

I get the point you’re making. Veeam are going about the test scenario you’re talking about from a different angle in 12.1, and I personally believe it’s a better approach. In 12.1 Veeam will leverage Guest OS indexing to check for file types that are ransomware extensions, which helps to proactively capture this at backup time instead of at SureBackup time.

There’s an argument to be made for sure that only if all your files opened okay then they weren’t encrypted as what if the file extension wasn’t changed, but realistically that would be a HUGE amount of validation effort to script.

 

Out of the box Veeam does do port checks and has a VBS script to check your SQL database instances are all online without any databases in an offline state etc which is good, but that’s where you can then script the scenarios you want to extend this further, bespoke to your environment.

 

If you’ve got a small enough footprint that you could validate each individual file’s integrity in a timely manner, go for it!


Fabian, Paul - you are legends, and your prompt and very detailed answers are, as usual, really appreciated. Not the first time, but always more than I expected.

Agree with every point, already registered for VeeamOn, but unfortunately will be travelling to US during that time so a small chance will be able to attend, but will see.

Our environments are relatively small, so I had an idea to deploy some “honeypot” files on the servers which I will be checking later. So not all files but just a couple per server - I guess it shouldn’t generate a huge additional load or take too much time. I am of course aware of custom scripts, but it all takes time, and as from my point of view pretty much every customer will benefit from that function, I guess VEEAM can take care of adding it as a standard function?

Anyway, I am fine with both provided solutions (will pick Paul’s one as the best for the insight about the upcoming functionality 😜)

Cheers

Alex  
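
The "honeypot" file check discussed in this thread, sketched as an added example (not code from any poster or from Veeam): each canary is compared against a SHA-256 baseline recorded at deployment, so in-place encryption is caught even when the file extension is unchanged. It assumes Python is available where the test script runs, that the canary paths are reachable from there, and that the job treats a non-zero exit code as a failed test; the `path=sha256` command line and the sample files are constructed for illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Leading "magic" bytes for the file types named in the thread.
MAGIC = {
    ".pdf": b"%PDF-",
    ".doc": bytes.fromhex("d0cf11e0a1b11ae1"),  # OLE2 compound file
    ".7z": bytes.fromhex("377abcaf271c"),
}

def check_canary(path, expected_sha256):
    """Return "ok", or the reason the canary no longer matches its baseline."""
    p = Path(path)
    if not p.is_file():
        return "missing"        # e.g. renamed with an added extension
    data = p.read_bytes()
    magic = MAGIC.get(p.suffix.lower())
    if magic and not data.startswith(magic):
        return "bad-header"     # content replaced, extension unchanged
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        return "hash-mismatch"  # header intact but body altered
    return "ok"

def failed_canaries(baseline):
    """baseline maps path -> SHA-256 recorded when the canary was deployed."""
    results = {p: check_canary(p, h) for p, h in baseline.items()}
    return {p: r for p, r in results.items() if r != "ok"}

def demo():
    """Constructed sample: three canaries, two tampered with after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        d, body = Path(tmp), b"%PDF-1.4\n" + b"canary " * 64
        baseline = {}
        for name in ("a.pdf", "b.pdf", "c.pdf"):
            (d / name).write_bytes(body)
            baseline[str(d / name)] = hashlib.sha256(body).hexdigest()
        # XOR stands in for encryption in place; the rename for an added extension.
        (d / "b.pdf").write_bytes(bytes(b ^ 0xA5 for b in body))
        (d / "c.pdf").rename(d / "c.pdf.locked")
        return {Path(p).name: r for p, r in failed_canaries(baseline).items()}

def main(argv):
    # Hypothetical CLI: canary_check.py <path>=<sha256> [...]; no args runs demo.
    failures = (failed_canaries(dict(a.rsplit("=", 1) for a in argv[1:]))
                if len(argv) > 1 else demo())
    for path, reason in failures.items():
        print(f"CANARY FAILED: {path}: {reason}")
    return 1 if failures else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The baseline hashes need to be stored somewhere the protected servers cannot modify, otherwise a tampered canary can be re-baselined along with it.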
