
I get the difference between RI and FI. The question is, if I’m using RI, can I do a full restore at a point in time in the past? As in, I walk in this morning and all my servers have been crypto’d. Obviously, the last backup (full) is useless. Can I ask for a full restore or instant recovery as of 2 days ago?


Hi @Serge.Adam1060 

 

Yes, of course.

You can choose the required restore point to restore with both methods.

If you have configured 7 restore points to keep, you will be able to restore each one of these 7 days.

But if the attacker has deleted or encrypted the full backup file, you have nothing. Veeam will not be able to do the restore from a vrb file alone. It needs the VBK file with the content readable.


So the safest would be a Forward Incremental right? 



Not really. It’s the same for forward incremental and reverse incremental.

You need the full backup file to do the restore of a day with only an incremental backup.

If you lose the vbk file (hacker deleted or modified it), then you cannot do a restore from an incremental backup file. The incremental backup file depends on the full backup file.

 

Safest is to have an airgapped, offline or immutable copy of your backup data. Everything that is connected to the backup server and is not immutable can be seen as insecure.


Hi @Serge.Adam1060,

 

Just to join in with what @Mildur is talking about, there are two distinct things we’re talking about here.

 

Reverse/Forward incremental will not matter for your recovery impact, either will work. What matters is the backup chain isn’t deleted/modified. Forward & Reverse only dictate which way the backup chain stores its data. Reverse incremental makes the newest backup a full, and ejects out older changed data into reverse incremental restore points. Whilst incremental has the original full file and every new backup is just immediately an incremental file. But as the reverse incremental or incremental files don’t contain all the data, they still need the other files in the chain including the full, to recover their data.

 

 

As Mildur says, to stand a better chance of this, airgapped/offline or immutable copies of data are going to be your best friends.

Unplugged/disconnected data can’t be tampered with because it is inaccessible to the attack.

Immutable data doesn’t have the correct permissions to modify any data and the modification is rejected, preserving the integrity of the data.

 


Assume the backup repository is safe. 

My server gets crypto’d before the backup window.

By my understanding:

 

FI, my full is safe and the latest incremental is FUBARed. I can restore my full and the last safe incremental.

 

RI, since all the crypto’d files are merged in the full, I have no good recovery point.

 

Or am I missing something?

 


Not completely sure if I get your thought correctly.

When you assume your backup repo is safe, then you have all restore points available regardless if it is forward or reverse incremental strategy.

When your backup repo is encrypted, all is lost regardless of your incremental strategy.
Therefore an immutable or physical air-gapped copy of your backups is a good idea - always.


I’ll try to be clearer. The backup repository cannot be reached from the server network, so it can’t be encrypted by the malware. 

Now, my file server gets encrypted, all files, just before the backup window.

The backup is taken, it will show all files have been changed and back them all up.

My restore points are set at 7.

My understanding is this:

Using FI, I have a good full, 5 good incrementals and one completely hosed incremental. I can restore to 2 days ago.

 

Using RI, the last backup, the encrypted files, is merged into the full and therefore I have no good full to use as a restore point.

 


Can the backup repo be reached from the backup server?

Then it is not safe :)

 

———

If your backup files are untouched by the attack, then you will be able to restore all data from one of the restore points. No issue there.

Same for RI. You will be able to restore any available restore point. It doesn’t matter whether Veeam has done a backup of encrypted files or not.

 


Maybe my understanding of RI is wrong, but I understand that the last incremental is injected into the full. If the last incremental contains all the files on the server in an encrypted form, and that is injected into the full, isn’t my only available full entirely encrypted?


No, it’s not.

You have the unencrypted data of your VMs in the vrb files.

It will work.


  1. During the first backup job session, Veeam Backup & Replication creates a full backup file in the backup repository.
  2. During subsequent backup job sessions, Veeam Backup & Replication copies only VM data blocks that have changed since the last backup job session.
    Veeam Backup & Replication “injects” copied data blocks into the full backup file to rebuild it to the most recent state of the VM. Additionally, Veeam Backup & Replication creates a reverse incremental backup file containing data blocks that are replaced when the full backup file is rebuilt, and adds this reverse incremental backup file before the full backup file in the backup chain.

So, your unencrypted backup files remain...
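
The reverse incremental behaviour quoted above, modelled as an added Python example (not part of the original thread and not Veeam code). It assumes a fixed set of disk blocks, ignores retention, and uses hypothetical names and constructed data; it shows why an encrypted latest backup still leaves older restore points clean, and why every restore point fails once the full is gone.

```python
# Toy model of a reverse incremental chain. Constructed data; not Veeam's file format.
# ReverseChain, backup, restore and demo are hypothetical names for this example.

class ReverseChain:
    def __init__(self, disk):
        self.vbk = dict(disk)  # full backup file: always the most recent state
        self.vrbs = []         # reverse increments, oldest first

    def backup(self, disk):
        """Inject changed blocks into the full; save the replaced blocks as a new vrb."""
        replaced = {}
        for blk, data in disk.items():
            if self.vbk[blk] != data:
                replaced[blk] = self.vbk[blk]  # old content moves to the vrb
                self.vbk[blk] = data           # new content goes into the full
        self.vrbs.append(replaced)

    def restore(self, points_back=0):
        """Rebuild the disk as it was `points_back` restore points before the latest."""
        if self.vbk is None:
            raise RuntimeError("full backup (vbk) missing or unreadable")
        if not 0 <= points_back <= len(self.vrbs):
            raise ValueError("no such restore point")
        state = dict(self.vbk)
        # Walk backwards from the full, newest vrb first.
        for vrb in reversed(self.vrbs[len(self.vrbs) - points_back:]):
            state.update(vrb)
        return state


def demo():
    day1 = {0: "invoices", 1: "payroll", 2: "photos"}
    day2 = {0: "invoices", 1: "payroll-v2", 2: "photos"}
    day3 = {blk: "ENCRYPTED" for blk in day1}  # server encrypted before the backup window
    chain = ReverseChain(day1)
    chain.backup(day2)
    chain.backup(day3)
    return chain, day1, day2, day3


if __name__ == "__main__":
    chain, day1, day2, day3 = demo()
    print("latest :", chain.restore(0))
    print("1 back :", chain.restore(1))
    print("2 back :", chain.restore(2))
    chain.vbk = None  # full deleted or encrypted on the repository
    try:
        chain.restore(1)
    except RuntimeError as err:
        print("restore failed:", err)
```
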


Ah, now I get it. So the vbr are the files from the vbk prior to the backup. 

 

I thank you both for your expertise and patience.

 


Yes, they are - vrb files...

No problem, for this the community exists. :sunglasses:


This was a great question! Helped me clear up a few bits I was uncertain about with the way the backup RI works. Thanks all!

