• EN

YARA and Script Library

Download featured YARA rules, browse code samples or contribute your own scripts

  • 153 Topics
  • 749 Comments

153 Topics

Rick Vanover
Rick VanoverRICKATRON
posted in YARA and Script Library

How to install a YARA rule with Veeam

We’ve updated the Script Library section to include YARA rules. I’ve made a quick video (sorry for the cheesy graphics...) on how to install a YARA rule from this site and perform your first scan! 

12
Rick Vanover
3 months ago
Rick Vanover
Rick VanoverRICKATRON
published in YARA and Script Library

YARA and Script Library Supportability

Welcome to the YARA and Script Library! This area of the community hub will provide community driven scripts and YARA rules, with selected featured items.  Veeam Data Platform 23H2 includes Veeam Backup & Replication v12.1 which includes YARA Scanning. This area of the Veeam Community Hub will offer featured YARA rules for use. Custom script troubleshooting is not supported. What's in Scope:Confirming that Veeam Backup & Replication recognized the YARA rule file.What's Out of Scope:Troubleshooting why a custom YARA rule did not function as intended.This area also includes scripts in the Script Library. Generally speaking, scripts are licensed to you by the sample's author and fall under your responsibility and is governed by the Veeam Customer Support Policy. The figure below summarizes the scripting support for PowerShell:Excerpt from KB2183: PowerShell Script Execution Troubleshooting Advice (veeam.com) 

5180
Rick Vanover
4 months ago
J
JestyrNot a newbie anymore
asked in YARA and Script Library

Need advice on speeding up retrieval Backup stats via PowerShell

Hi, everyone!   I have a PowerShell script that I use to retrieve some information about the daily backup sessions.  It works well, but I was trying to transition it from the Get-VBR-Job command to the Get-VBRBackup command.  Everything works but the newer script is very slow;  it went from a few seconds with the old script to 5-10 minutes with the new.  I was wondering if anyone could give me pointers on a more efficient way to get the session information or otherwise speed it up. Thanks in advance!!RobbOriginal script#backup JobsForeach ($JobObject in Get-VBRJob){ #write-host "loop number ${$jobobject.indexof()}" $session=$jobobject.FindLastSession() if (!($JobObject.JobType -eq "BackupSync")) { $JobOutput = New-Object -TypeName PSObject if (((get-date).AddDays(-1) -lt $session.Progress.StopTimeLocal) -or ($session.Result -in "Failed","None")) { $JobOutput | Add-Member -Name "Job Name" -MemberType Noteproperty -Value $JobObject.Name $JobOutput | Add-Membe

5
jcolonfzenpr
10 hours ago
jcolonfzenpr
jcolonfzenprVeeam Vanguard
posted in YARA and Script Library

New Release of AsBuiltReport.Veeam.VBR v0.8.6

Hello Community! Recently several changes were added to the AsBuiltReport.Veeam.VBR script that allow to improve the documentation process of Veeam B&R infrastructure. On this occasion, several bugs were fixed and a new feature was added to generate a diagram of the implemented components in the Veeam Backup & Replication infrastructure. Here are the new changes:https://techmyth.blog/posts/abr-veeam-vbr-0_8_6/ In addition I provide the following links so that you can see the sample report and an example of the infrastructure diagram. Sample ReportInfrastructure Diagram: Hasta la proxima! 😎  

1
Chris.Childerhose
4 days ago
ratkinsonuk
ratkinsonukComes here often
asked in YARA and Script Library

Powershell COM Help

Forgive me, as this isn’t strictly a Veeam topic, but I’m pulling my hair out.I’m trying to enhance a Windows Update Powershell script. The current script occasionally hangs when we invoke a COM CreateUpdateSearcher() method.$updateSession = new-object -com "Microsoft.Update.Session"$Criteria = "IsInstalled=0"$updates = $updateSession.CreateupdateSearcher().Search($criteria).UpdatesThis runs synchronously, so I can’t trap the hang. Instead, I want to use the BeginSearch() method that runs asynch (https://learn.microsoft.com/en-us/windows/win32/api/wuapi/nf-wuapi-iupdatesearcher-beginsearch). My problem is it requires an ‘IUnknown ISearchCompletedCallback’ object to be passed as one of the parameters. I don’t need this to be invoked, so it can be an empty object, but I can’t work out how to create an empty IUnknown object.$UpdateSession = New-Object -ComObject "Microsoft.Update.Session"$objSearcher = $UpdateSession.CreateUpdateSearcher()$objSearch = $objSearcher.BeginSearch('IsInstalled

2
ratkinsonuk
8 days ago
R
Ricardo MazzarelloNew Here
asked in YARA and Script Library

Veeam Backup & Replication- Powershell script for retrieve all backup jobs parameter

Hi, Good evening.I am analyzing different Veeam Backup & Replication instances and I would like take all parameters for every backup job present on every VB&R instances that I am analyzing.I would like to know if is possible launch one powershell script  for retrieve these values for example: start time for every schedule job, servers involved, backup modality (full, incremental, reverse incremental, etc) aware setting if exist, etc.Thanks in advance.Best regardsRicardo

6
SteveHeart
8 days ago
SteveHeart
SteveHeartVeeam MVP
posted in YARA and Script Library

Powershell - VBR 12.1 - Guest Index Data Scan Manager

IntroFirst of all: Happy new year to everyone!With Veeam Backup & Replication 12.1, many new security features have been added. One of these is the Guest Index Data Scan. For this, Veeam Backup & Replication uses a signature-based approach. During/after the backup job, the following malware activity can be detected:- Malware signatures specified in the "C:\Program Files\Veeam\Backup and Replication\Backup\SuspiciousFiles.xml" on the backup server- Multiple files renamed by malware- Multiple files deleted by malwarePlease read the Help Center documentation  to learn more about the details and how it works.In addition to the XML file, manual customization is also possible. You can add a malware signature that is marked as suspicious (Suspicious files) or that should be skipped (Trusted files) during the scan. See here. Questions you might askBut how do you know how many "built-in" and how many manually entered entries there are? Of course you can check the manual settings in the

5
vAdmin
25 days ago
D
damien commengeVeeam Legend
posted in YARA and Script Library

Get all malwares detections

Hello,With some people help me, I have this "script" to get all differents malwares detections based on date + VM name + Path.This is usefull to avoid read several files. $Path = "C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\"$Files = (Get-ChildItem -Path $Path).FullNameSelect-String -Path $Files -Pattern '^\[(?<Date>[^\]]+).+\s(?<VM>[^:]+):.+?:(?<File>.+)' -AllMatches | ForEach-Object { $match = $_.Matches[0] [PSCustomObject]@{ Date = $match.Groups['Date'].Value VM = $match.Groups['VM'].Value File = $match.Groups['File'].Value } } | Sort-Object VM, File -Unique 

2
Chris.Childerhose
1 month ago
dips
dipsVeeam Legend
posted in YARA and Script Library

YARA Rule for CVE-2024-3094

Hi Folks,Following on from the news regarding a backdoor in the Linux library xz, a Yara Rule is now available that can be used in Veeam 12.1 if you do not utilise a vulnerability scanner in your environment. Great way to check by leveraging Veeam to do the scanning for you. There is more info about the vulnerability on the post by @JMeixner :Yara Rule can be found here: https://github.com/Neo23x0/signature-base/blob/master/yara/bkdr_xz_util_cve_2024_3094.yar 

0
dips
1 month ago
leduardoserrano
leduardoserranoVeeam Vanguard
asked in YARA and Script Library

VDC 365 Data Residency in Brazil's South Azure Region

Hi Community team! I have a doubt regarding the availability of VDC 365 Data Residency in Brazil's South Azure Region. I didn´t find this information in the documentation.The service´s docs state that backup data created by Veeam Data Cloud for Microsoft 365 or Veeam Data Cloud for Microsoft Azure can be targeted to and reside in any Azure region as end users request. Metadata is encrypted and stored in one of the following Azure regions: United States West. United Kingdom South, or Australia East.Do you know if storing the backups in Brazil's South Region in an LRS redundancy schema is possible?Choose the Right Azure Region for You | Microsoft AzureThanks so much for your help! 

1
leduardoserrano
1 month ago
jcolonfzenpr
jcolonfzenprVeeam Vanguard
posted in YARA and Script Library

AsBuiltReport for Veeam Backup for Microsoft 365

Hello,These last few weeks I have had the time to give some attention to the AsBuiltReport.Veeam.VB365 report. This time a lot of improvements and new sessions were added to collect much more information about the Veeam Backup for Microsoft 365 infrastructure. Here I provide you with the changes:https://github.com/AsBuiltReport/AsBuiltReport.Veeam.VB365/releases/tag/v0.3.0 Now the reason for writing this post is to share with all of you about a project I have been working on in my spare time and it is about Diagramming the Veeam infrastructure. In this new version of the AsBuiltReport.Veeam.VB365 report I added the ability to create a simple diagram of the deployed VB365 components. This tool uses Graphviz and the PSGraph module to generate the diagram. Here is the main link where you can see how to use the report:https://github.com/AsBuiltReport/AsBuiltReport.Veeam.VB365In this link you can find the code I use to generate the diagram!https://github.com/AsBuiltReport/AsBuiltReport.Veea

4
Chris.Childerhose
1 month ago
A
AlexSimpsonNot a newbie anymore
asked in YARA and Script Library

Powershell for getting members of Physical Infrastructure

I have a pretty simple request that I just can’t seem to identify the correct command for.I’m just looking to be able to query what job a system is a member of. It’s very easy to do for any virtual systems, but harder for physical. Connecting and getting the job are easy. And the $Job.BackupObject property contains the Physical Infrastructure object I’m interested in, but not the actual members of the Physical Infrastructure box.The script:The Physical Infrastructure Object:The contents I’m really trying to get:  

2
D
1 month ago
E
EdxHComes here often
posted in YARA and Script Library

vcli - a universal Veeam CLI tool

Hi all, I’ve been toying around with the idea of a cli tool that works with everything and is related to the other post I put up today on the Go-Veeam-Auth that does authentication for all Veeam APIs. Anyway, I’ve come up with vcli a simple terminal app written in Go, allowing you to switch between APIs with minimal effort quickly. All the authentication is set up, so all you need to do is set some environmental variables, and off you go (no pun intended).The main output is JSON, but you can switch it over to YAML via a --yaml switch.The tool only does GET requests at the moment, as I wanted to gauge the interest before committing any more time to the project. Where the power really comes in when it is coupled with “nushell” which is a data-centric approach to shells. It makes manipulating json response objects a breeze and also allows conversion to other data formats. It also has a whole module system which I go into a bit on my GitHub. GitHub page: https://github.com/shapedthought/vc

10
k00laidIT
1 month ago
SteveHeart
SteveHeartVeeam MVP
posted in YARA and Script Library

Powershell - OneDrive for Business File Scanner

Hello Community!It's been two years since I published a script for a OneDrive for Business file check in this community. And even back then I had the code ready that also checks recovered files for possible malware. Of course, Microsoft 365 also has certain mechanisms, which are documented here.Trust is good, control is betterI have now taken up my idea again and packed it into a new script. The script restores files from the lastest OneDrive for Business restore point and scans them for threats using Windows Defender. A single file can also be restored and scanned.There is a "beautiful" listing when the scan has detected something.Please read the README document on my GitHub for more details on how to use the script.⛔Important!⛔ Make sure that there is sufficient disk space in the directory where the files are to be restored. Also use an empty directory to save the data, as the script cleans everything up after execution.Question to the communityWhat do you think of a script that rest

2
coolsport00
1 month ago
andy.sturniolo
andy.sturnioloComes here often
posted in YARA and Script Library

Unveiling Cyber Threats: Harnessing YARA and Veeam for Malware Detection!

Greetings, everyone! Today we'll delve into the art of identifying basic file Indicators of Compromise (IoCs), crafting YARA rules to sniff out malicious actors, and seamlessly integrating these rules into Veeam Backup & Replication to safeguard our backups against potential malware threats. But before we dive in, let's take a moment to understand YARA and what its for. YARAYARA is an open-source malware classification tool used to identify and classify malware or suspicious files based on its signatures or rules. It is a powerful and flexible tool that allows users to create rules matching their organization’s needs or targeting specific threats. Moreover, YARA rules are like a piece of programming language, they work by defining a number of variables that contain patterns found in a sample of malware. If some or all of the conditions are met, depending on the rule, then it can be used to successfully identify a piece of malware. Indicators of Compromise (IoCS)Suppose one day a us

6
Stabz
2 months ago
vAdmin
vAdminInfluencer
posted in YARA and Script Library

Get the most recent malware detection logs from each Veeam Server and send over email with summary

Hi Everyone, I'm sharing the script to collect the latest Malware Detection logs from specific lists of Veeam Backup servers in their default directory as the attachment with the server name at the end.When there is no new malware detection log file generated on the day, then no email will be sent out.You can update the $Servers and the $ParamSendmailMessage accordingly to suit your needs, as well as the CSS styling.$Servers = 'VBR01', 'BACKUP01', 'BKP-SVR', 'VBRSVR02'$LocalIPAddress = (Resolve-DnsName -Name $ENV:COMPUTERNAME | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress) -join ', '$Filter = '*.LOG'$paramSendMailMessage = @{ From = "$ENV:COMPUTERNAME@$env:userdnsdomain" To = 'your.email@veeam.com' Subject = "Malware report summary as of $(Get-Date -Format 'F')" SmtpServer = 'smtp.domain.com' BodyAsHtml = $true Priority = 'High'}$HtmlHead = @"<style> body { font-family: Calibri; }

6
coolsport00
2 months ago
skitch210
skitch210Veeam MVP
posted in YARA and Script Library

AIX Agent Auto Install

This is a Powershell Script that can be used to install and configure Veeam AIX Agent without needing to log into the AIX system. Can be because of lack of AIX expertise or a large number of AIX systems.  https://github.com/VeeamHub/powershell/tree/master/BR-AgentAIX-Install

3
Jean.peres.bkp
2 months ago
andy.sturniolo
andy.sturnioloComes here often
posted in YARA and Script Library

Unveiling Cyber Threats: Harnessing YARA and Veeam for Malware Detection! - Part 2

Hello everyone. Last time we explored how to identify basic file Indicators of Compromise (IoCs), develop YARA rules to detect malicious actors, and incorporate these rules into Veeam Backup & Replication to identify potential malware in our backups.Taking it a step further, today we will explore how to automatically generate YARA rules using YarGen. YarGenYarGen is a tool that generates YARA rules from a specified malware file. It identifies unique strings within the malware and excludes those prevalent in non-malicious files. This is achieved using YarGen's comprehensive database of strings and opcodes typically found in non-malicious files. Essentially, it creates YARA rules from strings in malware files while discarding those also present in goodware files.There are many variable and options that can be set in YarGen, today we are going to look at how it can create a YARA rule based off of a potential malware file. Back to basics - IoCSA user has noticed a folder called “freest

5
Iams3le
2 months ago
Chris.Arceneaux
Chris.ArceneauxVeeam MVP
posted in YARA and Script Library

Automated Upgrade to Veeam Backup & Replication v12.1

The PowerShell script to automate the upgrade for Veeam Backup & Replication & Enterprise Manager to v12.1 is now available on VeeamHub! For more details on the script itself, I recommend reading the documentation on VeeamHub.https://github.com/VeeamHub/powershell/tree/master/BR-UpgradeV12.1 If you’re familiar with my previously written upgrade script for v12, here’s a summary of enhancements in this latest release:Added support for new silent upgrade process available in version 12.1 Veeam Backup & Replication Veeam Backup Enterprise Manager Added ISO validation as the script was written for a v12.1 ISO This will prevent an admin from accidentally using an incorrect ISO If you're a VCSP, the script can also be used for Cloud Connect environment upgrades.

3
Nico Losschaert
2 months ago
Chris.Arceneaux
Chris.ArceneauxVeeam MVP
posted in YARA and Script Library

Veeam Collection for Ansible: v12.1 support

Support for the v12.1 (VBR/EM) is now available in the Veeam Collection for Ansible!Veeam Backup & Replication 12.1 is an incredible release jam-packed with goodies! Among those is a brand new process for installing & upgrading Veeam Backup & Replication, Veeam Backup Enterprise Manager, and the Veeam Backup & Replication Console.I’m happy to report this collection fully supports this process! Please review the below changelog for more detailed changes in this release: Breaking ChangesChanged default ISO checksum algorithm from SHA256 to SHA1 As Veeam’s website doesn’t provide SHA256 checksum, this only made sense to change. Major ChangesAdded support for new silent install process available in version 12.1 Added support for new silent install process available in version 12.1 Added support for Veeam Backup & Replication Console 12.1 install Added support for Veeam Backup & Replication Console 12.1 upgradeMinor ChangesUpdated ISO to version 12.1 Updated logic fo

7
leduardoserrano
2 months ago
CptAmerica
CptAmericaComes here often
posted in YARA and Script Library

Enable/Disable Health Checks for Multiple Jobs

UPDATE (Feb 2024):It was brought to my attention recently that some of the cmdlets have changed in v12.x that may have broken one or more of the above scripts. I’ve rewritten the one that was pointed out (Veeam Agent Jobs) and tested to make sure it works. I can’t vouch for the others, but will try to get around to updating them all (if needed) and posting the updates here. Just be sure if you’re on 12.x or newer that you do thorough checks to confirm it works in a safe environment before attempting to run anything in production.------------------------------------------------------Hello again, everyone! Just sharing another useful PowerShell script to enable/disable Health Checks for multiple jobs. It’s handy whenever you have a large number of jobs which all need to be adjusted and would take a significant amount of time to do so. Usually I wouldn’t share such a short script, but the way to locate and adjust this particular option in a job via PowerShell can be a little confusing if

6
Chris.Childerhose
2 months ago
SteveHeart
SteveHeartVeeam MVP
posted in YARA and Script Library

Powershell - Automating Tape Verification in Veeam Backup & Replication

A tape verification a day….😉Tape backups are an essential part of data protection strategies as they provide reliable security and offline storage capabilities. However, ensuring the reliability and consistency of tape backups can be critical for regulatory compliance and ensuring data integrity.So I wrote a Powershell script (which has been floating around in my head for a long time) that uses the available Powershell cmdlet "Start-VBRTapeVerification" to regularly check tapes available in a media pool and marks them as checked with time stamps and checks the tapes again after a certain time (default 270 days). It also helps to increase data reliability and reduces the manual effort involved in managing tape backups. The script can be downloaded here.The following parameters can be utilized to customize the tape verification:MediaPool: Specifies the media pool from which tapes will be selected for verification. This parameter is mandatory. NumberofTapes: Determines the number of tape

3
Chris.Childerhose
2 months ago
S
skbro27New Here
asked in YARA and Script Library

Monthly Veaam Backup report - html

Looking for backup report script to output to html. Currently not veaam one in the environment. 

2
coolsport00
2 months ago
BertrandFR
BertrandFRInfluencer
posted in YARA and Script Library

script for an immutable configuration backup on linux

Hello,I could say better late than never, i’m using a script since many years to make my configuration configuration immutable on a linux repos.Even it is now available for object storage and it will probably be immutable in future release, i think it could useful to share it. #!/bin/bash# Define a list of target directoriestarget_directories=("/path/to/your/target_directory1" "/path/to/your/target_directory2")attribute_to_apply=" +i" # The chattr attribute to apply (e.g., immutable)time_to_wait_days=10 # Time to wait in days before removing chattr attributelog_path="/path/to/your/logfile.log" # Replace with your desired log path# Calculate the time to wait in secondstime_to_wait_seconds=$((time_to_wait_days * 24 * 60 * 60))# Log the start timeecho "$(date): Chattr attribute application started for files in ${target_directories[*]}" >> $log_path# Loop through all target directoriesfor target_directory in "${target_directories[@]}"; do # Loop through all files in the target dir

3
Chris.Childerhose
2 months ago
SteveHeart
SteveHeartVeeam MVP
posted in YARA and Script Library

Powershell - VBR Backup Scan - Updates

Hello community,you  probably know my many scripts on the subject of backup data scanning? I am happy to share with you what I am currently working on.Secure Restore / Scan BackupCurrently "only" Microsoft Windows machines can be scanned using Secure Restore or Scan Backup (see here). However the Disk Publishing (Data Integration API) allows us to publish a disk from different types of backups to a Windows or Linux host. The disk can have a Microsoft Windows, Linux, Unix or other file system. On top Veeam Backup & Replication v12.1 gives us many more options for scanning backup data. For example we now also can mark restore points as clean, suspicious or infected using a PowerShell cmdlet. What if i were to extend one of my scripts with this function? Said and done!New Script - New FeaturesThe new script presents all existing restore points from a Linux VM, Windows VM or Agent backup to a Linux host, scans the specified restore point and marks the selected restore point as infected

2
Chris.Childerhose
3 months ago

Badge winners

Show all badges
Terms & Conditions