YARA and Script Library

After switching from TSM to Veeam, I found myself wasting plenty of hours excluding OFF-Line sql databases from backup.Normally it demands that you start SQL Server Management Studio ( witch takes a war ), identify the correct instance and then exclude the ofline databases in each backup job…..However… I’m notorisly lazy and in a bright moment, I turned to Powershell.The resulth is a script telling me if a database is offline and therefore maybe should be excluded or if a database in online and can be included in backup, and best of all… without starting SQL Server Management Studio. The script is eacy to use, gives a nice overview, you can in / exclude a database on a server in less than 20 sec ( depends on how many instances / databases the script have to scan ), you can chose to exclude Logs and diff backup and only have FULL backup if needed, and at last, - it logs every change make by time and username.Script is free to use…

Per KB4821, each organization should use a single backup application per Microsoft term's of use and product documentation. This script automates the steps mentioned in the KB article by identifying organizations that are using multiple backup applications and, if desired, will limit each organization to a single backup application.https://github.com/VeeamHub/powershell/tree/master/VB365-KB4821Please note that additional backup applications are not deleted from Entra ID. They are simply removed from Veeam.The output of the script let’s you see all organizations affected including backup application info and backup applications removed (if any): 

As a fan of the Veeam Data Integration API, I have been spending time with a related but separate topic: Database Publish (referred to as Data Publishing in the Veeam documentation). The goal was to make backed-up databases available to another system for analysis, without permanently restoring them or affecting production.What is Data Publishing?Data Publishing is a feature in Veeam Backup & Replication that has been available for Microsoft SQL and Oracle for a while and was later extended to PostgreSQL and MongoDB. The mechanics are straightforward: Veeam mounts the backup data read-only, attaches the database files to the target engine, and keeps a write cache for any changes made during the session. When the session ends, the write cache is discarded. The source backup is untouched. The result is a database accessible

Special thanks to our dear Veeam Support Team Members Cosmin Ciobanu and Marius Nita for the following trick! Veeam Support is _always_ looking for ways to make everyone’s lives easier.Currently, to generate an HTML report for many sessions at once you need to go to the Session tab in the UI and ctrl / shift + click on desired sessions; not always convenient, and for Transaction Log backup sessions in particular you may have hundreds (if not thousands) of sessions.With Powershell and a bit of prep work, you can do this automagically: Preparatory Step:From a Windows-based backup server, copy the following filesCopyC:\Program Files\Veeam\Backup and Replication\Backup\SessionReport.xsltC:\Program Files\Veeam\Backup and Replication\Backup\SqlSessionReport.xsltto the following path on the machine where you will generate the report with Powershell:Windows:

The project announced here became even bigger. However, the Veeam Data Integration API remains the "main actor", except that many new options have now been added, as "my ideas factory" and feedback on a similar script have been incorporated. Let’s look at what’s NEW.📑 SearchThe host2scan parameter scans a selected restore point of the specified host. The repo2scan parameter can display all hosts with supported restore points in the specified Backup Repository. Then select a host and start the scan. NEW Or with repo2scan and the option all to scan the latest restore point for all found and supported host ty

​ ProxyPool Swapper for Veeam Backup for M365If you regularly onboard new tenants in Veeam Backup for Microsoft 365, chances are this scenario sounds very familiar.A repository gets assigned to a proxy pool, and at some point you want to move it—quickly and without hassle. A common approach is to use a dedicated onboarding proxy pool for the initial full backups of new tenants, and a separate, permanently assigned pool for ongoing operations. Once those initial backups are complete, only incremental, day-to-day changes remain. These smaller, predictable workloads can then be handled by a proxy pool that’s specifically designed and sized for daily processing.From an architectural perspective, this makes perfect sense. From an operational perspective… it can get a bit tedious.Another use case I frequently run into is the need to quickly access logs for a specific job or repository. To do this, I assign the repository to a local Windows proxy, which g

Hi,Where do you guys mostly download Yara rules for Veeam from?This GIT looks not maintained for years (files from 2022).  https://github.com/YARA-Rules/rules/archive/refs/heads/master.zipI also used those links but I had some troubles when scanning backup.https://github.com/Neo23x0/signature-base/archive/refs/heads/master.ziphttps://yaraify.abuse.ch/yarahub/yaraify-rules.zip

Yesterday, during the VEEAM User Group Germany someone was missing a Maintenance Mode for VEEAM. The main problem was to keep which job was enabled and which was disabled. I wrote a script some times ago which stopped all jobs and disable them but before the state is dumped into a JSON File. On leaving maintenence the JSON-File will be read and required jobs are set to enabled again and failed jobs are triggered to restart. The scripts (and more) can be found on our github repository: https://github.com/claranet/VeeamHub/ Here are these scripts:Enter-Maintenance.ps1param( [switch]$DryRun=$False)Import-Module Veeam.Backup.PowerShellFunction log($message) { $timestamp = Get-Date -Format "yyyy-MM-ss hh:mm:ss" Write-Host "$($timestamp) - $($messa

IntroductionThe Veeam Data Platform V13 is now available, and it brings many new features for working with the REST API. With these improvements, it is easier to automate tasks and integrate Veeam into your workflows. Sometimes, it is necessary to check backup data from NAS systems for viruses or similar threats. This helps ensure that the data is safe before being restored or used. Starting with Veeam Backup & Replication 13.0.1, we can trigger an Instant File Share Recovery using the REST API. And why not use a Python script to scan such backup data? There is a Python script for thatThe Python script initiates an Instant File Share Recovery. The backup data is made available to a Windows system, referred to as the mount server. On the Lin

IntroductionMITRE ATT&CK v18, released in October 2025, introduces a major change in detection guidance. Two new objects, Detection Strategies and Analytics, replace the old single-sentence detection notes with structured, behavior-focused logic.In previous versions, detection tips were just short text inside each technique. Detection Strategies describe what behavior to look for, and Analytics show how to detect it on specific platforms. Each Analytic then guides you to relevant Log Sources and Data Components. What This Means for DefendersThis modular structure reflects how attacks develop not as individual warning messages, but as a chain of observable behaviors. Defenders can now track detection logic across different levels, systems, and data sources. The new detection model provides a clearer link between techniq

IntroductionBackups are the last line of defense when cyberattacks strike. Veeam users rely on the platform to restore data quickly and reliably in critical situations. However, availability alone is not enough, backups must be trustworthy. To address this challenge, I created a Python script that uses the Veeam Data Integration API and runs the THOR APT Scanner against the presented restore point(s).Who is Nextron, and what is THOR?Nextron Systems specializes in forensic threat detection. Their flagship product, THOR, is widely used by incident response and security teams to uncover attacker tools and traces that traditional solutions may miss. Unlike classic antivirus integrations, T

Hi, Good evening.I am analyzing different Veeam Backup & Replication instances and I would like take all parameters for every backup job present on every VB&R instances that I am analyzing.I would like to know if is possible launch one powershell script  for retrieve these values for example: start time for every schedule job, servers involved, backup modality (full, incremental, reverse incremental, etc) aware setting if exist, etc.Thanks in advance.Best regardsRicardo

WARNING: Exciting content 🕺🏻This blog post has a little bit of everything: A little bit of compliance, a little bit of encryption, a little bit of REST API, and a little bit of V13, like in this song.IntroductionThe EU’s Digital Operational Resilience Act (DORA) requires financial entities to protect their data using robust cryptographic methods. Two key articles, Article 6 (Encryption and Cryptographic Controls) and Article 7 (Cryptographic Key Management), set out what must be done. If you use Veeam for backups, you can meet many of these requirements.DORA - Summary of Relevant Requirements (Articles 6 & 7)DORA requires financial organizations to encrypt backup data at rest and during transfer. Connections within the organization and with e

Im trying to run a powershell script to turn off/on a service on the remote computer. I run Veeam VBR as a local service instead of an AD service account. Is this why my script is failing?Ive tried both of these and using SNMP as an example. Of course they both work interactively from the VBRserverGet-Service -computername RemoteComputer -DisplayName "SNMP Service"| Stop-Serviceinvoke-command -ComputerName RemoteComputer -ScriptBlock {Get-Service -Name "SNMP"| Stop-Service}  **********************Windows PowerShell transcript startStart time: 20250807125230Username: WCG\SYSTEMRunAs User: WCG\SYSTEMConfiguration Name: Machine: VBRserver (Microsoft Windows NT 10.0.17763.0)Host Application: powershell.exe -ExecutionPolicy ByPass -Command  try {& 'C:\VeeamScripts\freeze-tk.ps1'  -ErrorAction Stop } catch { exit 1 } Process ID: 24996PSVersion: 5.1.17763.7553PSEdition: Deskto

Now that V12.1 is available, I wanted to share with you a featured YARA rule set that can give you on-demand scanning for some top ransomware threats. Attached to this post is a file named: Top10RW_YARArules.zip. In this file are YARA rules for some common ransomware threats that have been seen recently:Attribution: This great collection was made by Felix Bilsten. Links: X: Felix Bilstein (@fxb_b) / X (twitter.com), website: Felix Bilstein - project overview (cocacoding.com) and Github: fxb-cocacoding (Felix Bilstein) · GitHub

One of the great things about AI is that it can be improved in the background, and Veeam Intelligence is no different. I have used AI (namely a GPT) to create a YARA rule, which I’ve found to be easier and servicing quicker than finding some shared online. It is no surprise that Veeam Intelligence is here to help in the same regard. I had a discussion with ​@kirststoner12 about this and sure enough - Veeam Intelligence was able to do this generative AI task within Veeam. I did a simple prompt:Can you generate a YARA rule to look in backups for credit card numbers stored in plain text?  The result was rather quick and created in Veeam intelligence with ease: This is just one quick example of how you can use Veeam Intelligence to have some AI-p

I hope you're all doing well.I'm reaching out to the community for some guidance. As a test, I recently used Veeam intelligence to scan our infrastructure.Based on the scan, Veeam intelligence created  the following rule:[rule CommonRansomware{    meta:        description = "Detects common ransomware families"        author = "Veeam Support Assistant"        date = "2023-10-01"    strings:        $locky = "Locky"        $wannacry = "WannaCry"        $petya = "Petya"        $notpetya = "NotPetya"        $cerber = "Cerber"        $cryptolocker = "CryptoLocker"        $cryptowall = "CryptoWall"        $badrabbit = "BadRabbit"        $ryuk = "Ryuk"        $maze = "Maze"        $revil = "REvil"        $darkside = "DarkSide"    condition:        any of them}the results scared me since it’s a bunch on files detected by this rule.

These diagrams are a sample of what I am working on in PowerShell for the next version of the Veeam.Diagrammer module. I am mainly working on generating diagrams of the Cloud Connect infrastructure and the composition of resources used by the tenants. Cloud Connect Infrastructure:Cloud Connect Infrastructure  Per Tenant diagram:Tenant5 Tenant4These improvements will also be part of the next version of the AsBuiltReport.Vee

Hello,we have many times request from customer to prolong backup images from 6 months to 1 year.I know, some complicated things like restore VM and provide backup again with 1 year or export this image, map to backup job and setup copy job with one year.Does exist any command in PowerShell to change expiration date?thank you

Hello Community!Your input is needed. Almost two years ago, I created a PowerShell script that checks if one of the scanned files matches a SHA256 value by comparing the values to a list of known hash values. It only searched in specific directories.What would be better than using file-level restore? Right, Data Integration API!Since version 12.3.1, Veeam offers the possibility of working with the Data Integration API via the REST API. To improve the whole thing, I have created a Python script that scans the mounted backup file system for suspicious files by comparing their hash values against known threats stored in a local database. The database uses data from Malware Bazaar and the LOLBAS project (“Living Off The Land Binaries and Scripts”), a catalog with legitima

Hi All,Wasnt sure where to post this so adding it here.Had a requirement recently to automate the process of adding YARA rules and found that ransomware.live has a great list! fantastic resources for those that havent looked at it yet.leveraging their API, I basically pull the rules and then copy them to the VBR server, pretty simple but hopefully going to improve it as things move on but figured id share with the wider team.https://homelabpro.xyz/posts/2025-05-09-dynamically-download-yara-rules/

Backups store important data, and if they are not protected, anyone who gets access can read them. Encrypting backups ensures that if someone gains access to backup files, they remain unreadable without the proper encryption key.Checking if backup jobs are configured to encrypt the backup data can sometimes be difficult, especially if there are many backup jobs. To simplify this process, I created a PowerShell script that helps to check the backup job encryption configuration settings quickly. The script retrieves information for the following Veeam backup job types:VMware Backup Agent Backup File Backup Object Storage BackupPowerShell sample output for Jobtype “File Backup”The output displays details such as the repository name and path, the encryption status (Encry

Hello everyone. Last time we explored how to identify basic file Indicators of Compromise (IoCs), develop YARA rules to detect malicious actors, and incorporate these rules into Veeam Backup & Replication to identify potential malware in our backups.Taking it a step further, today we will explore how to automatically generate YARA rules using YarGen. YarGenYarGen is a tool that generates YARA rules from a specified malware file. It identifies unique strings within the malware and excludes those prevalent in non-malicious files. This is achieved using YarGen's comprehensive database of strings and opcodes typically found in non-malicious files. Essentially, it creates YARA rules from strings in malware files while discarding those also present in goodware files