Skip to main content
  • EN

YARA and Script Library

Download featured YARA rules, browse code samples or contribute your own scripts

  • 166 Topics
  • 904 Comments
166 Topics
Rick Vanover
Rick VanoverRICKATRON
posted in YARA and Script Library
How to install a YARA rule with Veeam

We’ve updated the Script Library section to include YARA rules. I’ve made a quick video (sorry for the cheesy graphics...) on how to install a YARA rule from this site and perform your first scan! 

143812
Rick Vanover
9 months ago
Rick Vanover
Rick VanoverRICKATRON
published in YARA and Script Library
YARA and Script Library Supportability

Welcome to the YARA and Script Library! This area of the community hub will provide community driven scripts and YARA rules, with selected featured items.  Veeam Data Platform 23H2 includes Veeam Backup & Replication v12.1 which includes YARA Scanning. This area of the Veeam Community Hub will offer featured YARA rules for use. Custom script troubleshooting is not supported. What's in Scope:Confirming that Veeam Backup & Replication recognized the YARA rule file.What's Out of Scope:Troubleshooting why a custom YARA rule did not function as intended.This area also includes scripts in the Script Library. Generally speaking, scripts are licensed to you by the sample's author and fall under your responsibility and is governed by the Veeam Customer Support Policy. The figure below summarizes the scripting support for PowerShell:Excerpt from KB2183: PowerShell Script Execution Troubleshooting Advice (veeam.com) 

10160
Rick Vanover
11 months ago
SteveHeart
SteveHeartVeeam MVP
posted in YARA and Script Library
Powershell - OneDrive for Business File Scanner

Hello Community!It's been two years since I published a script for a OneDrive for Business file check in this community. And even back then I had the code ready that also checks recovered files for possible malware. Of course, Microsoft 365 also has certain mechanisms, which are documented here.Trust is good, control is betterI have now taken up my idea again and packed it into a new script. The script restores files from the lastest OneDrive for Business restore point and scans them for threats using Windows Defender. A single file can also be restored and scanned.There is a "beautiful" listing when the scan has detected something.Please read the README document on my GitHub for more details on how to use the script.⛔Important!⛔ Make sure that there is sufficient disk space in the directory where the files are to be restored. Also use an empty directory to save the data, as the script cleans everything up after execution.Question to the communityWhat do you think of a script that rest

693
vAdmin
5 hours ago
J
Jeroen Buren EFCINew Here
asked in YARA and Script Library
Create NAS backup job with PowerShell

Hi everyone, I'm using Veeam for quite a while now but recently we added some NetApp ONTAP devices to the storage infrastructure. And for each also a NAS Filer object under unstructured data. I can select a NAS Filer and create a file backup job easily. But I want to automate this if possible.I can use Get-NetAppHost to get the ONTAP device and then use Get-VBRUnstructuredServer combined with Get-VBRNASServerPath but I can't link it all together… Also, when I look at an already configured job I cannot reverse engineer this to usable PS code.Can someone point me in the right direction to create a file backup job of a share on a NAS filer with PowerShell?

232
Chris.Childerhose
5 days ago
T
ThePlaneskeeperNot a newbie anymore
posted in YARA and Script Library
Immutable Storage actual disk used per folder

Inherency:Since we bill by actual disk usage for our client utilizing CloudConnect, the existing reports are non-functional for reporting and billing (They report pre-deduplication/reflink data).  It took a while to figure out, but there is a way to calculate actual disk space used on a per directory on an immutable repository.Solution:Using: https://community.veeam.com/blogs-and-podcasts-57/check-reflink-and-spared-space-on-xfs-repositories-244 I have extrapolated a script that will give the disk usage of each folder (IE: client) on an immutable repo.  This isn't "Data used"; that is what Veeam reports.  This is "Disk Used".  The actual size on disk after reflinks (duplicated data is only counted once). A note about this script; it appears that the original blog entry is wrong on the size of a block.  They attribute it to 4096... which is true... on disk... but the utility used explicitly gives the information in block sizes of 512:https://linux.die.net/man/8/xfs_bmap"units of 512-byt

143315
A
11 days ago
Link State
Link StateVeeam Legend
posted in YARA and Script Library
How to automate Veeam.Backup.Validator.exe powershel script V12

Hello everyone, as per my previous post.How to atomate & schedule Veeam.Backup.Validator.exe | Veeam Community Resource Hub I am proceeding as promised to update the schedulable veeam validator script. enjoiy 😁### Veeam Backup Validator - v.2.0 18-10-2024## USAGE:## > veeam-BackupValidator2.ps1 <jobName> <serverName> <Switch>## Switch:# -noTicket -> does not send mail to your system ticketing\servicedesk after Validate is completed## e.g.# > veeam-BackupValidator2.ps1 ‘Yout-Job-name-01’ ‘Yout-Job-name-02’ -notTicket no mail###PARAM (# [string] $customer = "YOUR CUSTOMER NAME", [string] $jobName = '*', [string] $serverName = '*', [switch] $noTicket )## -- Enter the customer name identifier here ($customer = "YOUR CUSTOMER NAME") --$customer = "YOUR CUSTOMER NAME"##$email_infoTO = "youtmail@yourdomain.com"$email_infoFrom = "$($env:COMPUTERNAME)@iyourdomain.com"$email_infoServer = "your.smtp.com"$email_subject = "[$customer] Backup Validation"$logfolder = "

753
W
12 days ago
F
fjlComes here often
asked in YARA and Script Library
Prompt for upgrade and update. After scanning, it prompts that the file does not exist. What should be done?

提示升级和更新。扫描后,它会提示该文件不存在。应该怎么做?我觉得这个需要手动更新,我不知道该怎么办 

165
Chris.Childerhose
21 days ago
jcolonfzenpr
jcolonfzenprVeeam Vanguard
posted in YARA and Script Library
Diagramming the Veeam Backup & Replication Infrastructure

Hello, As you may know I have been working for some time with several tools to document or diagram the Veeam Backup & Replica Infrastructure. In the latest version of Veeam.Diagrammer the ability to generate a diagram of the infrastructure has been added. Here is the link:https://techmyth.blog/posts/veeam-diagraming-infra/ Greetings from the Caribbean :) 

76061
MarcoLuvisi
1 month ago
Timothy Dewin
Timothy DewinComes here often
posted in YARA and Script Library
Veeam Hardened Repo: Firewalld security zones

Disclaimer: This is only provided as a reference. Make sure you understand what you are doing before executing this in your own setup (eg test in a lab). Since this is modifying the firewall, you might lock yourself out remotely if you are executing the steps incorrectly or you have a slightly different setupIf you are running RHEL or any experimental derivative (in my case Rocky 8.8), you can use firewalld to configure the firewall. Firewalld uses zones in which you can allow ports or services based on the incoming interface or IP sources. By default, all the traffic is “allowed” based on the rules in the public zone (or better the interfaces are by default assigned to the public zone). You can test this with# What is the default zonefirewall-cmd --get-default-zone# What are the active zones, by default only the public zonefirewall-cmd --get-active-zones# List all the rules in the public zone, this is by default ssh cockpit and dhcpv6firewall-cmd --zone=public --list-allYou can howeve

10933
K
1 month ago
tarik.yenisey
tarik.yeniseyInfluencer
asked in YARA and Script Library
Veeam Yara Rules - Malware Scan

Hello everyone, First of all, I would like to ask my community because I am not fully familiar with Yara rules. When scanning for Malware Detection with Yara rules, can you see which files have Malware in which locations with Yara Rules? When I do a direct Malware scan, if there is malware, it shows the machine under the malware tab but does not give details. What can I do for more details here Hello everyone,

1691
Chris.Childerhose
2 months ago
coolsport00
coolsport00Veeam Legend
posted in YARA and Script Library
Change Rate Script?

This is me being a bit lazy, so apologize in advance. Does anyone have a script, or know of a VBR type report which retrieves change rate for VMs in a Backup Job? Obviously I know about VONE, but we don’t use that (maybe I can do a temp 30-day trial install...but would like something a bit quicker and temporary). I’ve run into a situation since last wk where 1 or a few VMs in a job have changed the backup rate significantly since last wk, by almost 10-fold, causing me to run out of space not only on this Job Repo, but my storage array! I’m trying to work through it, but would like to know the culprit(s) to let the app owners know to chill! haha There was a couple app VMs with updates, etc since last wk, so I have an idea a little bit of what’s going on. But, I’d like to pinpoint things a bit better.Thank you Community!

977
marco_s
2 months ago
kristofpoppe
kristofpoppeVeeam Vanguard
posted in YARA and Script Library
Add new API permissions to existing App registration for VB 365

With the release of the version 8 of VB 365, some additional permissions are needed on the registred app. Nothing to think about when you’re deploying a new app, but when you’re upgrading, you coudl re-use the existing app and extend it with the new requirements. I’m not a programmer, but I’ve tried to setup a small powershell script that based on your Application ID adds the necessary rights and also adds the app to the Global Reader role.Feel free to check and modify it ! Could be a time-saver ! # Ensure that the required modules are installedInstall-Module -Name AzureAD -Force -AllowClobberInstall-Module -Name Microsoft.Graph -Force -AllowClobber# Import modulesImport-Module AzureADImport-Module Microsoft.Graph# Connect to the Microsoft TenantWrite-Host "Connecting to Microsoft Tenant..." -ForegroundColor CyanConnect-AzureAD# Get Application (App Registration) ID$appId = Read-Host "Please enter the Application (Client) ID for the App Registration"# Get the Application's Object ID$ap

694
Chris.Childerhose
2 months ago
vAdmin
vAdminInfluencer
posted in YARA and Script Library
Get the most recent malware detection logs from each Veeam Server and send over email with summary

Hi Everyone, I'm sharing the script to collect the latest Malware Detection logs from specific lists of Veeam Backup servers in their default directory as the attachment with the server name at the end.When there is no new malware detection log file generated on the day, then no email will be sent out.You can update the $Servers and the $ParamSendmailMessage accordingly to suit your needs, as well as the CSS styling.$Servers = 'VBR01', 'BACKUP01', 'BKP-SVR', 'VBRSVR02'$LocalIPAddress = (Resolve-DnsName -Name $ENV:COMPUTERNAME | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress) -join ', '$Filter = '*.LOG'$paramSendMailMessage = @{ From = "$ENV:COMPUTERNAME@$env:userdnsdomain" To = 'your.email@veeam.com' Subject = "Malware report summary as of $(Get-Date -Format 'F')" SmtpServer = 'smtp.domain.com' BodyAsHtml = $true Priority = 'High'}$HtmlHead = @"<style> body { font-family: Calibri; }

5988
Scott
2 months ago
X
Xtouf-GANot a newbie anymore
asked in YARA and Script Library
Veeam Backup AWS Script: Modify Policy

Hello,I have more than 700 policies on my VBAws serveurs. I have ton change fiew setting.I know how to create AWS Acoount / Policies I use PowerShell and Invoke-RestMethod  I’m not able to modify polices: I do not find a way even in the swagger If someone can share the way to modify account or Policies nvoke-RestMethod -Uri $TheUrl -Method Put -Body $json -ContentType "application/json" -Headers $Headers -NoProxy -SkipCertificateCheckRegards

322
D
4 months ago
H
HashtonicNew Here
asked in YARA and Script Library
Get all backup session IDs for particular location

Could anyone help for the following scenario . [Veeam.Backup.Core.CBackupSession]::GetAll() For the above command do we have any commands as the above one not fetching all backup session ids done for particular location.

1056
D
4 months ago
H
HashtonicNew Here
asked in YARA and Script Library
VBR module failed to fetch all client(Servers) from backup

VBR module unable to fetch complete list of servers(clients) from a backup job. As some physical server backup job ids are not getting populated even it’s taken the backup. 

534
H
4 months ago
Z
Zahra.HaratiNew Here
asked in YARA and Script Library
Using Terraform Import New Accounts in AWS to the Veeam AWS Appliance

We have a Veeam AWS Appliance in its own backup account on the latest version, 7.1.08We are backing up more than 200 AWS accounts. I am looking for a Terraform code that, when included in creating a new AWS Account, automatically imports the account to the Veeam appliance. I looked into the Veeam Hub and did not find any. The only Terraform code I found was for deploying the Veeam AWS Appliance.Does anyone have the Terraform code, or is this possible with Veeam AWS Appliance?Thanks,Zahra   

393
SteveHeart
4 months ago
jcolonfzenpr
jcolonfzenprVeeam Vanguard
posted in YARA and Script Library
AsBuiltReport for Veeam Backup for Microsoft 365

Hello,These last few weeks I have had the time to give some attention to the AsBuiltReport.Veeam.VB365 report. This time a lot of improvements and new sessions were added to collect much more information about the Veeam Backup for Microsoft 365 infrastructure. Here I provide you with the changes:https://github.com/AsBuiltReport/AsBuiltReport.Veeam.VB365/releases/tag/v0.3.0 Now the reason for writing this post is to share with all of you about a project I have been working on in my spare time and it is about Diagramming the Veeam infrastructure. In this new version of the AsBuiltReport.Veeam.VB365 report I added the ability to create a simple diagram of the deployed VB365 components. This tool uses Graphviz and the PSGraph module to generate the diagram. Here is the main link where you can see how to use the report:https://github.com/AsBuiltReport/AsBuiltReport.Veeam.VB365In this link you can find the code I use to generate the diagram!https://github.com/AsBuiltReport/AsBuiltReport.Veea

1495
admd
4 months ago
SteveHeart
SteveHeartVeeam MVP
posted in YARA and Script Library
Powershell - VBR Backup Scan - YARA ready

Hi Community,after Rick's announcement (thanks for the initiative), I couldn't resist creating another script for the community.As documented, you can add one YARA rule file to the scan process. But what if you want to use multiple YARA rules? Of course you could work with a so-called index file, which refers to the individual YARA rules, but this brings a problem with it, because the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server and only one YARA rule can be used (This is a topic for another blog post - stay tuned).  What if we would like to use all YARA rules from Rick's Top 10 Ransomware Threats  blog post for a scan? And we don’t want to click so many times in the UI? This Powershell script can help. You can select all YARA rules, only selected YARA rules or all YARA rules if no selection has been made after 30 seconds. The script needs the backup job name and the hostname which has to be scanned. .\vbr-scan-backups.ps1 -Jobn

61626
L
4 months ago
Chris.Arceneaux
Chris.ArceneauxVeeam MVP
posted in YARA and Script Library
New & Improved: Veeam Usage Report for VMware Cloud Director

This collection of PowerShell scripts can be used to retrieve Veeam backup usage for VMware Cloud Director (VCD) backup jobs and is now available on VeeamHub! Below is a brief description of its functionality. For more detailed information, please follow the VeeamHub link.In this collection, you’ll find 3 scripts:Sync-VcdOrganizationMapping.ps1: Automated mapping of a VCD Organization Veeam Service Provider Console (VSPC) Company Set-HostedVbrJobAssignment.ps1: Assigns VCD backup jobs to a VSPC Company Get-VspcHostedUsage.ps1: Generates usage reportIn the usage report, the following is provided for each VSPC Company:Total number of protected VMs in backups Total number of licensed VMs in backups Licensed matches Veeam rental licensing policy which is workloads protected within the current calendar month Total amount of space used in backups (Optional) Detailed usage at the VM-levelNOTE: This collection uses functionality added in Veeam Backup & Replication v12.1 and Veeam Service

1332
A
4 months ago
Chris.Arceneaux
Chris.ArceneauxVeeam MVP
posted in YARA and Script Library
Veeam Usage Report for VMware Cloud Director

Deprecated: This script will not work with Veeam Backup & Replication v12. For v12 support, please use the VSPC-HostedUsage scripts. The PowerShell script to retrieve Veeam backup usage for VMware Cloud Director (VCD) Organizations is now available on VeeamHub! Below is a brief description of its functionality. For more detailed information, please follow the VeeamHub link.For each organization, the following is provided:Total number of VMs in backups Total amount of space used in repositoriesThe usage data can be aggregated on the Organization-level or the Org VDC-level. This is useful when backups for different Org VDCs are billed differently.The scope of the usage returned is also customizable. It can be limited to self-service backups, created by the Veeam Self-Service Portal (VSSP) for VCD, or it can also include backups created directly on the backup server by the provider.NOTE: Before using this script in a production environment, I recommend you verify that numbers match up

2442
A
4 months ago
D
dionmitchell
asked in YARA and Script Library
Set-VBRViReplicaJob : Broker service has not started hierarchy collection for host

Hi All, I recently migrated some replicated VM’s on our VMWare infrastructure to a new DVSwitch and updated VLAN names, so I had to update all the Veeam replication jobs, when i tried to automate this using the Veeam powershell library I got the following error on 95% of the jobs. I did a little investigation but didnt manage to figure out what the difference was between all the failed jobs and the 3 that successfully updated. Has anyone ever seen this error message before ? Set-VBRViReplicaJob : Broker service has not started hierarchy collection for host xxxxx Here is a simplified version of the script i was using:# get all replication jobs$jobs = Get-VBRJob | Where-Object TypeToString -eq "VMware Replication"foreach ($job in $jobs) { $jobOptions = Get-VBRJobOptions -Job $job # get list of network objects on new target dvswitch $destSwitchNets = Get-VBRViServerNetworkInfo -Server "<server with new dv switch>" | Where-Object SwitchName -eq "NEW SWITCH" # build array

3465
Chris.Childerhose
4 months ago
Cjr20172
Cjr20172Not a newbie anymore
asked in YARA and Script Library
Reporting machines without backup in the last 30 days

I was wondering if there is a way to use PowerShell to determine if a machine in a protection group has not backed up in the last 30 days. Obviously in Inventory there are protection groups that have machines in them and a status of “Last Agent Backup”. Is it possible to generate a report that displays that information? Basically I would like to put the script into task scheduler and have it run the 2nd and the 24th of every month. Any advice? # Load Veeam PowerShell ModuleImport-Module Veeam.Backup.PowerShell# Define protection group names$protectionGroupNames = @("Example Protection Group", "Example Protection Group 2")# Get the current date and time window$timeWindow = (Get-Date).AddDays(-30)# Initialize array to store report data$reportData = @()foreach ($groupName in $protectionGroupNames) { # Get the protection group $protectionGroup = Get-VBRProtectionGroup -Name $groupName # Get details of the machines in the protection group $machines = Get-VBRDiscoveredComputer -P

21923
Chris.Childerhose
5 months ago
Rick Vanover
Rick VanoverRICKATRON
published in YARA and Script Library
Featured YARA rule: Top 10 Ransomware Threats

Now that V12.1 is available, I wanted to share with you a featured YARA rule set that can give you on-demand scanning for some top ransomware threats. Attached to this post is a file named: Top10RW_YARArules.zip. In this file are YARA rules for some common ransomware threats that have been seen recently:Attribution: This great collection was made by Felix Bilsten. Links: X: Felix Bilstein (@fxb_b) / X (twitter.com), website: Felix Bilstein - project overview (cocacoding.com) and Github: fxb-cocacoding (Felix Bilstein) · GitHub

193714
M
6 months ago
D
damien commengeVeeam Legend
posted in YARA and Script Library
Get all malwares detections

Hello,With some people help me, I have this "script" to get all differents malwares detections based on date + VM name + Path.This is usefull to avoid read several files. $Path = "C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\"$Files = (Get-ChildItem -Path $Path).FullNameSelect-String -Path $Files -Pattern '^\[(?<Date>[^\]]+).+\s(?<VM>[^:]+):.+?:(?<File>.+)' -AllMatches | ForEach-Object { $match = $_.Matches[0] [PSCustomObject]@{ Date = $match.Groups['Date'].Value VM = $match.Groups['VM'].Value File = $match.Groups['File'].Value } } | Sort-Object VM, File -Unique 

2073
Mahmood.Alganadi
6 months ago

Badge winners

Show all badges
Terms & Conditions