Veeam Secure Restore Operation Guide

13 December 2021


Starting with version 9.5 Update 4, Veeam Backup & Replication offers a new feature called Secure Restore. Before data is restored, the feature calls third-party security software to scan it for malicious files; only when the security software confirms that the data carries no security risk does VBR run the normal restore and write the data back into the production environment. This greatly reduces the probability of a security incident at restore time.

When Secure Restore scans for malicious files, VBR performs the following steps:

1. On the Mount Server, VBR runs the Veeam Mount Service to check the configuration file and the security software:

A. The Veeam Mount Service verifies that the AntivirusInfos.xml configuration file is present in the %ProgramFiles%\Common Files\Veeam\Backup and Replication\Mount Service folder.

B. The Veeam Mount Service reads the scan settings in the configuration file and verifies that the security software is installed on the Mount Server.

Note that if the security software is not installed or the configuration file is incorrect, VBR cannot start the restore at all: the restore wizard has no way to pass the Secure Restore settings on to the security software.

2. VBR mounts the backup file from the Repository under the C:\VeeamFLR\<machinename> folder on the Mount Server.

3. VBR triggers the security software to scan the files in the C:\VeeamFLR\<machinename> folder.

This article walks through Secure Restore with VBR and the Chinese edition of Kaspersky Endpoint Security for Windows 11. Note: other versions and other language editions of Kaspersky need different configuration.


I. Preparation before you start

Install Kaspersky Endpoint Security for Windows 11 on the Mount Server (in this test the Mount Server is the VBR server itself) and make sure Kaspersky works normally.

The following shows how to obtain the return values of the security software, how to write a regular expression that captures the relevant string in its output, and from that how to write a correct AntivirusInfos.xml configuration file.

1. Place test malware samples in a folder on the Mount Server. In this test, the archive ab-429.rar in the C:\kes folder contains three malicious files.

2. Open a CMD prompt on the Mount Server and change to the Kaspersky installation directory. In this test: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows>

3. Run the following command as a test and record its output: avp.exe SCAN C:\kes |more

Note: the command differs between versions. See the security software vendor's user guide for details.

The complete output is reproduced below; note the line "Total detected: 3".

Note: the string that describes a detected malicious file differs between versions.

C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows>avp.exe SCAN C:\kes |more
2019-08-02 20:51:15     Scan_Objects$0484                             starting   1%
; --- Settings ---
; Action on detect:     Disinfect automatically
; Scan objects:         All objects
; Use iChecker:         Yes
; Use iSwift:           Yes
; Try disinfect:       Yes
; Try delete:           Yes
; Try delete container: Yes
; Exclude by mask:     No
; Include by mask:     No
; Objects to scan:
;       "C:\kes"        Enable=Yes      Recursive=Yes
; ------------------
2019-08-02 20:51:15     C:\kes\bases.cab       ok (iSwift)
2019-08-02 20:51:15     C:\kes\cleaner.cab     ok (iSwift)
2019-08-02 20:51:15     C:\kes\incompatible.txt ok (iSwift)
2019-08-02 20:51:15     C:\kes\ab-429.rar       archive RAR5
2019-08-02 20:51:15     C:\kes\installer.ini   ok (iSwift)
2019-08-02 20:51:15     C:\kes\kes_win.kud     ok (iSwift)
2019-08-02 20:51:15     C:\kes\eset_nod32_antivirus_live_installer.exe//data0047.res   ok
2019-08-02 20:51:15     C:\kes\kes_win.msi     ok (iSwift)
2019-08-02 20:51:15     C:\kes\eset_nod32_antivirus_live_installer.exe//data0048.res   ok
2019-08-02 20:51:15     C:\kes\klcfginst.msi   ok (iSwift)
2019-08-02 20:51:15     C:\kes\eset_nod32_antivirus_live_installer.exe ok
2019-08-02 20:51:15     C:\kes\ksn_zh-Hans.txt ok (iSwift)
2019-08-02 20:51:15     C:\kes\license.txt     ok (iSwift)
2019-08-02 20:51:15     C:\kes\setup_kes.exe   ok (iSwift)
2019-08-02 20:51:15     Scan_Objects$0484                             running    84%
2019-08-02 20:51:17     C:\kes\ab-429.rar//ab-429/AB-429.COM   detected       Virus.DOS.Albania.429
2019-08-02 20:51:24     C:\kes\ab-429.rar//ab-429/GC_1575C.COM detected       Virus.DOS.Caterpillar.p
2019-08-02 20:51:25     C:\kes\ab-429.rar//ab-429/GEN-295.COM   detected       Virus.DOS.Genesis.295
2019-08-02 20:51:25     C:\kes\ab-429.rar       was deleted
2019-08-02 20:51:25     Scan_Objects$0484                             completed
;  --- Statistics ---
; Current time:        2019-08-02 20:51:25
; Time Start:           2019-08-02 20:51:15
; Time Finish:          2019-08-02 20:51:25
; Completion:           100%
; Processed objects:    17
; Total detected:       3
; Detected exact:       3
; Treats detected:      3
; Untreated:            0
; Disinfected:          0
; Deleted:              1
; Skipped:              0
; Archived:             1
; Packed:               0
; Password protected:   0
; Corrupted:            0
; Errors:               0
; Last object:
;  ------------------

1. Use the captured output line "; Treats detected: 3" to write the regular expression. For this test, https://regex101.com is recommended for checking that the regular expression is written correctly.

You can manually change the number after "Treats detected:" to make sure the value is still matched by the regular expression. Below, the value 30 was entered as a test.

2. Write AntivirusInfos.xml.

<Antiviruses>
<AntivirusInfo Name='Kaspersky Endpoint Security for Windows' IsPortableSoftware='true' ExecutableFilePath='C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe' CommandLineParameters='SCAN %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='^;\s+Treats\s+detected\:\s+[1-9]{1}[0-9]*$' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
      <ExitCode Type='Warning' Description='Virus threat was detected'>101</ExitCode>
    </ExitCodes>
</AntivirusInfo>
</Antiviruses>
Note: besides the regular expression field "^;\s+Treats\s+detected\:\s+[1-9]{1}[0-9]*$", the ExitCode section must also be filled in. Without the correct ExitCode numbers, VBR reports an error when Secure Restore runs. Copy the finished XML file to the "C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service" directory on the Mount Server.

The following describes how to obtain AntivirusInfos.xml files for other security vendors, together with the exit code values they use. Note: different versions, and even different language editions, of the same vendor's security software differ in both the string printed when malware is detected and the ExitCode return values.
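To tie the three ingredients together (the %Path% placeholder, the ThreatExistsRegEx, and the ExitCode table), here is an added example, not code from the post or from Veeam, that parses the AntivirusInfos.xml above, builds the scanner command line for a mounted restore point, and decides the outcome of a scan from a constructed excerpt of the avp.exe statistics trailer. The evaluation order (regex hit first, then exit code lookup, unlisted code treated as an error) and the use of Python's re with MULTILINE in place of Veeam's .NET regex engine are assumptions; the mount path C:\VeeamFLR\vm01 is a constructed value.

```python
import re
import xml.etree.ElementTree as ET

# AntivirusInfos.xml for Kaspersky Endpoint Security 11, copied from this post.
KASPERSKY_XML = r"""<Antiviruses>
<AntivirusInfo Name='Kaspersky Endpoint Security for Windows' IsPortableSoftware='true' ExecutableFilePath='C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe' CommandLineParameters='SCAN %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='^;\s+Treats\s+detected\:\s+[1-9]{1}[0-9]*$' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
<ExitCode Type='Warning' Description='Virus threat was detected'>101</ExitCode>
</ExitCodes>
</AntivirusInfo>
</Antiviruses>"""


def stats_block(detected):
    """Constructed excerpt of the avp.exe statistics trailer shown in this post,
    with the detection counters set to `detected` (0 for a clean scan)."""
    return "\n".join([
        "2019-08-02 20:51:25     Scan_Objects$0484                             completed",
        ";  --- Statistics ---",
        "; Processed objects:    17",
        f"; Total detected:       {detected}",
        f"; Detected exact:       {detected}",
        f"; Treats detected:      {detected}",  # sic: avp.exe prints 'Treats', not 'Threats'
        "; Untreated:            0",
        ";  ------------------",
    ])


def load_antivirus_infos(xml_text):
    """Parse AntivirusInfos.xml into one dict per <AntivirusInfo> element."""
    infos = []
    for av in ET.fromstring(xml_text).findall("AntivirusInfo"):
        pattern = av.get("ThreatExistsRegEx") or ""
        infos.append({
            "name": av.get("Name"),
            "exe": av.get("ExecutableFilePath"),
            "params": av.get("CommandLineParameters"),
            # Veeam evaluates the pattern as a .NET regex. For the anchored ^...$ pattern
            # on this page, Python's re with MULTILINE gives the same per-line result
            # (assumption). An empty pattern means only exit codes are consulted.
            "threat_regex": re.compile(pattern, re.MULTILINE) if pattern else None,
            "exit_codes": {int(ec.text.strip()): ec.get("Type")
                           for ec in av.findall("ExitCodes/ExitCode")},
        })
    return infos


def build_command(info, mount_path):
    """Substitute the mounted restore point folder (C:\\VeeamFLR\\<machinename>) for
    %Path%. Only the substitution is described in the post; path quoting is not, so
    the path is inserted as-is (assumption: no spaces in the mount path)."""
    return f'"{info["exe"]}" ' + info["params"].replace("%Path%", mount_path)


def classify_scan(info, exit_code, scanner_output):
    """Decide the Secure Restore outcome of one scanner run.
    Assumed evaluation order (the post does not spell it out): a ThreatExistsRegEx hit
    in the output means a threat was found; otherwise the exit code is looked up in
    <ExitCodes>; an exit code that is not listed is treated as an error, consistent with
    the post's note that a missing ExitCode entry makes VBR fail the restore."""
    rx = info["threat_regex"]
    if rx is not None and rx.search(scanner_output):
        return "Infected"
    return info["exit_codes"].get(exit_code, "Error")


if __name__ == "__main__":
    kes = load_antivirus_infos(KASPERSKY_XML)[0]
    print(build_command(kes, r"C:\VeeamFLR\vm01"))
    for code, output in ((0, stats_block(3)), (0, stats_block(30)),
                         (0, stats_block(0)), (7, stats_block(0))):
        print(code, "->", classify_scan(kes, code, output))
```

The `[1-9]{1}[0-9]*` part of the pattern is what keeps a clean scan ("Treats detected: 0") from matching while still matching 3 or 30, which is exactly the manual check the post performs on regex101.com; the unlisted exit code 7 shows why the ExitCode table must be complete.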

1. Use the security software vendor's technical documentation to look up the ExitCode return values;

2. Look for the vendor's AntivirusInfos.xml file in the Veeam User Guide:

https://helpcenter.veeam.com/docs/backup/vsphere/av_scan_xml.html?ver=110

PS: this document was written in July 2019. At the time of testing, the Veeam User Guide had no XML file for Kaspersky, which is why this document exists :)

3. If no reasonably complete XML configuration file can be found anywhere, write the XML configuration yourself;

PS: the VBR console also displays some of the return values in its interface.


II. Secure Restore tests on VBR

As the Secure Restore step of the restore wizard shows, after detecting malicious files VBR can:

  1. complete the restore with the network disconnected;

  2. abort the restore.

This test uses a Full VM Restore. The restore process is much like a normal restore, so only the key parts are described here.

PS: during this test, even without "Scan the entire image" ticked, Kaspersky still scanned the entire disk to completion, and only afterwards did VBR perform the "disable network adapters" or "Abort VM recovery" action. Other security software may abort the restore as soon as the first malicious file is detected.

Test 1: "if malicious files are found, restore with the network disconnected". Select this option in the restore wizard, run the restore, and check the messages in the restore session.

In the vCenter console, confirm that the VM was restored normally but that its network is disconnected (this happens automatically).

Test 2: "if malicious files are found, abort the restore". Select this option in the restore wizard, run the restore, and check the messages in the restore session.

Click Scan Log in the lower right corner to view the full scan log. The related logs on the Mount Server can also be checked: C:\ProgramData\Veeam\Backup\Svc.VeeamMount.log and C:\ProgramData\Veeam\Backup\FLRSessions\Windows\FLR_Windows_Server_2008\Antivirus.


III. Antivirus XML configuration templates

Symantec Protection Engine XML configuration template:

<Antiviruses>
<!-- Symantec -->
<AntivirusInfo Name='Symantec' IsPortableSoftware='false' ExecutableFilePath='Veeam.Backup.Antivirus.Scan.exe' CommandLineParameters='/p:%Path%' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\symcscan' ServiceName='symcscan' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
      <ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
      <ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
    </ExitCodes>
</AntivirusInfo>
</Antiviruses>

ESET XML configuration template:

<Antiviruses>
  <!-- Eset -->
<AntivirusInfo Name='Eset File Security' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\ESET\ESET File Security\ecls.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='' ServiceName='' ThreatExistsRegEx='threat\s*=\s*["&apos;](?!is OK["&apos;])[^"&apos;]+["&apos;]' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
      <ExitCode Type='Infected' Description='Virus threat was detected'>1</ExitCode>
      <ExitCode Type='Warning' Description='Some files were not scanned'>10</ExitCode>
      <ExitCode Type='Infected' Description='Virus threat was detected'>50</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>100</ExitCode>
    </ExitCodes>
</AntivirusInfo>
<AntivirusInfo Name='ESET Antivirus' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\ESET\ESET Security\ecls.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='' ServiceName='' ThreatExistsRegEx='threat\s*=\s*["&apos;](?!is OK["&apos;])[^"&apos;]+["&apos;]' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
      <ExitCode Type='Infected' Description='Virus threat was detected'>1</ExitCode>
      <ExitCode Type='Warning' Description='Some files were not scanned'>10</ExitCode>
      <ExitCode Type='Infected' Description='Virus threat was detected'>50</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>100</ExitCode>
    </ExitCodes>
</AntivirusInfo>
</Antiviruses>

Windows Defender XML configuration template:

<Antiviruses>
<!-- Windows Defender -->
<AntivirusInfo Name='Windows Defender' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\Windows Defender\mpcmdrun.exe' CommandLineParameters='-Scan -ScanType 3 -File %Path% -DisableRemediation -BootSectorScan' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend' ServiceName='WinDefend' ThreatExistsRegEx='Threat\s+information' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
      <ExitCode Type='Infected' Description='Virus threat was detected'>2</ExitCode>
    </ExitCodes>
</AntivirusInfo>
</Antiviruses>

Kaspersky Security 10 XML configuration template:

<Antiviruses>
<!-- Kaspersky Security -->
<AntivirusInfo Name='Kaspersky Security' IsPortableSoftware='false' ExecutableFilePath='kavshell.exe' CommandLineParameters='scan %Path%' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\KAVFS' ServiceName='kavfs' ThreatExistsRegEx='' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
      <ExitCode Type='Warning' Description='There were processing errors for some files'>-82</ExitCode>
      <ExitCode Type='Warning' Description='Some files were not scanned'>-83</ExitCode>
      <ExitCode Type='Warning' Description='Some files were corrupted'>-84</ExitCode>
      <ExitCode Type='Error' Description='Operation timed out'>2</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was canceled'>1</ExitCode>
      <ExitCode Type='Error' Description='Service process is not running'>-2</ExitCode>
      <ExitCode Type='Error' Description='Access denied'>-3</ExitCode>
      <ExitCode Type='Error' Description='Object not found'>-4</ExitCode>
      <ExitCode Type='Error' Description='Invalid syntax'>-5</ExitCode>
      <ExitCode Type='Error' Description='Invalid operation'>-6</ExitCode>
      <ExitCode Type='Error' Description='Service does not exist'>-7</ExitCode>
      <ExitCode Type='Error' Description='Service disabled'>-8</ExitCode>
      <ExitCode Type='Error' Description='Service logon failure'>-9</ExitCode>
      <ExitCode Type='Error' Description='Unable to create file'>-10</ExitCode>
      <ExitCode Type='Error' Description='Invalid command line argument'>-11</ExitCode>
      <ExitCode Type='Error' Description='Invalid password'>-12</ExitCode>
      <ExitCode Type='Error' Description='Cannot create report file'>-85</ExitCode>
      <ExitCode Type='Error' Description='License is invalid'>-301</ExitCode>
      <ExitCode Type='Error' Description='Antivirus bases are corrupted'>-236</ExitCode>
      <ExitCode Type='Infected' Description='Infected object was detected'>-80</ExitCode>
      <ExitCode Type='Infected' Description='Possibly infected object was detected'>-81</ExitCode>
    </ExitCodes>
</AntivirusInfo>
</Antiviruses>

360sd XML configuration template, for reference only. Note: the same vendor's security software in a different version or edition may not work with this XML.

<Antiviruses>
<AntivirusInfo Name='360 Safe' IsPortableSoftware='true' ExecutableFilePath='C:\Program Files\360\360sd\360sd.exe' CommandLineParameters='%Path%' RegPath='' ServiceName='' ThreatExistsRegEx='^项目总数:[1-9]{1}[0-9]*$' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected.'>0</ExitCode>
      <ExitCode Type='Warning' Description='Virus threat was detected.'>101</ExitCode>
    </ExitCodes>
</AntivirusInfo>
</Antiviruses>
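Because a mistake in AntivirusInfos.xml stops VBR from starting the restore, it pays to check a template before copying it into the Mount Service folder. The following added example, written for this post and not part of Veeam or any vendor's tooling, lints a template against the conventions visible in the templates above: well-formed XML, the attribute set every entry carries, a %Path% placeholder, a ServiceName when IsPortableSoftware is 'false', a ThreatExistsRegEx that compiles, a Success exit code, integer exit codes, and no exit code listed under two different Types. These rules and the four Type values are derived from this page, not from a published Veeam schema; the "Example AV" template is constructed to trigger the findings.

```python
import re
import xml.etree.ElementTree as ET

# ExitCode Type values used by the templates on this page (assumed to be the full set).
VALID_TYPES = {"Success", "Warning", "Infected", "Error"}
# Attributes present on every <AntivirusInfo> on this page.
REQUIRED_ATTRS = ("Name", "IsPortableSoftware", "ExecutableFilePath",
                  "CommandLineParameters", "RegPath", "ServiceName",
                  "ThreatExistsRegEx", "IsParallelScanAvailable")

# The 360sd template from this post; expected to pass clean.
GOOD_360SD_XML = r"""<Antiviruses>
<AntivirusInfo Name='360 Safe' IsPortableSoftware='true' ExecutableFilePath='C:\Program Files\360\360sd\360sd.exe' CommandLineParameters='%Path%' RegPath='' ServiceName='' ThreatExistsRegEx='^项目总数:[1-9]{1}[0-9]*$' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type='Success' Description='No threats detected.'>0</ExitCode>
<ExitCode Type='Warning' Description='Virus threat was detected.'>101</ExitCode>
</ExitCodes>
</AntivirusInfo>
</Antiviruses>"""

# Constructed template with typical mistakes: no %Path%, non-portable software without a
# ServiceName, an unbalanced regex group, a non-integer exit code, a misspelled Type,
# and the same exit code listed under two Types.
BAD_XML = r"""<Antiviruses>
<AntivirusInfo Name='Example AV' IsPortableSoftware='false' ExecutableFilePath='scan.exe' CommandLineParameters='/scan' RegPath='' ServiceName='' ThreatExistsRegEx='Threat\s+(found' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
<ExitCode Type='Infected' Description='Virus threat was detected'>two</ExitCode>
<ExitCode Type='Errror' Description='Scan failed'>2</ExitCode>
<ExitCode Type='Infected' Description='Virus threat was detected'>2</ExitCode>
</ExitCodes>
</AntivirusInfo>
</Antiviruses>"""


def lint_antivirus_xml(xml_text):
    """Return a list of findings for an AntivirusInfos.xml template; an empty list means
    nothing was flagged. Rules follow the templates on this page (assumption)."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [f"not well-formed XML: {err}"]
    if root.tag != "Antiviruses":
        findings.append(f"root element is <{root.tag}>, expected <Antiviruses>")
    entries = root.findall("AntivirusInfo")
    if not entries:
        findings.append("no <AntivirusInfo> entries")
    for av in entries:
        name = av.get("Name") or "<unnamed>"
        for attr in REQUIRED_ATTRS:
            if av.get(attr) is None:
                findings.append(f"{name}: missing attribute {attr}")
        if "%Path%" not in (av.get("CommandLineParameters") or ""):
            findings.append(f"{name}: CommandLineParameters lacks the %Path% placeholder")
        # Every non-portable template on this page names the scanner's Windows service.
        if (av.get("IsPortableSoftware") or "").lower() == "false" and not av.get("ServiceName"):
            findings.append(f"{name}: IsPortableSoftware='false' but ServiceName is empty")
        pattern = av.get("ThreatExistsRegEx") or ""
        if pattern:
            try:
                re.compile(pattern)
            except re.error as err:
                findings.append(f"{name}: ThreatExistsRegEx does not compile: {err}")
        codes = av.findall("ExitCodes/ExitCode")
        if not any(ec.get("Type") == "Success" for ec in codes):
            findings.append(f"{name}: no ExitCode of Type='Success'")
        seen = {}  # exit code value -> Type, to catch one value mapped to two Types
        for ec in codes:
            kind = ec.get("Type")
            if kind not in VALID_TYPES:
                findings.append(f"{name}: unknown ExitCode Type {kind!r}")
            try:
                value = int((ec.text or "").strip())
            except ValueError:
                findings.append(f"{name}: ExitCode value {ec.text!r} is not an integer")
                continue
            if value in seen and seen[value] != kind:
                findings.append(f"{name}: exit code {value} listed as both {seen[value]} and {kind}")
            seen[value] = kind
    return findings


if __name__ == "__main__":
    for label, doc in (("360sd", GOOD_360SD_XML), ("constructed bad", BAD_XML)):
        print(label, "->", lint_antivirus_xml(doc) or "OK")
```

Run over the Windows Defender template above, the duplicate-code rule would report exit code 2 listed under both Error and Infected; that template is reproduced as published, so treat such a finding as a prompt to confirm the vendor's documented exit codes rather than as a defect in the checker.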


For technical questions about the above procedure, contact the author: 📧 helly.wu@veeam.com

