Hello Community!

Your input is needed. Almost two years ago, I created a PowerShell script that checks if one of the scanned files matches a SHA256 value by comparing the values to a list of known hash values. It only searched in specific directories.

What would be better than using file-level restore? Right, Data Integration API!

Since version 12.3.1, Veeam offers the possibility of working with the Data Integration API via the REST API. To improve the whole thing, I have created a Python script that scans the mounted backup file system for suspicious files by comparing their hash values against known threats stored in a local database. The database uses data from Malware Bazaar and the LOLBAS project (“Living Off The Land Binaries and Scripts”), a catalog with legitimate Windows system binaries that attackers often abuse. The script can detect such files when they appear in unusual locations. The analysis is performance-optimized through parallel processing and will export the result in a CSV file.
What do you think about this idea? Should I develop this into a public version?
Cheers,
Steve Heart
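Added example, not Steve's script: a minimal Python version of the scan described above. It walks a directory that stands in for the FUSE/iSCSI-mounted backup, hashes every file in a thread pool, flags files whose SHA256 is in a local known-bad set, flags LOLBAS-catalogued binary names found outside their expected directories, and writes the findings to CSV. The known-bad hash, the two-entry LOLBAS subset and the sample file tree are all constructed for the demo; a real deployment would load them from the local database fed by Malware Bazaar and the LOLBAS project.

```python
"""Hash- and location-based scan of a mounted backup file system (illustrative)."""
import csv
import hashlib
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

# Constructed stand-in for the Malware Bazaar feed: the hash of a harmless demo payload.
SAMPLE_BAD_CONTENT = b"constructed sample payload for the demo\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest()}

# Constructed two-entry subset of LOLBAS-style data: binary name -> directories
# (relative to the mount root) where that binary is expected to live.
EXPECTED_LOCATIONS = {
    "certutil.exe": {"Windows/System32", "Windows/SysWOW64"},
    "mshta.exe": {"Windows/System32", "Windows/SysWOW64"},
}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA256 so large backup images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(root, path):
    """Return a finding dict for one file, or None if nothing is suspicious."""
    rel = path.relative_to(root).as_posix()
    try:
        digest = sha256_file(path)
    except OSError as exc:
        # Unreadable files are reported rather than silently skipped.
        return {"path": rel, "sha256": "", "reasons": f"unreadable:{exc.__class__.__name__}"}
    reasons = []
    if digest in KNOWN_BAD_SHA256:
        reasons.append("known-bad-hash")
    expected = EXPECTED_LOCATIONS.get(path.name.lower())
    if expected is not None:
        parent = path.parent.relative_to(root).as_posix()
        if parent not in expected:
            reasons.append("lolbas-unusual-location")
    if not reasons:
        return None
    return {"path": rel, "sha256": digest, "reasons": ";".join(reasons)}


def scan(root, workers=8):
    """Hash all files under root in parallel and collect findings sorted by path."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: classify(root, p), files))
    return sorted((r for r in results if r), key=lambda r: r["path"])


def write_csv(findings, out_path):
    """Export findings in the same three-column shape the scan returns."""
    with open(out_path, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=["path", "sha256", "reasons"])
        writer.writeheader()
        writer.writerows(findings)
    return out_path


def build_sample_mount():
    """Create a constructed directory tree standing in for the mounted backup."""
    root = Path(tempfile.mkdtemp(prefix="backupmount_"))
    (root / "Windows/System32").mkdir(parents=True)
    (root / "Users/alice/Downloads").mkdir(parents=True)
    # Legitimate copy in its expected location: must not be flagged.
    (root / "Windows/System32/certutil.exe").write_bytes(b"constructed legit stub")
    # Same binary name copied to a user directory: flagged by the LOLBAS rule.
    (root / "Users/alice/Downloads/certutil.exe").write_bytes(b"constructed copied stub")
    # Content whose hash is in the known-bad set: flagged by the hash rule.
    (root / "Users/alice/Downloads/invoice.exe").write_bytes(SAMPLE_BAD_CONTENT)
    (root / "Users/alice/notes.txt").write_bytes(b"harmless text")
    return root


if __name__ == "__main__":
    mount = build_sample_mount()
    hits = scan(mount)
    out = write_csv(hits, mount / "findings.csv")
    for hit in hits:
        print(hit)
    print(f"CSV written to {out}")
```

Pointing `scan()` at the real mount point instead of `build_sample_mount()` is the only change needed to run it against a presented backup; the hashing is I/O bound, so a thread pool gives the parallelism the post mentions without multiprocessing overhead.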

I think the API is always a better way to go with Veeam and would love to see a test version. Looking forward to seeing this take shape.


Is this used solely for the Guest Index Malware Scans, Steve? If so, I actually don't use that method...only Inline Scans; or, is this a tool which works separately...on its own...doing its own "Malware Scan"? If so...sounds like it'd be a great tool to me.


@coolsport00,
it works separately/independently from the Guest Index Malware Scans and IoC detection. Think of it as another way to scan the backup data. And since the files/hashes to be checked are stored in a database, the script can be adapted to any new sources.


Ok sweet! This would no doubt be useful imo. 🙌🏻


Looks very nice. Does this action require guest credentials?

Nice, because with YARA one needs to create one's own rules and keep them up to date oneself, which is more discouraging ….

I am curious that everything regarding malware detection requires a mount server; is there any thinking about a pool of mount servers? But this is another topic ….



No guest credentials needed, just a user account with appropriate rights in Veeam Backup & Replication for accessing the REST API. The backup is then presented over FUSE or iSCSI (just finalizing this piece) to the Linux system, where the scanner script is running.


Well, I will vote for this feature!
