Data Integration API – File Scanner with Malware and LOLBAS Detection

4 months ago
May 19, 2025
7 comments
129 views

+11

SteveHeart
Influencer
81 comments

Hello Community!

Your input is needed. Almost two years ago, I created a PowerShell script that checks if one of the scanned files matches a SHA256 value by comparing the values to a list of known hash values. It only searched in specific directories.

What would be better than using file-level restore? Right, Data Integration API!

Since version 12.3.1, Veeam offers the possibility of working with the Data Integration API via the REST API. To improve the whole thing, I have created a Python script that scans the mounted backup file system for suspicious files by comparing their hash values against known threats stored in a local database. The database uses data from Malware Bazaar and the LOLBAS project (“Living Off The Land Binaries and Scripts”), a catalog with legitimate Windows system binaries that attackers often abuse. The script can detect such files when they appear in unusual locations. The analysis is performance-optimized through parallel processing and will export the result in a CSV file.

What do you think about this idea? Should I develop this into a public version?
Cheers,
Steve Heart

+21

Chris.Childerhose
Veeam Legend, Veeam Vanguard
9299 comments
4 months ago
May 19, 2025

I think the API is always a better way to go with Veeam and would love to see a test version. Looking forward to seeing this take shape.

+21

coolsport00
Veeam Legend
4737 comments
4 months ago
May 19, 2025

Is this used solely for the Guest Index Malware Scans Steve? If so, I actually don’t use that method...only Inline Scans; or, is this a tool which works separately...on its own...doing its own “Malware Scan”? If so...sounds like it’d be a great tool to me.

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00

+11

SteveHeart
Author
Influencer
81 comments
4 months ago
May 19, 2025

@coolsport00,
it works separately/independently from the Guest Index Malware Scans and IoC detection. Think of it as another way to scan the backup data. And since the files/hashes to be checked are stored in a database, the script can be adapted to any new sources.

+21

coolsport00
Veeam Legend
4737 comments
4 months ago
May 19, 2025

Ok sweet! This would no doubt be useful imo. 🙌🏻

Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00

Marcel.K
Veeam Legend
254 comments
4 months ago
May 20, 2025

Looks very nice. Does require this action guest credentials?

Nice, because like Yara, is needed to create own rules, and up to date by own, this is more discouraged ….

I am curious, that everything regarding malware detection requires mount server, if there is not thinking about pool of mount servers, but this is another topic ….

Marcel Kačmár | VCSP Partner 2022 | VMCE 2024 | VMCA 2024 |

+11

SteveHeart
Author
Influencer
81 comments
4 months ago
May 20, 2025

Marcel.K wrote:

Looks very nice. Does require this action guest credentials?

Nice, because like Yara, is needed to create own rules, and up to date by own, this is more discouraged ….

I am curious, that everything regarding malware detection requires mount server, if there is not thinking about pool of mount servers, but this is another topic ….

No guest credentials needed, just a user account with appropriate rights in Veeam Backup & Replication for accessing the REST API. The backup is then presented over FUSE or iSCSI (just finalizing this piece) to the Linux system, where the scanner script is running.

Marcel.K
Veeam Legend
254 comments
4 months ago
May 20, 2025

well, i will vote for this feature!

Marcel Kačmár | VCSP Partner 2022 | VMCE 2024 | VMCA 2024 |

What would be better than using file-level restore? Right, Data Integration API!

What do you think about this idea? Should I develop this into a public version?
Cheers,
Steve Heart

Page 1 / 1

I think the API is always a better way to go with Veeam and would love to see a test version. Looking forward to seeing this take shape.

Ok sweet! This would no doubt be useful imo.

Looks very nice. Does require this action guest credentials?

Nice, because like Yara, is needed to create own rules, and up to date by own, this is more discouraged ….

I am curious, that everything regarding malware detection requires mount server, if there is not thinking about pool of mount servers, but this is another topic ….

Marcel.K wrote:

Looks very nice. Does require this action guest credentials?

Nice, because like Yara, is needed to create own rules, and up to date by own, this is more discouraged ….

I am curious, that everything regarding malware detection requires mount server, if there is not thinking about pool of mount servers, but this is another topic ….

well, i will vote for this feature!

Comment

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded