
Get the most recent malware detection logs from each Veeam Server and send over email with summary


vAdmin

Hi Everyone,

I'm sharing a script that collects the latest Malware Detection log from a specified list of Veeam Backup servers (read from their default directory) and attaches each one, with the server name appended to the file name.

When no new malware detection log file has been generated on the day, no email is sent out.

You can update $Servers and $paramSendMailMessage to suit your needs, as well as the CSS styling.

# Servers whose default Malware_Detection_Logs folder is read over the C$ admin share
$Servers = 'VBR01', 'BACKUP01', 'BKP-SVR', 'VBRSVR02'
$LocalIPAddress = (Resolve-DnsName -Name $ENV:COMPUTERNAME | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress) -join ', '
$Filter = '*.LOG'

$paramSendMailMessage = @{
    From       = "$($ENV:COMPUTERNAME)@$($ENV:USERDNSDOMAIN)"
    To         = 'your.email@veeam.com'
    Subject    = "Malware report summary as of $(Get-Date -Format 'F')"
    SmtpServer = 'smtp.domain.com'
    BodyAsHtml = $true
    Priority   = 'High'
}

$HtmlHead = @"
<style>
    body {
        font-family: Calibri;
    }
    table {
        width: 100%;
        border-collapse: collapse;
        border: 1px solid;
    }
    th {
        background-color: green;
        border: 1px solid;
        padding: 1px;
    }
    td {
        border: 1px solid;
        padding: 1px;
    }
</style>
"@

$htmlPreContent = '<H3>Statistics:</H3>'
$attachments = $Stats = @()

ForEach ($server In $Servers)
{
    Write-Host "Processing $($server) ..." -NoNewline -ForegroundColor Cyan

    # The UNC path must be quoted; an unquoted path here is a parse error
    $paramGetChildItem = @{
        Filter      = $Filter
        LiteralPath = "\\$($server)\C$\ProgramData\Veeam\Backup\Malware_Detection_Logs"
        ErrorAction = 'SilentlyContinue'
    }

    # Newest log file in the folder; an unreachable server simply yields $null
    $logItem = Get-ChildItem @paramGetChildItem | Sort-Object LastWriteTime | Select-Object -Last 1

    If ($logItem -and ($logItem.LastWriteTime.Date -eq (Get-Date).Date))
    {
        Write-Host "... found today's $($logItem.Name) file" -ForegroundColor Yellow

        # Local copy, named after the server, that is attached to the email later
        $destination = "$($env:Temp)\Malware-Detection-Logs_$($server).LOG"

        $paramCopyItem = @{
            Destination = $destination
            Force       = $true
        }
        $logItem | Copy-Item @paramCopyItem

        # Detection lines start with '[' (the backtick escapes '[' for -like);
        # the text after the last '.' is taken as the flagged file's extension
        $Stats += Get-Content -Path $destination |
            Where-Object { $_ -like '`[*' } |
            ForEach-Object { $_.Split('.')[-1] } |
            Group-Object |
            Select-Object -Property @{ n = 'Server'; e = { $server } }, @{ n = 'Extension'; e = { $_.Name } }, Count |
            Sort-Object -Property Count

        $attachments += $destination
    }
    Else
    {
        Write-Host '... found no current Malware_Detection_Logs file' -ForegroundColor Green
    }
}

# Only send when at least one server produced a log file today
If ($attachments)
{
    Write-Host "Sending email with $($attachments.Count) attachments." -ForegroundColor Magenta
    $body = ($Stats | ConvertTo-Html -Head $HtmlHead -PreContent $htmlPreContent) -join "`r`n"
    $body += "`r`n<BR>Sent from $($ENV:COMPUTERNAME) [$($LocalIPAddress)]"

    Send-MailMessage @paramSendMailMessage -Attachments $attachments -Body $body

    # Remove the temporary copies once they have been sent
    ForEach ($attachment In $attachments)
    {
        Remove-Item -Path $attachment -Force
    }
}

This script is helpful for me because the malware detection alert notification does not include the location of the harmful file, as shown below:

Malware Detection - Daily report - Warning

Inline and Index analytics summary, Saturday, 2 March 2024 12:00:14 AM

Machines analyzed: 51 workloads
Clean: 50
Inline scans: 51 workloads
Suspicious: 1
Index scans: 0 workloads

Overall Malware Events: 0 infected, 1 suspicious

FileServer01
Status     | Event created        | Activity date        | Type            | Initiated by     | Details
Suspicious | 1/03/2024 3:10:33 AM | 1/03/2024 3:05:32 AM | Ransomware note | DOMAIN\svc-veeam | Potential malware activity detected

Veeam Backup & Replication 12.1.0.2131

This is the sample email body for the malware detected from the logs:

Server   | Extension | Count
VBR01    | NOV       | 4
BKP-SVR  | 666       | 4
BKP-SVR  | BD        | 6
BACKUP01 | Lion      | 10
BACKUP01 | aa1       | 20
VBR02    | exe       | 220
BKP-SVR  | a19       | 244
VBR01    | hidden    | 1
VBR01    | hta       | 2
VBR01    | FOX       | 778

By generating this report from the whole list of Veeam servers, I can adjust the malware detection settings and also search for the malicious files.

I hope this can be helpful for everyone here.
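As an added example (not part of vAdmin's script), the extension-counting step above factored into a reusable function and run against constructed sample lines; the line shape, a detection line starting with `[` and ending in the flagged file's path, is an assumption taken from the script's own parsing rule, and the function adds a guard for lines without any dot, which the one-liner would count as their own "extension".

```powershell
# Added example, not the original post's code. The detection-line format is an
# assumption derived from the script's own rule (line starts with '[' and ends
# with the flagged file's name).
function Get-MalwareExtensionSummary {
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [string[]] $Lines
    )

    $Lines |
        Where-Object { $_ -like '`[*' } |          # detection lines only; backtick escapes '['
        ForEach-Object {
            $name = $_.Trim()
            # Extension = text after the final '.', with no path separator or
            # whitespace in it. A line with no dot gets '(none)' instead of
            # being counted as an "extension" equal to the whole line.
            if ($name -match '\.([^.\\/\s]+)$') { $Matches[1] } else { '(none)' }
        } |
        Group-Object |                             # case-insensitive unless -CaseSensitive
        Select-Object @{ n = 'Server';    e = { $Server } },
                      @{ n = 'Extension'; e = { $_.Name } },
                      Count |
        Sort-Object -Property Count -Descending
}

# Constructed sample standing in for one Malware_Detection_Logs file.
$sample = @(
    '[01/03/2024 03:05:32] C:\Shares\Finance\Q1-report.xlsx.FOX',
    '[01/03/2024 03:05:32] C:\Shares\Finance\budget.docx.FOX',
    '[01/03/2024 03:05:33] C:\Shares\HR\policy.pdf.fox',
    '[01/03/2024 03:05:34] C:\Users\Public\dropper.hta',
    '[01/03/2024 03:05:35] C:\Users\Public\README_FOR_DECRYPT',
    'Scan finished: 5 files flagged'
)

Get-MalwareExtensionSummary -Server 'VBR01' -Lines $sample | Format-Table -AutoSize
```

The .FOX and .fox hits land in one group because Group-Object compares case-insensitively by default, and the trailing status line is skipped because it does not begin with `[`.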

8 comments

coolsport00
  • Veeam Legend
  • 4109 comments
  • March 1, 2024

Great little script @vAdmin ! I wish Inline Entropy events were more descriptive though 😕


vAdmin
  • Author
  • Influencer
  • 166 comments
  • March 1, 2024
coolsport00 wrote:

Great little script @vAdmin ! I wish Inline Entropy events were more descriptive though 😕

Thank you @coolsport00, yeah, that's why I created this script after reading through your thread and the R&D forums feature request.


coolsport00
  • Veeam Legend
  • 4109 comments
  • March 1, 2024

@vAdmin - does your script work for that specific scan engine? Because, in looking at your script, you peruse the "Malware_Detection_Logs" folder. There is no such folder for Inline scans.


vAdmin
  • Author
  • Influencer
  • 166 comments
  • March 1, 2024
coolsport00 wrote:

@vAdmin - does your script work for that specific scan engine? Because, in looking at your script, you peruse the "Malware_Detection_Logs" folder. There is no such folder for Inline scans.

@coolsport00,
I haven't tested it yet. Where is the location of the logs to parse?


Chris.Childerhose

Very nice little script @vAdmin -- going to download this and test it on my HomeLab. 😎


coolsport00
  • Veeam Legend
  • 4109 comments
  • March 1, 2024

@vAdmin - kind of the same location, but not a 'dedicated' log folder or file. It's in the Data Analyzer file located at:
C:\ProgramData\Veeam\Backup\Svc.VeeamDataAnalyzer.log

The problem is, as I shared, even in the log there is no detailed data. Still, I'd like to see what your script would look like with it 😊


  • New Here
  • 1 comment
  • August 21, 2024

Hey guys, I had a question regarding the malware detection daily report email (the native one in VBR). Is there any way to have the subject of the email modified to include the customer name or backup server name at the beginning? We have enabled the Malware Detection settings in our customer VBR servers and turned on the email notification -- which is set to use the global settings, but it doesn't appear to be appending to the subject for this particular email like it does for the job notifications.

The problem this creates for us is that we get all of these daily summary emails but there is no verbiage that notates the machines, customer, or backup server name.

The script you shared looks interesting, but since our Veeam backup servers for our different clients are all located at different locations/networks, I don't think it would work for us.


Scott
  • Veeam Legend
  • 993 comments
  • August 26, 2024

Great script! I'll be saving this one.

