Skip to main content

Hi Everyone,

 

I'm sharing the script to collect the latest Malware Detection logs from specific lists of Veeam Backup servers in their default directory as the attachment with the server name at the end.

When there is no new malware detection log file generated on the day, then no email will be sent out.

You can update the $Servers and the $ParamSendmailMessage accordingly to suit your needs, as well as the CSS styling.

$Servers = 'VBR01', 'BACKUP01', 'BKP-SVR', 'VBRSVR02'
$LocalIPAddress = (Resolve-DnsName -Name $ENV:COMPUTERNAME | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress) -join ', '
$Filter = '*.LOG'

$paramSendMailMessage = @{
From = "$ENV:COMPUTERNAME@$env:userdnsdomain"
To = 'your.email@veeam.com'
Subject = "Malware report summary as of $(Get-Date -Format 'F')"
SmtpServer = 'smtp.domain.com'
BodyAsHtml = $true
Priority = 'High'
}

$HtmlHead = @"
<style>
body {
font-family: Calibri;
}
table {
width: 100%;
border-collapse: collapse;
border: 1px solid;
}
th {
background-color: green;
border: 1px solid;
padding: 1px;
}
td {
border: 1px solid;
padding: 1px;
}
</style>
"@

$htmlPreContent = '<H3>Statistics:</H3>'
$attachments = $Stats = @()

ForEach ($server In $Servers)
{
Write-Host "Processing $($server) ..." -NoNewline -ForegroundColor Cyan

$paramGetChildItem = @{
Filter = $Filter
LiteralPath = \\$($server)\C$\ProgramData\Veeam\Backup\Malware_Detection_Logs
ErrorAction = 'SilentlyContinue'
}

$logItem = Get-ChildItem @paramGetChildItem | Sort-Object LastWriteTime | Select-Object -Last 1

If ($logItem -and ($logItem.LastWriteTime.Date -eq (Get-Date).Date))
{
Write-Host "... found todays's $($logItem.Name) file" -ForegroundColor Yellow

$destination = "$($env:Temp)\Malware-Detection-Logs_$($server).LOG"

$paramCopyItem = @{
Destination = $destination
Force = $true
}
$logItem | Copy-Item @paramCopyItem

$Stats += Get-Content -Path $destination |
Where-Object { $_ -like '``*' } |
ForEach-Object { $_.Split('.'))-1] } |
Group-Object |
Select-Object -Property @{ n = 'Server'; e = { $server } }, @{ n = 'Extension'; e = { $_.Name } }, Count |
Sort-Object -Property Count

$attachments += $destination
}
Else
{
Write-Host '... found no current Malware_Detection_Logs file' -ForegroundColor Green
}
}

If ($attachments)
{
Write-Host "Sending email with $($attachments.Count) attachments." -ForegroundColor Magenta
$body = ($stats | ConvertTo-Html -Head $HtmlHead -PreContent $htmlPreContent) -join "`r`n"
$body += "<BR>Sent from $($ENV:COMPUTERNAME) $($LocalIPAddress)]" -join "`r`n"

Send-MailMessage @paramSendMailMessage -Attachments $attachments -Body $body

ForEach ($attachment In $attachments)
{
Get-Item -Path $attachment | Remove-Item -Force
}
}

 

This script is helpful for me as the malware detection alert notification does not include the location of the harmful file like below:

Malware Detection

Daily report

Warning

Inline and Index analytics summary, Saturday, 2 March 2024 12:00:14 AM

Machines analyzed

51 workloads

Clean

50

 

Inline scans

51 workloads

Suspicious

1

Index scans

0 workloads

   

Overall Malware Events: 0 infected, 1 suspicious

FileServer01

Status

Event created

Activity date

Type

Initiated by

Details

 

Suspicious

1/03/2024 3:10:33 AM

1/03/2024 3:05:32 AM

Ransomware note

DOMAIN\svc-veeam

Potential malware activity detected

 

 

Veeam Backup & Replication 12.1.0.2131

 

This is the sample email body for the malware detected from the logs:

 

Server

Extension

Count

VBR01

NOV

4

BKP-SVR

666

4

BKP-SVR

BD

6

BACKUP01

Lion

10

BACKUP01

aa1

20

VBR02

exe

220

BKP-SVR

a19

244

VBR01

hidden

1

VBR01

hta

2

VBR01

FOX

778

 

By generating this report from all the list of Veeam Servers, I can modify the malware detection settings and also search for malicious files.

 

I hope this can be helpful for everyone here.

Great little script @vAdmin ! I wish Inline Entropy events were more descriptive though 😕


Great little script @vAdmin ! I wish Inline Entropy events were more descriptive though 😕

Thank you @coolsport00 , yeah, hence I created this script after reading through your thread and the R&D forums feature request. 


@vAdmin - does your script work for that specific scan engine? Because, in looking at your script, you peruse the “Malware_Detection_Logs” folder. There is no such folder for Inline scans.


@vAdmin - does your script work for that specific scan engine? Because, in looking at your script, you peruse the “Malware_Detection_Logs” folder. There is no such folder for Inline scans.

@coolsport00 ,
I haven’t tested it yet, where is the location of the logs to parse ?


Very nice little script @vAdmin -- going to download this and test it on my HomeLab.  😎


@vAdmin - kind of the same location, but not a ‘dedicated’ log folder or file. It’s in the Data Analyzer file located at:
C:\ProgramData\Veeam\Backup\Svc.VeeamDataAnalyzer.log

The problem is, as I shared, even in the log, there is no detailed data. Still, I’d like to see what your script would look like with it 😊


Hey guys, I had a question regarding the malware detection daily report email (the native one in VBR). Is there any way to have the subject of the email modified to include the customer name or backup server name at the beginning? We have enabled the Malware Detection settings in our customer VBR servers and turned on the email notification -- which is set to use the global settings, but it doesn’t appear to be appending to the subject for this particular email like it does for the job notifications.

 

The problem this creates for us is we get all of these daily summary emails but there is no verbiage the notates the machines, customer, or backup server name.

 

The script you shared looks interesting, but since our Veeam backup servers for our different clients are all located at different locations/networks I don’t think it would work for us.


Great Script! I’ll be saving this one. 


Comment