We’ve updated the Script Library section to include YARA rules. I’ve made a quick video (sorry for the cheesy graphics...) on how to install a YARA rule from this site and perform your first scan!
Sticky
How to install a YARA rule with Veeam
+10
+21Thanks for sharing this, Rick. I was about to ask if you were going to do a “how to” video for installing the rules. 😋
+22Absolutely GREAT beginner ‘how-to’ vid on using these rules Rick. Thanks!
+10Thanks for sharing this, Rick. I was about to ask if you were going to do a “how to” video for installing the rules. 😋
Hahaha that’s funny. But I think that screen that has the scan needs some explanation and people just need to use it.
+10Oh and I didn’t want everyone to wait during the video, but here is the result of the scan:
+22Personally, I don’t like how the date is formatted after choosing the dates...can be confusing. And yeah...how you choose it is odd, but makes sense. I think the wording on those 2 dates could be changed to be more descriptive, like “Start from (today)” instead of Start Date; and “End Date (until)”, or something similar for the ‘End Date’.
Hopefully folks will read up on what each option is used for.
+22Oh and I didn’t want everyone to wait during the video, but here is the result of the scan:
Cool! I forgot about even seeing the results! 😂😆
+21Thanks for sharing this, Rick. I was about to ask if you were going to do a “how to” video for installing the rules. 😋
Hahaha that’s funny. But I think that screen that has the scan needs some explanation and people just need to use it.
Yeah, going to take some getting used to for sure. Going to play in the homelab with these sample rules.
+22Excellent video and will really help everyone just starting out with Yara scans!
+21Got them installed in the lab and testing. Very interesting for sure.
+10Thanks for the video. Will there be an option later to run multiple YARA rules at the same time?
Thanks for the video. Will there be an option later to run multiple YARA rules at the same time?
Hi Mike - it is not implemented currently (nor scan on multiple images). Both are feature requests on our side/internally.
+10Thanks for the video. Will there be an option later to run multiple YARA rules at the same time?
Oh and welcome to the Veeam Community
+2
Can point me how to you update the yara rule inside the Veeam software appliance.
My 1st thought would be via SCP or SFTP process, but wonder if there was any official documentation on how to go about this?
+22I’m wondering if they’re updated not within the VSA but where the Console is installed
+2I’m wondering if they’re updated not within the VSA but where the Console is installed
login via the VSA console via shell request or SSH. (with 4eyes auth)
Navigate to the
/var/lib/veeam/yara_rules
I’ve also found that Backup are sorted
/var/lib/veeam/backup
I’m going to try today to see if SCP or SFTP work to update the rules. (may not the official process but it worth trying.)
+22Interesting. Keep us posted
+2Note: This may not the official process, but testing showed you can get files on the VSA.
- SFTP into the VSA using the
veeamadminuser (after enabling SSH from the console). - Navigate to the folder:
/var/lib/veeam/yara_rules - Copy the required YARA files into the VSA.
- Verify that the files exist on the VSA:
-
Validate that the files have the correct ownership and permissions.
File check inside VSA after SFTP.
- update file owner and file permission
chown veeam-usr-vbr:veeam-grp-yararules *.yara
chmod 644 *.yara -
Perform a final file check inside the VSA after the SFTP transfer to confirm:
Files are present
Ownership isveeam-usr-vbr
Group isveeam-grp-yararules
Permissions arerw-r--r--
- Run a SureBackup job and verify that the YARA rules are detected and used successfully during the malware scan.
- Test it the sure backup job run.
Summary of test.
it didn’t work while the files exist inside VSA, third item on common cause “Copying Yara rules Manually” most likely cause of the issues.
What the error actually means
From the SureBackup job log:
“Scanning with YARA rule adonumix2.alphv.yara
The remote certificate was rejected by the provided RemoteCertificateValidationCallback.”
This is not a YARA syntax or file-permission problem anymore.
This error means: 👉 Veeam could not trust the TLS certificate presented by the Linux system that is running YARA (your VBR Linux helper / malware detection component).
In short: certificate trust between VBR and the Linux YARA service is broken or outdated.
This is very common after:
- Upgrades
- Reinstalling Linux packages
- Copying YARA rules manually
- Certificate store changes
- Hostname / IP changes
Most common root causes (in order)
- Linux Malware Detection service certificate is stale
- Veeam certificate cache on the VBR server is stale
- Hostname mismatch (DNS vs IP)
- Time skew between VBR and Linux host
- SELinux blocking certificate access
+21Well at least we have an "unofficial" way to test thia. Thanks for working on this and here is to an official way or even via the update process even.
+2
side note: Found the config backup in default VSA repo. Question now.
How get these files out of VSA and resorted into different VSA.
I’m going to start a next topic with question around VSA.
+22
+21Not off hand no.
+10Hi apologies for the late response. YARA files are var/lib/veeam/yara_rules/ and the file node in the backup console is the trick, think of using the B&R Console app “FastSCP Style” to get YARA rules in for the VSA...
+10
+21Nice! That makes it easier and you can probably use the same to get the configuration backups. I know someone was asking about that.
+22Ah yes...that’s the trick! Thanks Rick! 🙌🏻
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.