Hello community,
You probably know my many scripts on the subject of backup data scanning. I am happy to share with you what I am currently working on.
Secure Restore / Scan Backup
Currently "only" Microsoft Windows machines can be scanned using Secure Restore or Scan Backup (see here). However, the Disk Publishing (Data Integration API) allows us to publish a disk from different types of backups to a Windows or Linux host. The disk can have a Microsoft Windows, Linux, Unix or other file system. On top of that, Veeam Backup & Replication v12.1 gives us many more options for scanning backup data. For example, we can now also mark restore points as clean, suspicious or infected using a PowerShell cmdlet. What if I were to extend one of my scripts with this function? Said and done!
New Script - New Features
The new script presents all existing restore points from a Linux VM, Windows VM or Agent backup to a Linux host, scans the specified restore point and marks the selected restore point as infected, if anything is found. The script utilizes the Veeam Data Integration API and uses ClamAV for antivirus scanning or does a YARA scan using the YARA rules installed on the Linux host. A private key is used to access the Linux system.
The prerequisites are the same as back then (see community post or the readme page in my GitHub repository).
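The scan step on the Linux mount host, sketched as an added example (not the author's script and not Veeam code). It assumes the published disk is already mounted at the path passed in; the names classify_scan, SCANNER and fake_clamscan are hypothetical. It maps ClamAV's exit codes to a verdict so that a failed scan is never treated as a clean restore point.

```shell
#!/bin/sh
# Added example, not the author's script. classify_scan, SCANNER and
# fake_clamscan are hypothetical names.

# Scan a mounted (published) restore point and print one verdict word:
#   clean | infected | error
# ClamAV's clamscan exits 0 (nothing found), 1 (virus found), 2 (error).
# An error is reported as "error", never as "clean", so a failed scan
# cannot be mistaken for a clean restore point.
classify_scan() {
    mount_path=$1
    report=${2:-/dev/null}          # optional file for "signature path" lines
    scanner=${SCANNER:-clamscan}
    if [ ! -d "$mount_path" ]; then
        echo error
        return 0
    fi
    hits=$("$scanner" --recursive --infected --no-summary "$mount_path" 2>/dev/null) \
        && rc=0 || rc=$?
    case $rc in
        0) echo clean ;;
        1) # keep only "<path>: <signature> FOUND" lines
           printf '%s\n' "$hits" |
               sed -n 's/^\(.*\): \(.*\) FOUND$/\2 \1/p' > "$report"
           echo infected ;;
        *) echo error ;;
    esac
}

# Constructed stand-in for clamscan so the logic can be tried without ClamAV.
# FAKE_RC selects the simulated exit code (default 1 = virus found).
fake_clamscan() {
    if [ "${FAKE_RC:-1}" -eq 1 ]; then
        for a in "$@"; do last=$a; done
        echo "$last/home/user/eicar.com: Win.Test.EICAR_HDB-1 FOUND"
    fi
    return "${FAKE_RC:-1}"
}
```

Only the "infected" verdict should lead to marking the restore point; "error" means the scan has to be repeated.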
Script Usage
I now also have the script parameters in a logical order and with more understandable names (thanks for the feedback).
Example:
.\vbr-securerestore.ps1 -HostToScan <VM or Client Name to be scanned> -Jobname <Backup Job Name> -Mounthost <Linux system with ClamAV> -LinuxUser <Linux Username> -Keyfile <Private Key for user access> -AVScan | -YARAScan
The script automatically scans the latest restore point if no restore point gets selected after 15 seconds.
Monitoring & Reporting
In addition to the visibility within the Veeam Backup & Replication Management Console, the restore point also becomes visible in the Veeam One Threat Center if something bad was found.
And of course this is also displayed in the Veeam One Malware Detection Report.
What's next?
Where it makes sense, I will take over functions from the old script and add the "marking function" to it.
The vbr-cleanrestore.ps1 script will also get this functionality soon. Stay tuned!
Happy scanning
Steve