PowerShell - VBR Backup Scan - YARA ready


Userlevel 7
Badge +8

Hi Community,

after Rick's announcement (thanks for the initiative), I couldn't resist creating another script for the community.

As documented, you can add one YARA rule file to the scan process. But what if you want to use multiple YARA rules? Of course you could work with a so-called index file, which refers to the individual YARA rules, but this brings a problem with it, because the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server and only one YARA rule can be used (This is a topic for another blog post - stay tuned). 

 

What if we would like to use all YARA rules from Rick's Top 10 Ransomware Threats blog post for a scan? And we don’t want to click so many times in the UI? This PowerShell script can help.

 

You can select all YARA rules, only selected YARA rules or all YARA rules if no selection has been made after 30 seconds. The script needs the backup job name and the hostname which has to be scanned. 

.\vbr-scan-backups.ps1 -Jobname <backup job name> -HostToScan <hostname>
YARA rules selection

Currently all restore points are scanned, but more "features" will be added to the script soon. And as always: Feedback welcome.

Happy scripting!

Steve💖


14 comments

Userlevel 7
Badge +20

I was wondering if there was a way to use all rules versus just one. It is too bad it was not built into the UI to allow this. Maybe a future enhancement, but adding this to my script library. Thanks for sharing Steve.

Userlevel 7
Badge +22

Very nice. Thanks Steve.

Userlevel 7
Badge +17

Very interesting, Steve. 👍🏼

I hope this will be integrated in VBR in one of the next versions.

Userlevel 7
Badge +17

This would be a great feature enhancement request I think. 

Userlevel 7
Badge +8

Guys, there is a possibility in the UI, if….

 

Of course you could work with a so-called index file, which refers to the individual YARA rules, but this brings a problem with it, because the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server and only one YARA rule can be used (This is a topic for another blog post - stay tuned). 

 

And if it's not in the UI, there is (probably) a „Yet Another Might Tool“ script ;)

 

 

Userlevel 7
Badge +20

Guys, there is a possibility in the UI, if….

 

Of course you could work with a so-called index file, which refers to the individual YARA rules, but this brings a problem with it, because the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server and only one YARA rule can be used (This is a topic for another blog post - stay tuned). 

 

And if it's not in the UI, there is (probably) a „Yet Another Might Tool“ script ;)

 

 

But if the VBR is the mount server would it not use all rules?  I know you can specify the mount server. Have to test this in the lab. 

Userlevel 7
Badge +8

Guys, there is a possibility in the UI, if….

 

Of course you could work with a so-called index file, which refers to the individual YARA rules, but this brings a problem with it, because the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server and only one YARA rule can be used (This is a topic for another blog post - stay tuned). 

 

And if it's not in the UI, there is (probably) a „Yet Another Might Tool“ script ;)

 

 

But if the VBR is the mount server would it not use all rules?  I know you can specify the mount server. Have to test this in the lab. 

Yes, using an index file with the content below works, if the VBR server is also the mount server:
 

include "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\file1.yara"
include "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\file2.yara"
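As an added example (not Steve's script and not Veeam's own code), here is a small PowerShell snippet that generates such an index file from every .yara rule in the VBR rule folder. The folder path is the one from the include lines above; the index file name is an assumption. It writes absolute paths on purpose, because the scan process resolves them on the mount server, which is why the index only works when the VBR server is also the mount server.

```powershell
# Added example: build a YARA index file that includes every rule in the VBR rule folder.
# The folder path matches the include lines above; the index file name is an assumption.
# The index only works when the VBR server is also the mount server, because the
# absolute paths it contains are resolved on the mount server during the scan.
param(
    [string]$RuleFolder = 'C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules',
    [string]$IndexName  = 'index.yara'
)

$indexPath = Join-Path -Path $RuleFolder -ChildPath $IndexName

# Collect every .yara rule file except the index itself, in a stable order.
$rules = Get-ChildItem -Path $RuleFolder -Filter '*.yara' -File |
    Where-Object { $_.Name -ne $IndexName } |
    Sort-Object -Property Name

if (-not $rules) {
    throw "No .yara rule files found in '$RuleFolder'."
}

# One include line per rule, using the absolute path so the mount server can resolve it.
$lines = foreach ($rule in $rules) {
    'include "{0}"' -f $rule.FullName
}

Set-Content -Path $indexPath -Value $lines -Encoding ASCII
Write-Host ("Wrote {0} include line(s) to {1}" -f $rules.Count, $indexPath)
```

Select the generated index file as the YARA rule in the scan dialog instead of an individual rule; every rule it includes is then evaluated in one pass.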

 

Userlevel 7
Badge +9

Thanks @SteveHeart! Looking forward to the next blogpost as well. 

Userlevel 7
Badge +20

Guys, there is a possibility in the UI, if….

 

Of course you could work with a so-called index file, which refers to the individual YARA rules, but this brings a problem with it, because the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server and only one YARA rule can be used (This is a topic for another blog post - stay tuned). 

 

And if it's not in the UI, there is (probably) a „Yet Another Might Tool“ script ;)

 

 

But if the VBR is the mount server would it not use all rules?  I know you can specify the mount server. Have to test this in the lab. 

Yes, using an index file with the content below works, if the VBR server is also the mount server:
 

include "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\file1.yara"
include "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\file2.yara"

 

Yeah, that is what I thought. Going to give this a try and see, since my home lab is an all-in-one install.

Userlevel 7
Badge +8

Thanks for this.

 

I’m looking forward to all the scripts people come up with and hope to do a few of my own!

Userlevel 7
Badge +6

Congrats on developing and sharing the script; I was looking for one and just forked it. 👍🏻 @SteveHeart

Hi Community,

after Rick's announcement (thanks for the initiative), I couldn't resist creating another script for the community.

As documented, you can add one YARA rule file to the scan process. But what if you want to use multiple YARA rules? Of course you could work with a so-called index file, which refers to the individual YARA rules, but this brings a problem with it, because the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server and only one YARA rule can be used (This is a topic for another blog post - stay tuned). 

 

What if we would like to use all YARA rules from Rick's Top 10 Ransomware Threats blog post for a scan? And we don’t want to click so many times in the UI? This PowerShell script can help.

 

You can select all YARA rules, only selected YARA rules or all YARA rules if no selection has been made after 30 seconds. The script needs the backup job name and the hostname which has to be scanned. 

.\vbr-scan-backups.ps1 -Jobname <backup job name> -HostToScan <hostname>
YARA rules selection

Currently all restore points are scanned, but more "features" will be added to the script soon. And as always: Feedback welcome.

Happy scripting!

Steve💖

How do you address false positives on a particular rule? Is there a global way to define a condition that excludes a path to a particular file, maybe something more specific about that file, to mark it as benign?

Userlevel 7
Badge +20

Hi Community,

after Rick's announcement (thanks for the initiative), I couldn't resist creating another script for the community.

As documented, you can add one YARA rule file to the scan process. But what if you want to use multiple YARA rules? Of course you could work with a so-called index file, which refers to the individual YARA rules, but this brings a problem with it, because the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server and only one YARA rule can be used (This is a topic for another blog post - stay tuned). 

 

What if we would like to use all YARA rules from Rick's Top 10 Ransomware Threats blog post for a scan? And we don’t want to click so many times in the UI? This PowerShell script can help.

 

You can select all YARA rules, only selected YARA rules or all YARA rules if no selection has been made after 30 seconds. The script needs the backup job name and the hostname which has to be scanned. 

.\vbr-scan-backups.ps1 -Jobname <backup job name> -HostToScan <hostname>
YARA rules selection

Currently all restore points are scanned, but more "features" will be added to the script soon. And as always: Feedback welcome.

Happy scripting!

Steve💖

How do you address false positives on a particular rule? Is there a global way to define a condition that excludes a path to a particular file, maybe something more specific about that file, to mark it as benign?

There are exclusions for the scans. Need to look into it more.

Userlevel 7
Badge +8

 

How do you address false positives on a particular rule? Is there a global way to define a condition that excludes a path to a particular file, maybe something more specific about that file, to mark it as benign?

Hi @Tim Dressel,

the built-in YARA scan process mounts the backup on the mount host and recursively scans all visible directories. There is no option to explicitly exclude directories. Depending on the use case, it may be possible to “exclude” the file with certain string definitions, so the rule won’t match for this particular file. See the official YARA documentation.
