Powershell - VBR Backup Scan - YARA ready


Userlevel 7
Badge +10

Hi Community,

After Rick's announcement (thanks for the initiative), I couldn't resist creating another script for the community.

As documented, you can add one YARA rule file to the scan process. But what if you want to use multiple YARA rules? Of course you could work with a so-called index file which refers to the individual YARA rules, but this brings a problem with it: the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server, and only one YARA rule can be used (this is a topic for another blog post; stay tuned).

What if we would like to use all YARA rules from Rick's Top 10 Ransomware Threats blog post for a scan? And we don't want to click so many times in the UI? This Powershell script can help.

 

You can select all YARA rules, only selected YARA rules, or all YARA rules if no selection has been made after 30 seconds. The script needs the backup job name and the hostname which has to be scanned.

.\vbr-scan-backups.ps1 -Jobname <backup job name> -HostToScan <hostname>

[Screenshot: YARA rules selection]

Currently all restore points are scanned, but more "features" will be added to the script soon. And as always: Feedback welcome.

Happy scripting!

Steve💖


26 comments

Userlevel 7
Badge +21

I was wondering if there was a way to use all rules versus just one. It is too bad it was not built into the UI to allow this. Maybe a future enhancement, but adding this to my script library. Thanks for sharing Steve.

Userlevel 7
Badge +22

Very nice. Thanks Steve.

Userlevel 7
Badge +17

Very interesting, Steve. 👍🏼

I hope this will be integrated in VBR in one of the next versions.

Userlevel 7
Badge +19

This would be a great feature enhancement request I think. 

Userlevel 7
Badge +10

Guys, there is a possibility in the UI, if….

Of course you could work with a so-called index file which refers to the individual YARA rules, but this brings a problem with it: the YARA rules are stored on the VBR server, but the scan process provides the backups on the mount server, and only one YARA rule can be used (this is a topic for another blog post; stay tuned).

And if it's not in the UI, there is (probably) a "Yet Another Might Tool" script ;)

Userlevel 7
Badge +21

But if the VBR is the mount server, would it not use all rules? I know you can specify the mount server. Have to test this in the lab.

Userlevel 7
Badge +10

Yes, using an index file with the content below works, if the VBR server is also the mount server:

include "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\file1.yara"
include "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\file2.yara"
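As an added example (not Steve's script and not Veeam code), a PowerShell snippet that generates such an index file from every rule file in the YaraRules folder, so the single file selected in the UI pulls in all rules. The folder path is the one quoted above and is assumed to be the default for your install.

```powershell
# Added example: build index.yara with one include line per rule file.
# Works only when the VBR server is also the mount server, because the
# include paths are resolved on the mount server (see the thread above).
param(
    [string]$RulesDir  = 'C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules',
    [string]$IndexName = 'index.yara'
)

$indexPath = Join-Path -Path $RulesDir -ChildPath $IndexName

# Every .yar/.yara file in the folder except the index itself, sorted for a stable result.
$rules = Get-ChildItem -Path $RulesDir -File |
    Where-Object { $_.Extension -in '.yar', '.yara' -and $_.FullName -ne $indexPath } |
    Sort-Object -Property FullName

if (-not $rules) {
    throw "No YARA rule files found in '$RulesDir'"
}

# Same absolute-path form as the two include lines quoted in the thread.
$lines = foreach ($rule in $rules) { 'include "{0}"' -f $rule.FullName }

# Plain ASCII: a UTF-8 BOM at the start of the file is not valid YARA syntax.
Set-Content -Path $indexPath -Value $lines -Encoding Ascii

Write-Host "Wrote $($lines.Count) include line(s) to $indexPath"
Get-Content -Path $indexPath
```

YARA rejects the index if two included files define a rule with the same identifier, so duplicate rule names across files need renaming before the scan.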

 

Userlevel 7
Badge +9

Thanks @SteveHeart! Looking forward to the next blog post as well.

Userlevel 7
Badge +21

Yeah, that is what I thought. Going to give this a try and see, since my home lab is an all-in-one install.

Userlevel 7
Badge +8

Thanks for this.

I'm looking forward to all the scripts people come up with and hope to do a few of my own!

Userlevel 7
Badge +6

Congrats on developing and sharing the script, I was looking for it and I just forked it. 👍🏻 @SteveHeart

How do you address false positives on a particular rule? Is there a global way to define a condition that excludes a path to a particular file, maybe something more specific about that file, to mark it as benign?

Userlevel 7
Badge +21

There are exclusions for the scans. Need to look into it more.

Userlevel 7
Badge +10

 

Hi @Tim Dressel,

The built-in YARA scan process mounts the backup on the mount host and recursively scans all visible directories. There is no option to explicitly exclude directories. Depending on the use case, it may be possible to "exclude" the file via certain string definitions, so the rule won't match for this particular file. See the official YARA documentation.

Userlevel 1

Steve, thank you for the script. Following the instructions, I ran it against two backup jobs, but always get the same error, which is that no restore points could be found. I also ran get-vbrbackup to make sure I was using the correct job names, but with no success.

I run these commands with PowerShell from the Veeam console. The user I am running them as is a Veeam administrator and a local admin on the backup server.

What could be the issue?

Thanks,

Leo

Userlevel 7
Badge +10

Hello @leobsksd,
what type of backup job is it? When it's a job protecting virtual machines, what operating systems are those VMs running? The script only works for Windows. In the README.md file you'll find this link to a script which works with Linux systems.

You also mentioned that the "Get-VBRBackup" command returns no result. Do you get any error message?

Cheers,
Steve

Userlevel 1

Steve, there are jobs backing up virtual Windows machines.

The get-vbrbackup command shows the backup jobs correctly. When I use the backup job names from this command with the vbr scan script, it is then that I see the error that no restore points were found.

Thanks,

Leo

Userlevel 7
Badge +10

@leobsksd,

got it. Any spaces or special characters in your backup job name? I'll spin up my test environment tomorrow morning and will check what might be wrong. Which version of VBR are you running? I'll just try to be as close as possible to your setup 😉

Cheers,
Steve

Userlevel 1

Yes, there is a space in the backup job name.  I have the job name encased in quotes, shouldn’t that take care of it?

 

Thanks,

Leo

Userlevel 7
Badge +21

What if you clone the job and create it without spaces, using hyphens or underscores, to see if it works? I know spacing can cause problems at times.

Userlevel 7
Badge +10

@leobsksd, yes, quotes are perfect and it should work. I’ll check tomorrow.

Userlevel 1

Steve, one other piece of information. The Veeam server is in a workgroup.

 

Leo

Userlevel 7
Badge +10

Hi @leobsksd,

I could not reproduce your problem by using a backup job name with spaces. Another question: is the VM you want to scan protected in this job (parameter HostToScan)? You could quickly check by using this part of the code:

$Jobname = "Your Backup Job Here"
$HostToScan = "Your Windows VM"
# Find the backup whose job name matches exactly
$backup = Get-VBRBackup | Where-Object { $_.JobName -eq $Jobname }
# Keep only the Windows object with the given name. Compare against $false, not the
# string "False": a string on the right-hand side of -ne is converted to a boolean,
# and any non-empty string is $true, so the string comparison only worked by accident.
Get-VBRBackupObject -Backup $backup | Where-Object { $_.IsLinux -eq $false -and $_.Name -eq $HostToScan }

The last command should give you an output. 

Cheers,

Steve
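The checks above, generalised into one function as an added example (not Steve's script): it runs the job lookup, the backup-object lookup and a restore-point lookup separately and reports which stage comes back empty. Get-VBRRestorePoint with -Backup and -Name is assumed to be available in your Veeam PowerShell module; the job and VM names in the usage line are placeholders.

```powershell
# Added example: find out which lookup fails behind "no restore points could be found".
# Assumes the Veeam PowerShell module is loaded on the VBR server, as in the thread.
function Test-VbrScanTarget {
    param(
        [Parameter(Mandatory)][string]$Jobname,
        [Parameter(Mandatory)][string]$HostToScan
    )

    # 1. The job name must match exactly (case-insensitive; spaces are fine inside quotes).
    $backup = Get-VBRBackup | Where-Object { $_.JobName -eq $Jobname }
    if (-not $backup) {
        $names = (Get-VBRBackup | Select-Object -ExpandProperty JobName) -join ', '
        return "No backup for job '$Jobname'. Known jobs: $names"
    }

    # 2. The VM must be a Windows object of this backup. Comparing with -eq $false
    #    works whether IsLinux is a real boolean or the string "False".
    $objects = Get-VBRBackupObject -Backup $backup
    $target  = $objects | Where-Object { $_.Name -eq $HostToScan -and $_.IsLinux -eq $false }
    if (-not $target) {
        $names = ($objects | Select-Object -ExpandProperty Name) -join ', '
        return "'$HostToScan' is not a Windows object of '$Jobname'. Objects: $names"
    }

    # 3. There must be at least one restore point for that object
    #    (assumed cmdlet/parameters: Get-VBRRestorePoint -Backup -Name).
    $points = Get-VBRRestorePoint -Backup $backup -Name $HostToScan
    if (-not $points) {
        return "'$HostToScan' is in the backup but has no restore points (has the job run yet?)"
    }

    return "OK: $($points.Count) restore point(s) for '$HostToScan' in '$Jobname'"
}

# Usage with placeholder names:
Test-VbrScanTarget -Jobname 'Your Backup Job Here' -HostToScan 'Your Windows VM'
```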

Userlevel 1

Steve, when I run that script, it runs cleanly, with no output.

This morning, I also tried moving the Veeam server I have been using into the Active Directory domain and tried the vbr scan script again, with the same results (no restore points found).

I appreciate your help on this. It is okay that the script won't run in my environment.

Thanks,

Leo

Userlevel 7
Badge +10

@leobsksd,
I don't think that it is related to an Active Directory membership; it's even NOT best practice to have the Veeam Backup & Replication server joined into the production Active Directory.

Did you try the commands I shared in my last response? You wrote that a manual execution of Get-VBRBackup -Name "your job name" runs perfectly fine?! So at least I expect some output here:

$Jobname = "Your Backup Job Here"
$HostToScan = "Your Windows VM"
# Find the backup whose job name matches exactly
$backup = Get-VBRBackup | Where-Object { $_.JobName -eq $Jobname }
# Keep only the Windows object with the given name (compare IsLinux against $false, not the string "False")
Get-VBRBackupObject -Backup $backup | Where-Object { $_.IsLinux -eq $false -and $_.Name -eq $HostToScan }



Another question: What license type is used in your setup?

Happy weekend,

Steve
