Hi Community,
after Rick's announcement (thanks for the initiative), I couldn't resist creating another script for the community.
As documented, you can add one YARA rule file to the scan process. But what if you want to use multiple YARA rules? You could work with a so-called index file that refers to the individual YARA rules, but that brings a problem: the YARA rules are stored on the VBR server, while the scan process provides the backups on the mount server, and only one YARA rule can be used (this is a topic for another blog post - stay tuned).
What if we want to use all YARA rules from Rick's Top 10 Ransomware Threats blog post for a scan, without clicking so many times in the UI? This PowerShell script can help.
You can select all YARA rules or only selected ones; if no selection has been made after 30 seconds, all YARA rules are used. The script needs the backup job name and the hostname of the machine to be scanned.
.\vbr-scan-backups.ps1 -Jobname <backup job name> -HostToScan <hostname>
Currently all restore points are scanned, but more "features" will be added to the script soon. And as always: Feedback welcome.
Happy scripting!
Steve