Powershell - VBR - YARA Rules updater

  • 11 January 2024

Hi Community,

YARA scans are one of the exciting new features in V12.1 that I really wanted to start using.
YARA is a great tool to help you search and detect malware like ransomware and alert you before it can do any damage.


In Veeam Backup and Replication V12.1 you can only select one .yar/.yara file to use for scanning from the "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules" directory on the Backup Server.
After uploading some YARA Rules to my Backup Server, I created an index.yar to include all the individual files/rules so I can run scans using all my YARA rules instead of a single YARA rule.

A YARA rule file contains the actual detection logic (the rule name, the strings to look for and the condition that ties them together), whereas a YARA index file contains nothing but include statements pointing at the individual rule files.
If you select a file with an actual YARA rule, the scan works fine, but since the file I selected was my index.yar file, the scan failed!

After taking a close look at the YARA-Volume0.log file (in my case in "C:\ProgramData\Veeam\Backup\FLRSessions\Windows\FLR__vb365.veeam.lab_\Antivirus") on the Mount Server, I found several errors like these:

[08.01.2024 17:37:35.275]    <94>   Error (3)    C:\Windows\TEMP\tmpFE67.tmp(194): error: can't open include file: C:/Program Files/Veeam/Backup and Replication/Backup/YaraRules/MALW_Eicar.yar


So it didn't fail because it found a threat or anything like that. It failed because the Mount Server I'm using for the Backup Repository is not the Backup Server: while the Mount Server can read the index.yar, it cannot find any of the included files, because the "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules" directory only exists on the Backup Server and not on the Mount Server(s).


I am using a lab environment with only a couple of Mount Servers and after creating the "C:\Program Files\Veeam\Backup and Replication\Backup\" directory on the Mount Servers and manually copying the YaraRules directory on the Backup Server to the Mount Server(s), the error was gone and the YARA scans completed successfully.

While copying the YARA rules manually to the few Mount Servers I have in my lab is quick and easy and doesn’t happen too often, let’s see if we can still automate this process 😊


So I have created a small PowerShell script to do this. In the script you will need to fill in a couple of things:

  • Username (this user will create PS Sessions to the specified Mount Server(s))
  • The Mount Server(s) you want to upload the YARA Rules to
  • Specify if it's for Lab usage (only 3 YARA Rules, including one for Eicar) or not (download all ~450 YARA Rules)


When you execute the script for the first time, it will ask for User/Pass credentials and it will save the password encrypted in a creds.txt file in the working directory. After that, it will continue to:

  1. Download all (~450) or just three YARA Rules from https://github.com/Yara-Rules/rules
  2. Generate an index.yar file to include all the downloaded files/rules
  3. Start PowerShell sessions to all the specified Mount Server(s)
  4. Back up any existing YARA Rules on the specified Mount Server(s) to a 'YaraRules_Backup-DD-MM-YYYY_HHMM.zip' file in the "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules" directory
  5. Copy the new YARA Rules to the "C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules" directory on the Mount Server(s) (and create the directory structure if necessary)
  6. Close the PowerShell sessions
  7. Clean up any temporary files from the working directory
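As an added example (not the author's yararules_updater.ps1), here is how steps 3 to 6 can be done with PowerShell Remoting, assuming the rules (including index.yar) are already present in the local YaraRules directory. The Mount Server names are constructed, the credential file is stored as creds.xml via Export-Clixml rather than the creds.txt the post mentions, and the backup step only runs when the remote YaraRules directory actually exists, so a fresh Mount Server does not produce compress/delete errors. After copying, it also verifies on each Mount Server that every include in index.yar resolves, so the "can't open include file" error is caught before the first scan.

```powershell
# Added example, not the author's script: distribute a local YaraRules directory
# to Mount Servers with backup, copy and an include-resolution check.
$RulesSource  = 'C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules'
$RemoteDir    = 'C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules'
$MountServers = @('mount01.veeam.lab', 'mount02.veeam.lab')   # constructed names
$CredFile     = Join-Path $PWD 'creds.xml'                     # assumption: XML, not creds.txt

# First run asks for credentials; Export-Clixml encrypts the password with DPAPI,
# so the file is only readable by the same user on the same machine.
if (Test-Path -Path $CredFile) {
    $Cred = Import-Clixml -Path $CredFile
} else {
    $Cred = Get-Credential -Message 'Account allowed to open PSSessions on the Mount Servers'
    $Cred | Export-Clixml -Path $CredFile
}

foreach ($server in $MountServers) {
    # Step 3: open the remote session.
    $session = New-PSSession -ComputerName $server -Credential $Cred

    # Step 4: back up existing rules to YaraRules_Backup-DD-MM-YYYY_HHMM.zip inside
    # the directory, but only if the directory exists; otherwise just create it.
    Invoke-Command -Session $session -ArgumentList $RemoteDir -ScriptBlock {
        param($dir)
        if (Test-Path -Path $dir -PathType Container) {
            # Earlier backup zips are left alone and not nested into the new one.
            $items = Get-ChildItem -Path (Join-Path $dir '*') -Exclude '*.zip'
            if ($items) {
                $stamp = Get-Date -Format 'dd-MM-yyyy_HHmm'
                $zip   = Join-Path $dir "YaraRules_Backup-$stamp.zip"
                Compress-Archive -LiteralPath $items.FullName -DestinationPath $zip -Force
                $items | Remove-Item -Recurse -Force
            }
        } else {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
    }

    # Step 5: copy the new rules (index.yar included) to the same path on the Mount Server.
    Copy-Item -Path (Join-Path $RulesSource '*') -Destination $RemoteDir -ToSession $session -Recurse -Force

    # Check: every include in index.yar must exist on the Mount Server, because that
    # is where the scan compiles the rules. Paths with forward slashes are fine for Test-Path.
    $missing = Invoke-Command -Session $session -ArgumentList $RemoteDir -ScriptBlock {
        param($dir)
        Select-String -Path (Join-Path $dir 'index.yar') -Pattern '^\s*include\s+"([^"]+)"' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } |
            Where-Object { -not (Test-Path -LiteralPath $_) }
    }
    if ($missing) {
        Write-Warning ('{0}: {1} include(s) do not resolve, for example {2}' -f $server, @($missing).Count, @($missing)[0])
    } else {
        Write-Host "${server}: all includes in index.yar resolve"
    }

    # Step 6: close the session.
    Remove-PSSession -Session $session
}
```

The include check is the part worth keeping even if you copy the rules by other means: a missing include aborts rule compilation on the Mount Server, so the whole scan fails, and nothing in the Backup Console tells you which file could not be opened.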


Select the index.yar file for the YARA scans and you're all set.

If the YaraRules directory is not present on one of the Mount Servers, the script can throw some errors because it cannot compress and delete the YaraRules folder. Don't worry...the script will work fine 😉


With a little bit of adjustment you can, for example, use it to push your own set of YARA rules to all the Mount Servers you use in your environment.


The script can be downloaded here: yararules_updater.ps1


Have fun!



Thanks for sharing, @MarcM !
