Backup scan using YARA rules is one of the new malware detection features in Veeam Backup & Replication 12.1.
Depending on how it is started, the YARA scan does one of the following:
- During a Scan Backup session, it either finds the last clean restore point or analyzes the backup content for the specific information described in the rules.
- During a restore session with the Secure Restore option, it detects malware activity as specified in the YARA rule.
There are some requirements for using YARA rules.
The first is that you need a Veeam Data Platform Advanced license. You do not have to install Veeam ONE, but the license is checked, as described in this post.
The second is obvious but important: Backup Scan is possible only for Windows-based workloads.
Then you need to configure the rules you want to use properly, both on the Veeam Backup Server (where a few rules are already present) and on each mount server.
If you don't, the YARA scan fails immediately:
Clicking Scan Log at the bottom of the window shows why:
C:\Windows\TEMP\tmpA633.tmp(4): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\onionlinks.yara
C:\Windows\TEMP\tmpA633.tmp(5): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\adonunix2.alphv.yara
C:\Windows\TEMP\tmpA633.tmp(6): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\alphanc.yara
C:\Windows\TEMP\tmpA633.tmp(7): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\avos_locker.yara
C:\Windows\TEMP\tmpA633.tmp(8): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\blackbasta.yara
C:\Windows\TEMP\tmpA633.tmp(9): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\clop.yara
C:\Windows\TEMP\tmpA633.tmp(10): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\indicator_suspicious.alphv.mallox.yara
C:\Windows\TEMP\tmpA633.tmp(11): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\lockbit.yara
C:\Windows\TEMP\tmpA633.tmp(12): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\medusa.yara
C:\Windows\TEMP\tmpA633.tmp(13): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\medusalocker.yara
C:\Windows\TEMP\tmpA633.tmp(14): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\play.yara
C:\Windows\TEMP\tmpA633.tmp(15): error: can't open include file: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules\royal_ransom.yara
Exit code: 1
Why? Because the *.yara files do not exist on the mount server. As the log shows, the rule set is assembled into a temporary file that includes every rule by its absolute path, so the scan engine on the mount server expects each rule at exactly that path.
Create the C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules folder on each mount server (it does not exist by default) and copy into it every rule you plan to use, keeping the file names unchanged. Repeat the copy whenever you add or modify a rule on the backup server; otherwise the next scan fails with the same error.
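To avoid doing this by hand on every mount server, the following PowerShell script (an added example, not from the original post or from Veeam) copies the rule set from the backup server to each mount server over the administrative share and then verifies the copies by SHA-256 hash. The mount server names are placeholders, and the script assumes the C$ share is reachable and the account running it is a local administrator on each mount server.

```powershell
# Added example (not part of the original post): push the YARA rule set from the
# Veeam Backup Server to every mount server and verify the copies match.
# Assumptions: the server names below are placeholders, the C$ admin share is
# reachable, and the current account is a local administrator on each mount server.
$RulesPath    = 'C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules'
$MountServers = @('mount01.example.local', 'mount02.example.local')   # placeholders

# Hash the source rules once so every remote copy can be verified against them
$SourceHashes = Get-ChildItem -Path $RulesPath -Filter '*.yara' -File |
    Get-FileHash -Algorithm SHA256

foreach ($Server in $MountServers) {
    # Turn C:\Program Files\... into \\server\C$\Program Files\... so the rules land
    # at the exact absolute path the scan's temporary include file refers to
    $RemotePath = "\\$Server\" + $RulesPath.Replace(':', '$')

    # The folder does not exist on a mount server by default; create it if missing
    if (-not (Test-Path -LiteralPath $RemotePath)) {
        New-Item -ItemType Directory -Path $RemotePath -Force | Out-Null
    }

    # Copy every rule file; -Force overwrites stale copies of rules deployed earlier
    Copy-Item -Path (Join-Path $RulesPath '*.yara') -Destination $RemotePath -Force

    # Verify: each source rule must exist remotely with an identical SHA-256
    $Problems = 0
    foreach ($Src in $SourceHashes) {
        $Dst = Join-Path $RemotePath (Split-Path $Src.Path -Leaf)
        if (-not (Test-Path -LiteralPath $Dst)) {
            Write-Warning "$Server : missing $Dst"
            $Problems++
            continue
        }
        $DstHash = (Get-FileHash -LiteralPath $Dst -Algorithm SHA256).Hash
        if ($DstHash -ne $Src.Hash) {
            Write-Warning "$Server : hash mismatch for $Dst"
            $Problems++
        }
    }

    if ($Problems -eq 0) {
        Write-Host "$Server : $($SourceHashes.Count) rule file(s) copied and verified"
    } else {
        Write-Warning "$Server : $Problems rule file(s) missing or different; scans will fail"
    }
}
```

Run it from the backup server after every change to the rule set. The hash check matters because a rule that exists on the mount server but differs from the one on the backup server will not produce the "can't open include file" error above, yet the scan would then evaluate different logic from what you configured.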