With Veeam Backup & Replication 12.3, the malware detection methods have been improved compared with version 12.1.
The malware detection methods are complementary: each one works in a different way, they can be combined to cover different scopes, and 12.3 adds more options.
As before, the first main difference is that some methods work inline (during the backup job, on the source data) while others work as post-processing directly on the restore points saved in the repositories. They provide different types of results: the inline methods can only mark objects as suspicious, while the post-processing methods can mark them as infected.
The load of the malware detection activities also lands on different Veeam components: basically the proxy servers for the inline methods and the mount servers for the post-processing methods.

This table summarizes the different malware detection methods available in Veeam Backup & Replication 12.3 (for more information see: https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_methods.html?ver=120):
Malware detection feature | Detection method | Type of objects analyzed | Objects can be marked as… | Notes |
---|---|---|---|---|
Guest Indexing Data Scan | Inline file system activity analysis | Guest OS indexing data | Suspicious | During the backup job, detects the following malware activity: Known suspicious files and extensions, Renamed files, Deleted files, Indicators of compromise |
Inline Scan | Inline entropy analysis | Blocks in a data stream | Suspicious | During the backup job, detects the following malware activity: Encrypted files, Onion links or Ransom notes |
Scan Backup and Secure Restore | Rule-based detection (YARA) | Restore points | Infected | During the Scan Backup session, does one of the following: finds the last clean restore point, or analyzes the content for specific information. During the restore session with the Secure Restore option, detects malware activity as specified in the YARA rule. |
Secure Restore and Scan Backup | Signature-based detection (Veeam Threat Hunter) | Restore points | Infected | During the Scan Backup session, finds the last clean restore point. During the restore session with the Secure Restore option, detects malware activity. During the SureBackup job, detects malware activity. |
Secure Restore and Scan Backup | Third-party antivirus software | Restore points | Infected | During the Scan Backup session, finds the last clean restore point. During the restore session with the Secure Restore option, detects malware activity as specified in the antivirus configuration file |
Veeam Incident API | Third-party malware protection solution | Depends on the configuration of the malware protection solution | Infected | Uses Veeam Incident API to send a request about detected malware activity to Veeam Backup & Replication. For more information, see Veeam Backup & Replication REST API Reference |
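The two inline methods in the table work on what the backup job is already reading: the Inline Scan looks at the entropy of data blocks in the stream and at strings such as onion links or ransom-note phrases, which is why it can only say "suspicious" and never "infected". The following Python block is an added illustration of that principle, not Veeam's code: it walks a constructed three-block stream (plain text, random bytes standing in for encrypted content, and a ransom note) and flags high-entropy blocks, `.onion` hostnames and ransom-note wording. The entropy threshold, the marker phrases and the sample data are all assumptions made for the example.

```python
import math
import random
import re
from collections import Counter

BLOCK_SIZE = 4096           # chunk size taken from the data stream
ENTROPY_THRESHOLD = 7.2     # bits per byte; assumed cut-off, not Veeam's internal value

# Tor hidden-service hostnames: 16 (v2) or 56 (v3) base32 characters followed by .onion
ONION_RE = re.compile(rb"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")
# Phrases typical of ransom notes (constructed list); two hits in one block raise a finding
RANSOM_MARKERS = (b"files have been encrypted", b"decrypt", b"bitcoin", b"ransom")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for uniform content, 8.0 for perfectly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_stream(stream: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Walk the stream block by block and return (kind, offset, evidence) findings."""
    findings = []
    for offset in range(0, len(stream), block_size):
        block = stream[offset:offset + block_size]
        entropy = shannon_entropy(block)
        if entropy >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", offset, round(entropy, 2)))
        lowered = block.lower()
        onion = ONION_RE.search(lowered)
        if onion:
            findings.append(("onion_link", offset, onion.group().decode()))
        hits = [m.decode() for m in RANSOM_MARKERS if m in lowered]
        if len(hits) >= 2:
            findings.append(("ransom_note", offset, hits))
    return findings


def kinds_by_offset(findings) -> dict:
    """Group findings as {block offset: set of finding kinds}."""
    out = {}
    for kind, offset, _ in findings:
        out.setdefault(offset, set()).add(kind)
    return out


# --- constructed sample stream: one plaintext block, one "encrypted" block, one ransom note ---
_text = b"Quarterly report: revenue grew 4% while operating costs stayed flat. " * 80
PLAINTEXT_BLOCK = _text[:BLOCK_SIZE]
_rng = random.Random(20250101)   # seeded so the sample is reproducible
ENCRYPTED_BLOCK = bytes(_rng.getrandbits(8) for _ in range(BLOCK_SIZE))
RANSOM_NOTE_BLOCK = (
    b"ALL YOUR FILES HAVE BEEN ENCRYPTED!\n"
    b"To decrypt them pay 0.5 bitcoin and contact us at http://abcdefghijklmnop.onion/\n"
).ljust(BLOCK_SIZE, b"\n")
SAMPLE_STREAM = PLAINTEXT_BLOCK + ENCRYPTED_BLOCK + RANSOM_NOTE_BLOCK

if __name__ == "__main__":
    for kind, offset, evidence in scan_stream(SAMPLE_STREAM):
        print(f"{kind:13s} at offset {offset:6d}: {evidence}")
```

The caveat that matters in practice: compressed archives, already-encrypted disks and media files also score close to 8 bits per byte, so an entropy hit on its own is exactly that, suspicious. The post-processing methods (YARA, Veeam Threat Hunter, antivirus) are what turn a suspicion into an "infected" mark on a restore point.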
Each of them has different settings, different limitations, different requirements and a different way to investigate the results.
The main differences from versions 12.1 and 12.2 are:
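The last row of the table, the Veeam Incident API, is the one most often wired up by hand: an EDR or antivirus that sees an infection tells the backup server, which then marks the machine as Infected. The Python block below is an added example of such an integration, not Veeam's or any vendor's code. It prepares the two REST calls (token request, then the event POST to `/api/v1/malwareDetection/events`) against the default port 9419. The request body fields (`detectionTimeUtc`, `machine`, `details`, `engine`, `severity`) follow the Veeam REST reference as the editor recalls it, the `x-api-version` value `1.2-rev0` is assumed for 12.3, and the hostnames, credentials and detection text are constructed; verify all of them against the REST reference for your build before use.

```python
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Optional

API_PORT = 9419              # default REST API port of the backup server
API_VERSION = "1.2-rev0"     # assumed value for 12.3; check the REST reference for your build
SEVERITIES = ("Infected", "Suspicious")


def build_event(fqdn: str, ipv4: str, engine: str, details: str,
                severity: str = "Infected", detected_at: Optional[datetime] = None) -> dict:
    """Body of POST /api/v1/malwareDetection/events (field names per the REST reference)."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    when = detected_at or datetime.now(timezone.utc)
    return {
        "detectionTimeUtc": when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "machine": {"fqdn": fqdn, "ipv4": ipv4},
        "details": details,
        "engine": engine,
        "severity": severity,
    }


def token_request(server: str, username: str, password: str) -> urllib.request.Request:
    """POST /api/oauth2/token with the password grant; returns the prepared request."""
    body = urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password}).encode()
    return urllib.request.Request(
        f"https://{server}:{API_PORT}/api/oauth2/token", data=body, method="POST",
        headers={"x-api-version": API_VERSION,
                 "Content-Type": "application/x-www-form-urlencoded"})


def event_request(server: str, token: str, event: dict) -> urllib.request.Request:
    """POST /api/v1/malwareDetection/events carrying the bearer token."""
    return urllib.request.Request(
        f"https://{server}:{API_PORT}/api/v1/malwareDetection/events",
        data=json.dumps(event).encode(), method="POST",
        headers={"x-api-version": API_VERSION, "Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})


def send(req: urllib.request.Request, ca_file: Optional[str] = None) -> tuple:
    """Send a request, verifying the backup server's TLS certificate against ca_file
    instead of disabling verification (the default VBR certificate is self-signed,
    so export it and pass its path here)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def sample_event() -> dict:
    """Constructed detection event with a fixed timestamp (hypothetical host and engine)."""
    return build_event("fs01.corp.example", "10.0.0.25", "ExampleEDR 3.1",
                       "Ransomware behaviour: mass file encryption in C:\\Shares",
                       detected_at=datetime(2025, 1, 15, 10, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    # Network calls are outside the offline example; the two commented lines show the flow.
    print(json.dumps(sample_event(), indent=2))
    # status, body = send(token_request("vbr01.corp.example", "corp\\svc-edr", "..."), "vbr01.pem")
    # status, body = send(event_request("vbr01.corp.example", body["access_token"], sample_event()), "vbr01.pem")
```

Keep the account used for the token request limited to what the integration needs, and do not trade certificate verification for convenience: a forged "clean" or "infected" event from a machine that can reach port 9419 would directly change which restore points you trust.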
- Veeam Threat Hunter (added in 12.3): a signature-based scan engine provided by Veeam, used as an alternative to third-party antivirus software to scan the restore points. The Veeam Threat Hunter Service is automatically installed on the mount server and runs in the background. See also: Scan your backup with Veeam Threat Hunter and How fast is Veeam Threat Hunter?
- Custom Internet proxy support (added in 12.3.1) for downloading updates of the Veeam Threat Hunter threat signatures. Before 12.3.1 the mount server was not able to download the new signatures through a proxy server. Note: new signatures are downloaded at each scan operation, so check that every mount server can reach the update source, directly or through the configured proxy.
- Indicators of Compromise (IoC): indicators of compromise are non-malware programs, but their unexpected presence on a system can indicate a security risk. They are listed in the SuspiciousFiles.xml file, selected and categorized using the MITRE ATT&CK Matrix. Version 12.3 leverages the file system indexing functionality to detect and report the sudden appearance of utilities from the hacker's toolkit, commonly used by cybercriminals for lateral movement, data exfiltration, command and control, stored credential access and more; the list of tools is constantly updated by Veeam.
See also: Indicators of Compromise
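Both the Guest Indexing Data Scan in the table and the IoC feature above work on the same input: the guest file-system index that the backup job collects, compared against the index of the previous restore point. The Python block below is an added illustration of that comparison and is not Veeam's implementation. It takes two constructed index snapshots, pairs deleted files with newly appeared files that carry an extra extension (the typical ransomware rename), and then flags IoC tools by name, suspicious extensions, ransom-note file names and mass deletion. The tool list, extension list, note names and the churn threshold are small constructed stand-ins; the real SuspiciousFiles.xml schema and contents are not reproduced here.

```python
import posixpath

# Constructed stand-in for the Veeam-maintained IoC list (SuspiciousFiles.xml); the real
# file's schema and full content are not reproduced here. Values are ATT&CK tactics.
IOC_TOOLS = {
    "mimikatz.exe": "Credential Access",
    "procdump.exe": "Credential Access",
    "psexec.exe": "Lateral Movement",
    "rclone.exe": "Exfiltration",
    "ngrok.exe": "Command and Control",
}
SUSPICIOUS_EXTENSIONS = {".lockbit", ".encrypted", ".crypt"}                      # constructed
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore-my-files.txt"}  # constructed
MASS_CHANGE_RATIO = 0.2   # assumed: flag when >= 20% of the previous index was renamed or deleted


def index_diff(previous: set, current: set) -> dict:
    """Compare two guest file-system index snapshots (sets of normalized, lower-case paths)."""
    added = {p for p in current if p not in previous}
    deleted = {p for p in previous if p not in current}

    # Pair a vanished file with a new file that is the old name plus an extension,
    # e.g. report.docx -> report.docx.lockbit: that is a rename, not a delete + create.
    renamed = {}
    for old in sorted(deleted):
        for new in sorted(added):
            if new.startswith(old + "."):
                renamed[old] = new
                break
    deleted = {p for p in deleted if p not in renamed}

    basenames = {p: posixpath.basename(p) for p in added}
    ioc_hits = sorted((p, IOC_TOOLS[b]) for p, b in basenames.items() if b in IOC_TOOLS)
    ext_hits = sorted(p for p in added
                      if posixpath.splitext(p)[1] in SUSPICIOUS_EXTENSIONS)
    note_hits = sorted(p for p, b in basenames.items() if b in RANSOM_NOTE_NAMES)
    churn = (len(renamed) + len(deleted)) / len(previous) if previous else 0.0
    suspicious = bool(ioc_hits or ext_hits or note_hits) or churn >= MASS_CHANGE_RATIO
    return {
        "ioc_tools": ioc_hits,
        "suspicious_extensions": ext_hits,
        "ransom_notes": note_hits,
        "renamed": renamed,
        "deleted": sorted(deleted),
        "churn": round(churn, 2),
        "verdict": "Suspicious" if suspicious else "Clean",
    }


# --- constructed snapshots: the index of restore point N-1 and of restore point N ---
PREVIOUS_INDEX = {
    "/users/alice/documents/report.docx",
    "/users/alice/documents/budget.xlsx",
    "/users/alice/documents/notes.txt",
    "/users/alice/pictures/holiday.jpg",
    "/windows/system32/notepad.exe",
}
CURRENT_INDEX = {
    "/users/alice/documents/report.docx.lockbit",
    "/users/alice/documents/budget.xlsx.lockbit",
    "/users/alice/documents/readme.txt",
    "/users/alice/appdata/local/temp/mimikatz.exe",
    "/windows/system32/notepad.exe",
}

if __name__ == "__main__":
    for key, value in index_diff(PREVIOUS_INDEX, CURRENT_INDEX).items():
        print(f"{key:22s}: {value}")
```

Two things follow from the approach. The first is that this method needs guest file system indexing enabled on the job and a previous restore point to compare with, so the first run of a job can only match names against the lists, not detect churn. The second is that a hit on an IoC tool is a "suspicious" mark on the restore point, not proof of compromise: administrators do use PsExec and ProcDump, so the finding is a prompt to scan the restore point with one of the post-processing methods.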