Malware detection methods in Veeam Backup & Replication 13

Veeam Backup & Replication version 13 (for Linux Appliance and Windows) includes significant improvements in malware detection compared to version 12.3, and several new features have been added. The detection methods in this version differ in function and purpose, but they can be combined to raise the overall level of protection. Each produces a different kind of result depending on when it runs (during the backup or afterwards) and on the type of analysis it performs.
The role of malware detection capabilities
Malware detection is a key part of the security and anti-ransomware mechanisms in this release. However, it should be noted that these capabilities are designed primarily to detect infections after they have occurred and are not a replacement for proactive security solutions. For complete protection, several layers of security should be used together.
Malware detection methods fall into two main categories:
1. Detection during backup (Inline)
In this method, data is checked during processing and transmission, and an alert is issued if suspicious behavior is observed.
2. Post-Processing Detection
In this case, the saved restore points are analyzed to identify infections that may not have been active at the time of the backup.
Different methods of malware detection
In version 13, several methods are available for detecting threats:
Guest Indexing Data Scan
This method examines file system activity recorded during the backup, looking for indicators such as:
- Suspicious files
- Changed file extensions
- Bulk deletion of files
- Unusual characters in the file structure
If any of these indicators is found, a “suspicious” status is recorded.
Inline Scan (Entropy Analysis)
In this method, data blocks are analyzed for their entropy level. An abnormal increase in entropy can be a sign of extensive encryption by ransomware. Onion links and ransomware notes can also be identified. The result of this check will also usually be “suspicious.”
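As an added illustration of the entropy check described above (this is example code written for this article, not Veeam's own implementation, and its block size, thresholds and sample data are assumptions), the following compares per-block Shannon entropy between two restore points of the same disk region and reports “suspicious” only when a large share of blocks jumped from low to high entropy, so regions that were always high-entropy (compressed archives) do not trip the check:

```python
import math
import random
from collections import Counter

# Illustrative assumptions, not Veeam's real block size or tuning.
BLOCK_SIZE = 1024
HIGH_ENTROPY_BITS = 7.5      # bits/byte; encrypted or compressed data approaches 8.0
SUSPICIOUS_FRACTION = 0.5    # share of blocks that must jump to high entropy

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each fixed-size block, in disk order."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]

def compare_restore_points(previous: bytes, current: bytes) -> dict:
    """Flag an abnormal *increase* in entropy between two backups of the same region.
    Only blocks that were below the threshold before and at/above it now count, so data
    that was already high-entropy (compressed archives, media) does not trip the check."""
    prev_e, curr_e = block_entropies(previous), block_entropies(current)
    n = min(len(prev_e), len(curr_e))
    jumped = sum(1 for p, c in zip(prev_e, curr_e) if p < HIGH_ENTROPY_BITS <= c)
    fraction = jumped / n if n else 0.0
    verdict = "suspicious" if fraction >= SUSPICIOUS_FRACTION else "no finding"
    return {"blocks": n, "jumped": jumped, "fraction": fraction, "verdict": verdict}

# Constructed sample data: 8 KiB of office-style text followed by a 4 KiB region that
# is already high-entropy (standing in for a compressed archive that was always there).
_rng = random.Random(7)
_TEXT = (b"Quarterly report: revenue grew 4%, headcount stable, see attached. " * 200)[:8192]
_ARCHIVE = _rng.randbytes(4096)
PREVIOUS = _TEXT + _ARCHIVE                      # yesterday's restore point
CURRENT_CLEAN = PREVIOUS                          # today's, unchanged
CURRENT_ENCRYPTED = _rng.randbytes(len(_TEXT)) + _ARCHIVE  # text region overwritten by ciphertext

if __name__ == "__main__":
    for label, cur in (("clean", CURRENT_CLEAN), ("encrypted", CURRENT_ENCRYPTED)):
        print(label, compare_restore_points(PREVIOUS, cur))
```

Note that a single high-entropy reading says nothing on its own, which is why the comparison is against the previous restore point and why the article's result for this check is “suspicious” rather than “infected”.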
YARA-based Scan Backup and Secure Restore
This method uses YARA rules to check recovery points. This check can:
- Identify the last healthy restore point
- Detect infected files during recovery
If infection is confirmed, the status is recorded as “Infected.”
Scan Backup and Secure Restore with Veeam Threat Hunter
This method is signature-based and detects known threats based on a database of signatures. If malware is detected, the recovery point is marked as infected.
Using a third-party antivirus
In this case, the user-selected antivirus engine is used when restoring or scanning the backup. The scan result can indicate the infection status of the Restore Point.
Veeam Incident API
This feature allows for integration with other security solutions. If an external security system detects a threat, it can communicate the result to Veeam via an API so that the recovery point can be marked as infected.
How to check the results
If a scan result is “suspicious,” it means there is unusual behavior and not necessarily a definite infection. In such cases, additional investigation should be performed:
- Encrypted files should be examined with more detailed analytical tools.
- Onion links or ransomware notes require rules-based analysis.
- Details of file changes, deletions, and intrusion indicators are recorded in the backup server log files.
New features in version 13
Proactive Investigation
This feature automatically checks for suspicious items with signature-based scanning. If no threats are found, the Restore Point is marked as “clean.” This feature reduces the need for manual review and speeds up decision-making.
Recon Scanner integration
The Recon Scanner tool, previously offered separately, is now available integrated into the platform, enabling more advanced threat analysis.
Conclusion
Version 13 offers a full suite of malware detection methods that work both during and after backup. These methods range from behavioral and entropy analysis to signature-based scanning and integration with other security tools. Features like Proactive Investigation also make the process of identifying and managing threats more automated and efficient.