Malware detection methods in Veeam Backup & Replication 13

Veeam Backup & Replication version 13 (for Linux Appliance and Windows) includes significant improvements in malware detection compared to version 12.3, and several new features have been added. The different malware detection methods in this version, although different in function and purpose, can be used in combination to increase the level of security. These methods provide different results depending on when they are run (during backup or after) and the type of analysis.

The role of malware detection capabilities

Malware detection is a key part of the security and anti-ransomware mechanisms in this release. However, it should be noted that these capabilities are designed more to detect infections after they occur and are not a replacement for proactive security solutions. For complete protection, different layers of security should be used simultaneously.

Malware detection methods fall into two main categories:

1. Detection during backup (Inline)
In this method, data is checked during processing and transmission, and an alert is issued if suspicious behavior is observed.

2. Post-Processing Detection
In this case, the saved restore points are analyzed to identify infections that may not have been active at the time of the backup.

Different methods of malware detection

In version 13, several methods are available for detecting threats:

Guest Indexing Data Scan

This method checks file system activity during backup. Things like:

  • Suspicious files
  • Change file extensions
  • Bulk deletion of files
  • Unusual characters in the file structure

If these cases are identified, a “suspicious” status is recorded.

Inline Scan (Entropy Analysis)

In this method, data blocks are analyzed for their entropy level. An abnormal increase in entropy can be a sign of extensive encryption by ransomware. Onion links and ransomware notes can also be identified. The result of this check will also usually be “suspicious.”

YARA-based Scan Backup and Secure Restore

This method uses YARA rules to check recovery points. This check can:

  • Identify the last healthy restore point.
  • Detect infected files during recovery

If infection is confirmed, the status is recorded as “Infected.”

Scan Backup and Secure Restore with Veeam Threat Hunter

This method is signature-based and detects known threats based on a database of signatures. If malware is detected, the recovery point is marked as infected.

Using a third-party antivirus

In this case, the user-selected antivirus engine is used when restoring or scanning the backup. The scan result can indicate the infection status of the Restore Point.

Veeam Incident API

This feature allows for integration with other security solutions. If an external security system detects a threat, it can communicate the result to Veeam via an API so that the recovery point can be marked as infected.

How to check the results

If a scan result is “suspicious,” it means there is unusual behavior and not necessarily a definite infection. In such cases, additional investigation should be performed:

  • Encrypted files should be examined with more detailed analytical tools.
  • Onion links or ransomware notes require rules-based analysis.
  • Details of file changes, deletions, and intrusion indicators are recorded in the backup server log files.

New features in version 13

Proactive Investigation

This feature automatically checks for suspicious items with signature-based scanning. If no threats are found, the Restore Point is marked as “clean.” This feature reduces the need for manual review and speeds up decision-making.

Recon Scanner integration

The Recon Scanner tool, previously offered separately, is now available integrated into the platform, enabling more advanced threat analysis.

Conclusion

Version 13 offers a full suite of malware detection methods that work both during and after backup. These methods range from behavioral and entropy analysis to signature-based scanning and integration with other security tools. Features like Proactive Investigation also make the process of identifying and managing threats more automated and efficient

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending now

dxdiag command in windows
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager 14.3.0 RU10
THE NEW CYBERSECURITY FOR BEGINNERS AND DUMMIES
password complexity in Windows Server 2022
How to remove password complexity in Windows Server 2022