Veeam v12.1 Malware Detection and YARA

Great to be attending the #Veeam100Summit in Prague where the 100 best Veeam engineers come together with the Veeam product team to discuss the next steps in backup technology. Today’s hot topic is Veeams new v12.1 feature allowing for inline malware detection and YARA rule scanning of backup data. To really add emphasis to the fact that backups are critical to any companies cyber security estate, we’ve spent a massive chunk of time this morning discussing new malware detection into Veeam Backup & Replication 12.1.

Veeam Availability Suite 12.1

Talking about Inline Malware scan feature coming out in VBR v12.1 coming out before end of year. VBR is improving its way to detect Ransomware on their backup or customer data.

A lot of interest and discussion, particularly around the new Malware detection systems.

  • Inline scanning which analyses file system between backup runs % encrypt, change rates etc.,
  • Incident API,
  • YARA rules and more..


v12.1 – Inline Detection:

Inline ransomware scan: Analyse block-level data during backup (encryption analysis and text analysis).

Veeam Availability Suite 12.1

Encryption analysis : During a backup, collecting TON of metadata, using magic tool and detecting various stat numbers.
After backup, put all in backup’s malware detection metada file Compare this and previsous malware detection metadata.

Analysis: Delta size between runs. Encryption: High-encryption blocks count (50%+ encryption). Continuous encryption. Size of compressed data (LZMA). Magic decrement and encryption. Cross-s correlation between magic and encryption. Malicious content presence (text analysis data).

Keep in mind, high level combo changes = malware event.

Veeam Availability Suite 12.1

Find Encrypted Data Via Entropy Analysis:

  • AI / ML model running on proxies,
  • Detects encrypted data during backup,
  • 5 sensitivity levels,
  • Marks backup “suspicious” if positive,
  • Requires full read after activation to learn “base line”,
  • Note: 25/30% of CPU load on proxy server (consommation). Ransomware index stored in VBRcatalog (index location).

Veeam Availability Suite 12.1

How Encryption Detection Works:

During backup:

  • Collect metadata & statistics,
  • “Magic” value calculation.
  • After backup:

  • Store malware metadata file in VBRcatalog,
  • Compare current & previous malware metadata.
  • AI / ML Decision Factor:

  • Cross-correlation between current & historic values,
  • High score of combined values = suspicious.
  • Example values for calculations:

    • Incremental backup size,
    • Encryption (absolute size & percent),
    • Compression,
    • Magic decrement (removed data),
    • Magic encryption (newly encrypted data),
    • Ransom notes found (explanation next section).

    Veeam Availability Suite 12.1


    VBR v12.1 is now comes with Malware Detection built in. YARA integration, SureBackup scanning without the complexity, on demand scans. Integration with a Incident API to trigger instant backups.


    Finding Malware Binaries with antivirus and YARA scans:

    YARA rules for backups is really cool for more than just emerging malware. Chase down compliance leaks etc.

    Yara rules (video) classify and identify malware samples by creating descriptions of malware families (it is a tool used to identify files, based on textual or binary pattern). YARA rules are like a piece of programming language, they work by defining a number of variables that contain patterns found in a sample of malware. If some or all of the conditions are met, depending on the rule, then it can be used to successfully identify a piece of malware.

    Veeam Availability Suite 12.1

    New ways to detect bad things..

    YARA.exe FilePath + myRule.yar
    YARA rules for backups is really cool for more than just emerging malware. Chase down compliance leaks etc.

    Creating Yara rules to search for artifacts, using the Mandiant IOC collector to save different IOCs with AND/OR conditions, and using Redline to search for the IOCs collected by the Mandiant IOC collector within a disk/memory.

    Steps order:

    1) Import Module – Yara modules allow you to extend its functionality. The PE module can be used to match specific data from a PE.
    2) Rule Name – The rule name identifies your Yara rule. It’s recommended to add a meaningful name.
    3) Metadata – Rules can also have a metadata section where you can put additional information about your rule.
    4) Strings – The field strings is used to define the strings that should match your rule. It exists 3 type of strings: Text strings, Hexadecimal strings and Regex.
    5) Condition – Conditions are Boolean expressions used to match the defined pattern.

    Note: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules – place rules there.

    Use Cases:

    YARA has proven to be extremely popular within the infosec community, the reason being is there are a number of use casesfor implementing YARA:

    • Identify and classify malware,
    • Find new samples based on family-specific patterns,
    • Incident Responders can deploy YARA rules to identify samples and compromised devices,
    • Proactive deployment of custom YARA rules can increase an organization’s defenses.

    Automated Malware & Content Scans via SureBackup (without Virtual Labs):

    • Antivirus and / or YARA scan,
    • No virtual lab configuration!
    • Scan entire backup job (exclusions possible) or specific machines,
    • Scan happens on mount server.

    Veeam Availability Suite 12.1

    Scan happens on mount server:

    Veeam Availability Suite 12.1

    On-Demand Scan For Malware & Content:

    Find the last clean restore point” scans sequentially through the backup chain… last backup, second last backup etc.

    Range-scan has a nice feature: binary search… start scan at the middle date (if you have 9 restore points, start with restore point number 5) and see whether it finds something. Then continue with other half and so on.

    Veeam Availability Suite 12.1

    Veeam Availability Suite 12.1


    Wasabi Object Storage new features: Blog Post
    VUG Fr Day in Monaco Recap
    Detection & Response to Ransomware with Veeam: Blog Post
    Offline versus Immutable Backups: Blog Post
    Cuba ransomware and Veeam CVE-2023-27532: Blog Post
    Akira ransomware infection routine: Blog Post
    2023 Ransomware Trends Report
    Play ransomware infection routine: Blog Post
    New Veeam v12 Platform Overview: Blog Post
    Veeam v12 Linux Without SSH And SUDO: Blog PostHardened Repository in Veeam v12: Blog Post
    Wasabi Object Storage Usage with Veeam B&R v12: Blog Post
    VeeaMover in v12: Blog Post
    Ransomware & Cybersecurity with Veeam v12: Blog Post
    Why backup directly to Object Storage? Blog Post
    Veeam B&R v12 New Features Overview: Blog Post
    [REPLAY] Webinar Veeam v12 and Wasabi: Replay
    Protect your data with Veeam and Wasabi: Blog post
    Wasabi – Object Lock feature spotlight: Blog post
    Veeam and the S3-compatible object storage solutions: Blog Post
    [PODCAST] VeeamUser Group France #1: Record
    Conti initiates their attacks on Backup: Blog Post
    Backup with Trusted Repository Storage: Blog Post.
    Protect your Backup against Ransomware: Blog Post

    Please follow and like us:

    Enjoy this blog? Please spread the word :)