Veeam Backup and Replication 12.1 will bring some big and exciting new features that we'll be talking about today. Have you ever wanted to be sure that your backup files are not infected, to investigate them before restoring, or to look inside a backup without actually restoring it? Here is something you'll like. Inline detection is a new feature that detects ransomware as soon as the first backup file is encrypted by it. We'll dive into the details in this post, as well as other features that are part of Veeam Backup and Replication 12.1.
Note: Please note that this post is hot off the press so there might be some imperfections, or things that I have misinterpreted during the presentation. But yeah, don't hesitate to comment!
When the backup is running, Veeam is already scanning the files as the proxy reads the data from the production workloads. During the backup, Veeam collects some data that helps to detect ransomware. They collect raw numbers that could signal that your systems are
As the proxy reads each block of data, Veeam records some statistics about it. During the next day's backup it looks at whether there are size differences, whether the number of files has increased, how much of the space is encrypted, and how far the encryption is spread across the volumes. This data forms an index that plays a role in the following backups: the next day's backup uses the index and can see that something is going on (95% of increments are encrypted, some volumes are getting encrypted, etc.).
Note: Once Veeam 12.1 is installed (upgraded), the first incremental backup after the upgrade will take a bit longer to execute because the malware engine must read the whole system.
Index Scan
There are 4K+ predefined extensions already in the system. You can add more extensions manually.
For unknown malware extensions, the system looks for large numbers of changed files between two indexes (a new index is saved on each run).
What if some files are deleted? Veeam can help here too, because Veeam knows 140+ extensions that they care about. When more than about 25 percent of files are changed, an alarm is triggered, or when 25 files are changed per extension.
The index scan will consume more system CPU (over 25% more CPU), including while comparing the two indexes.
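A sketch of the index comparison described above, as an added example that is not Veeam's code: the extension lists are shortened stand-ins, the sample indexes are constructed, and reading the two 25 figures as "more than 25 percent or at least 25 files of one watched type gone" is an assumption.

```python
from collections import Counter
from pathlib import PurePosixPath

# Assumed, shortened stand-ins for the product's extension lists (not Veeam data).
SUSPICIOUS_EXT = {".locked", ".crypt"}    # known ransomware extensions
WATCHED_EXT = {".docx", ".xlsx", ".pdf"}  # file types whose loss matters
PCT_THRESHOLD = 25    # percent of files of one type gone (figure from the post)
COUNT_THRESHOLD = 25  # files of one type gone (figure from the post)

def ext(path):
    return PurePosixPath(path).suffix.lower()

def compare_indexes(previous, current):
    """Compare two file indexes (iterables of paths) and return alarm strings."""
    prev, cur = set(previous), set(current)
    alarms = []
    # 1. Files that appeared since the last run with a known-bad extension.
    new_bad = [p for p in cur - prev if ext(p) in SUSPICIOUS_EXT]
    if new_bad:
        alarms.append(f"suspicious-extension: {len(new_bad)} new files")
    # 2. Watched file types that vanished (deleted, or renamed by an encryptor).
    before = Counter(ext(p) for p in prev if ext(p) in WATCHED_EXT)
    gone = Counter(ext(p) for p in prev - cur if ext(p) in WATCHED_EXT)
    for e, n in sorted(gone.items()):
        pct = 100 * n / before[e]
        if n >= COUNT_THRESHOLD or pct > PCT_THRESHOLD:
            alarms.append(f"mass-removal {e}: {n}/{before[e]} ({pct:.0f}%)")
    return alarms

# Constructed sample indexes: 30 of 40 .docx files get renamed to *.docx.locked,
# and 2 of 10 .pdf files are deleted in the course of normal work.
MONDAY = [f"/share/doc{i}.docx" for i in range(40)] + \
         [f"/share/scan{i}.pdf" for i in range(10)]
TUESDAY = [f"/share/doc{i}.docx.locked" for i in range(30)] + \
          [f"/share/doc{i}.docx" for i in range(30, 40)] + \
          [f"/share/scan{i}.pdf" for i in range(2, 10)]

if __name__ == "__main__":
    for alarm in compare_indexes(MONDAY, TUESDAY):
        print(alarm)
```

The two deleted PDFs stay below both thresholds, so ordinary housekeeping does not raise an alarm while the mass rename does.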
Index Scan System Requirement:
- VMware (+VCD), Hyper-V Windows + Linux
- Managed by server VAW (+Cloud Native WAW) and standalone Veeam Agent for Windows
Incident API
This is an external API that can detect the malware, report it back, and raise the alarm in Veeam Backup and Replication.
YARA tool
This is a new way to detect things.
This tool is able to detect some stuff. YARA can search using different rules, for example for traces of credit cards. YARA can combine many YARA rules into a single file.
The yara.exe tool can be used to search for bad things, or for credentials in my backups or in PDF files; it is very flexible. YARA is not a replacement for your AV tool, but if you need to find something concrete, some exact word or something you know you're looking for, YARA is the way to do it.
You can search your mounted backup files, offline.
New SureBackup Operation Mode
It does not require virtual labs (which are complex to set up: networking, masquerading, etc.). You'll have options to scan with YARA, AV, etc. without virtual labs! Easier.
New On-demand operation Scan Backup
You still have to have a SureBackup job in content operation mode. The on-demand operation does not require a SureBackup job. You'll be able, for example, to find the latest clean backup: Veeam will scan the recent restore points and pick the latest clean restore point.
Another case is when someone says that, let's say, they've been within your infrastructure for a long time (several months). Veeam can search for the latest clean backup, but in a different way (via binary split).
And the last case: someone detects a data leak that has spread, and you need to search all your backup restore points to find a specific file.
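The two search strategies just described, walking back from the newest restore point versus a binary split, compared in an added example that is not Veeam's code. The restore point names, the `scan` stand-in for a YARA/AV scan and the sample timeline are constructed; the binary split assumes that every restore point after the first infected one is also infected.

```python
from typing import Callable, Optional, Sequence, Tuple

Result = Tuple[Optional[str], int]  # (latest clean restore point, scans used)

def latest_clean_linear(points: Sequence[str],
                        is_clean: Callable[[str], bool]) -> Result:
    """Scan from the newest restore point backwards until one is clean."""
    scans = 0
    for rp in reversed(points):
        scans += 1
        if is_clean(rp):
            return rp, scans
    return None, scans

def latest_clean_bisect(points: Sequence[str],
                        is_clean: Callable[[str], bool]) -> Result:
    """Binary split over restore points ordered oldest to newest."""
    lo, hi = 0, len(points) - 1
    best, scans = None, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        scans += 1
        if is_clean(points[mid]):
            best = points[mid]   # clean: the answer is here or later
            lo = mid + 1
        else:
            hi = mid - 1         # infected: the answer is earlier
    return best, scans

# Constructed timeline: 120 daily restore points, intruder present from day 37.
POINTS = [f"rp-{day:03d}" for day in range(1, 121)]
FIRST_INFECTED_DAY = 37

def scan(rp: str) -> bool:
    """Hypothetical stand-in for an expensive scan of a mounted restore point."""
    return int(rp.split("-")[1]) < FIRST_INFECTED_DAY

if __name__ == "__main__":
    print("linear:", latest_clean_linear(POINTS, scan))
    print("bisect:", latest_clean_bisect(POINTS, scan))
```

With a compromise that is months old, the walk back mounts and scans 85 restore points where the binary split needs 7. If a detection can miss an infected point, the monotonic assumption breaks and the result should be confirmed by scanning the chosen restore point's neighbours.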
False Positive
General Option
Encryption detection: you can use low, normal or extreme sensitivity.
We know that this post is not complete and that many questions have been left unanswered. I'll try to update this post ASAP when new information gets to me or when I get access to more information.
During Veeam100 in Prague, this session went fairly quickly, and taking pictures, blogging in real time, and doing a good job just did not work together well. So my apologies for that. Stay tuned for more on Veeam Backup and Replication 12.1.
The 12.1 release should be out by the end of the year 2023.
Veeam 12.1 Installation video -:).