What is Inline Entropy Analysis in Veeam Backup and Replication 12.1

Veeam Backup and Replication 12.1 introduced an interesting feature. This feature is called Encryption Detection and it is an Inline entropy analysis that uses Artificial Intelligence and Machine learning (AI/ML) to detect previously unencrypted data which becomes encrypted within the processed disk images. This shows that you possibly starting to be a victim of a ransomware attack. The Inline Entroyp Analysis does analyze the data on the fly during backups.

This encryption (if any), as it progresses more and more within your network, will put down more and more systems. The detection of the beginning of encrypted data is a key element within your protection against ransomware. The Inline entropy analysis as well as the Suspicious activity detection features are good help to fight ransomware and make sure you're not backing up already half-corrupted systems.

Note: By default, the Encryption detection is unchecked. The suspicious activity detection is checked.

Click OK to validate.

You'll receive a pop-up message saying that the inline entropy analysis requires reading the entire disk image to establish a baseline. This is only happening once. And that the CBT won't be used on the next run of each backup job, but without impacting size.

Note: if you haven't filled an email notification within the settings (3rd tab from the left), the system will warn you about it because it needs an email to send the results.

The notification settings looks as follows:

From Veeam's documentation:

To scan blocks in a data stream, Veeam Backup & Replication uses file entropy analysis. During the backup job, the following malware activity can be detected:

Files encrypted by malware. A malware detection event will be created if the amount of encrypted data exceeds scan sensitivity limits.
Text artifacts created by malware:
- V3 onion addresses that consist of 56 symbols in the [a-z2-7]{56}.onion format. For example, vykenniek4sagugiayj3z32rpyrinoadduprjtdy4wharue6cz7zudid.onion. A malware detection event will be created if at least one onion address is found.
- Ransomware notes created by Medusa and Clop. A malware detection event will be created if at least one ransomware note is found.

Which type of VMs (or systems) are scanned with Veeam Intropy Analysis?

VMware VMs including VMware Cloud Director VMs
Hyper-V VMs
Machines with Veeam Agent for Microsoft Windows operating in the managed mode (volume-level backup only)
Machines backed up to tape devices

The following file systems are supported: NTFS, ext4, ext3, ext2.

How It Works?

During the backup job, Veeam Backup & Replication analyzes data blocks metadata and saves ransomware data in the temporary folder on the backup proxy.

A file in the RIDX format is created for each disk and contains the following information:

Disk metadata (disk name, creation time, disk size, used size, sector size, partition table)
Ransomware data for each data block (the amount of encrypted data, anomalous magic numbers of file types, onion addresses and ransomware notes)

NOTE:

If LZMA headers are found, they will be excluded from encrypted data calculation to decrease the number of false-positive events.

When the backup job is complete, ransomware data is saved in the VBRCatalog folder on the backup server. The Veeam Guest Catalog Service notifies the Veeam Data Analyzer Service about new data that need to be scanned. The Veeam Data Analyzer Service checks last scan results in the RansomwareIndexAnalyzeState.xml file located in the VBRCatalog folder and initiates a new scan session. The scan session is also initiated if the Veeam Data Analyzer Service gets new indexing data after the service starts.

Screenshot from the lab.

After activation, you'll see that during the first backup, the system needs to read the whole disks to collect malware detection metadata.

And this is the screenshot after backup taken (different, smaller VM from the lab).

The Veeam Data Analyzer Service compares the last and previous RIDX files and updates the RansomwareIndexAnalyzeState.xml file. If malware activity is detected, the service will create a malware detection event and mark objects as Suspicious. If the previous RIDX file is not found, the Veeam Data Analyzer Service will perform a full disk read operation to create a RIDX file. In this case, the job session will last longer than usual but the size of the incremental backup file will not be affected. A full disk operation will also be performed if you add a new disk to the VM.

Example from the lab by “infecting” my domain controller VM…. (created a text file with a code that looks like suspicious …)

Final Words

The inline entropy analysis feature is a powerful and innovative tool that enhances the security and reliability of your backup data. It can help you detect and prevent ransomware attacks and minimize the impact of data loss and downtime. It is one of the reasons why Veeam Backup & Replication is a leading software in the data protection industry.