Enhance Backup Security: Ransomware Scanning with Veeam SureBackup

Protecting your data is paramount in today’s cybersecurity landscape, especially when ransomware threats are constantly evolving. Following frameworks like the NIST Cybersecurity Framework is crucial, and a cornerstone of this framework is robust data protection. Secure backups, whether on-premises or in the cloud, offer a vital layer of defense against data breaches and ransomware attacks. Beyond just having backups, the ability to rapidly recover and ensure those backups are clean is equally critical. While dedicated ransomware detection tools are essential, your backup solution can also play a crucial role in verifying the integrity of your recovery points.


Alt text: NIST Cybersecurity Framework highlighting Protect, Detect, and Recover pillars for data security, emphasizing backup’s role in ransomware defense.

Veeam SureBackup: Your Built-in Ransomware Scan Tool

Gartner recommends incorporating backup scanning into an Isolated Recovery Environment, and Veeam addresses this directly with SureBackup. This feature isn’t just about verifying backups for recoverability; it also functions as a valuable ransomware scan tool. Veeam SureBackup automatically assesses backup health, ensuring that when you need to restore, you’re not re-injecting dormant malware or ransomware into your production environment. This proactive approach saves significant time and mitigates potential disaster during recovery.

SureBackup achieves this through several key mechanisms. It can scan the contents of your backups for malware and ransomware using a variety of industry-standard antivirus solutions. Furthermore, it performs CRC (Cyclic Redundancy Check) tests to guarantee backup integrity. The flexibility of SureBackup is a major advantage – it’s compatible with any scanning tool that utilizes a Command Line Interface (CLI). Popular choices like Trend Micro, Bitdefender, and Windows Defender can be seamlessly integrated. Configuration is straightforward; you can easily specify your preferred scanner by editing a simple XML file as detailed here. In my setup, I’m utilizing ESET for robust malware detection.


Alt text: Veeam SureBackup job configuration interface showing options to customize backup verification and ransomware scanning settings for enhanced data protection.

By linking SureBackup jobs to your daily backup policies, you gain the assurance that your backups are not only complete but also regularly inspected for threats. SureBackup’s capabilities extend beyond malware scanning. It can be configured for comprehensive Disaster Recovery (DR) testing, allowing you to verify VM network connectivity in a restored environment and incorporate custom scripts for advanced testing. While this article focuses on its ransomware scanning capabilities, SureBackup offers a wide array of verification options.


Alt text: Veeam SureBackup configuration highlighting the test scripts section for advanced backup verification and customization during automated recovery testing.

The results of each SureBackup job are readily accessible within the Veeam Backup & Replication UI task log and can also be delivered via email reports. The UI provides a clear overview of scan durations and outcomes. As shown below, a malware scan might take around 12 minutes, while a CRC test completes in under a minute. This not only satisfies compliance requirements for regular backup testing but also provides invaluable peace of mind regarding your data’s recoverability and security.


Alt text: Veeam SureBackup job results in the user interface showing scan duration and successful completion of malware and CRC tests for backup verification.

Email notifications can be configured within SureBackup to keep stakeholders informed about backup verification results. These reports can be sent to distribution groups or individual email addresses, ensuring timely awareness of backup health.

Scaling Ransomware Scanning for Enterprise Environments

For larger organizations, implementing SureBackup effectively involves strategic scheduling. A recommended approach is to run weekly SureBackup jobs on a selection of critical VMs within each backup policy. Staggering these jobs throughout the week, for instance, by creating a dedicated SureBackup job for each backup policy and distributing them across weekdays, helps balance the load on the server used for mounting backup files.

To further enhance performance and accelerate scan times, consider leveraging multiple servers for mounting backup files, assuming you have sufficient compute resources. This allows for parallel scanning of multiple backups, significantly reducing the overall verification window and optimizing your ransomware detection process.

Conclusion: Backup Scanning as a Critical Defense Layer

Ransomware defense is a frequent topic in cybersecurity discussions. However, it’s crucial to recognize that relying solely on your backup vendor for primary ransomware detection is a risky strategy. While backup solutions like Veeam should absolutely offer ransomware detection capabilities as a secondary measure, a holistic security approach requires dedicated, specialized ransomware detection tools and strategies. Think of backup scanning as a vital last line of defense.

The primary focus of your backup solution should remain on providing secure, rapidly recoverable copies of your data. After all, the most sophisticated ransomware detection is inconsequential if you cannot swiftly restore a clean, safe backup. Veeam SureBackup empowers you to proactively verify the integrity of your backups and adds a crucial layer of ransomware scanning, enhancing your overall data protection strategy.

Automating Backup Scans with PowerShell Scripting

For users who prefer automation and scripting over graphical interfaces, Veeam offers powerful PowerShell cmdlets to manage SureBackup jobs. You can easily integrate the following script into your backup policies using the post-script option.

First, connect to your Veeam backup server:

Add-PSSnapin VeeamPSSnapin -ErrorAction SilentlyContinue
Connect-VBRServer -Server "servername"

Next, define variables for the VMs you intend to scan. Modify the VM name and the target server details according to your environment:

# Most recent restore point for the VM to scan
$restorepoint = Get-VBRRestorePoint -Name "VMname" | Sort-Object -Property CreationTime -Descending | Select-Object -First 1
# Server the backup will be mounted on, and the stored credentials used to reach it
$targetServerName = "servername"
$targetAdminCredentials = Get-VBRCredentials -name "credentials" | where {$_.description -eq "description"}

With variables configured, mount the VM to the designated server:

$session = Publish-VBRBackupContent -RestorePoint $restorepoint -TargetServerName $targetServerName -TargetServerCredentials $targetAdminCredentials

The following PowerShell command demonstrates how to use ESET to scan the mounted disks and output the scan results to “ecls.txt.” The “&” symbol allows execution of CLI commands within PowerShell. The mount point will always be under C:\VeeamFLR:

& "C:\Program Files\ESET\ESET Security\ecls.exe" /base-dir="C:\Program Files\ESET\ESET Security\Modules" /subdir "C:\VeeamFLR" /log-file=c:\ecls.txt /aind /unsafe /unwanted /suspicious /clean-mode=standard

Finally, unmount the server and complete the script execution:

Unpublish-VBRBackupContent -Session $session

For a consolidated script execution, combine all commands:


# Connect to the Veeam backup server
Add-PSSnapin VeeamPSSnapin -ErrorAction SilentlyContinue
Connect-VBRServer -Server "servername"
# Pick the latest restore point and mount it on the target server
$restorepoint = Get-VBRRestorePoint -Name "VM-name" | Sort-Object -Property CreationTime -Descending | Select-Object -First 1
$targetServerName = "servername"
$targetAdminCredentials = Get-VBRCredentials -name "creds" | where {$_.description -eq "description"}
$session = Publish-VBRBackupContent -RestorePoint $restorepoint -TargetServerName $targetServerName -TargetServerCredentials $targetAdminCredentials
# Scan the mounted disks with ESET, then unmount
& "C:\Program Files\ESET\ESET Security\ecls.exe" /base-dir="C:\Program Files\ESET\ESET Security\Modules" /subdir "C:\VeeamFLR" /log-file=c:\ecls.txt /aind /unsafe /unwanted /suspicious /clean-mode=standard
Unpublish-VBRBackupContent -Session $session
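
The consolidated script above writes the scan result to a log file but never acts on it, and a failure between mount and unmount leaves the backup published. The variant below is an added example, not part of the original article or of Veeam's or ESET's own code: it always unmounts and turns the scanner's exit code into the script's exit code so the calling job or scheduler can react. The exit-code meanings are taken from ESET's command-line scanner documentation and should be confirmed for your ESET version; all names in quotes are the article's placeholders.

```powershell
# Added example, not the article's own script. "servername", "VM-name", "creds"
# and "description" are the article's placeholders.
$ErrorActionPreference = 'Stop'   # turn cmdlet errors into terminating errors
Add-PSSnapin VeeamPSSnapin -ErrorAction SilentlyContinue
Connect-VBRServer -Server "servername"

$session  = $null
$scanExit = 100                   # treat as "error" until ecls reports otherwise

try {
    $restorepoint = Get-VBRRestorePoint -Name "VM-name" |
        Sort-Object -Property CreationTime -Descending |
        Select-Object -First 1
    if (-not $restorepoint) { throw "No restore point found for VM-name" }

    $targetAdminCredentials = Get-VBRCredentials -Name "creds" |
        Where-Object { $_.Description -eq "description" }
    if (-not $targetAdminCredentials) { throw "Credential record not found" }

    $session = Publish-VBRBackupContent -RestorePoint $restorepoint `
        -TargetServerName "servername" `
        -TargetServerCredentials $targetAdminCredentials

    & "C:\Program Files\ESET\ESET Security\ecls.exe" /base-dir="C:\Program Files\ESET\ESET Security\Modules" /subdir "C:\VeeamFLR" /log-file=c:\ecls.txt /aind /unsafe /unwanted /suspicious /clean-mode=standard
    $scanExit = $LASTEXITCODE
}
finally {
    # Runs on success and on failure, so the backup is never left mounted.
    if ($session) { Unpublish-VBRBackupContent -Session $session }
    Disconnect-VBRServer
}

# Exit codes as listed in ESET's command-line scanner documentation
# (assumption: verify against the documentation for your ESET version).
switch ($scanExit) {
    0       { Write-Output "Scan clean: no threat found"; exit 0 }
    1       { Write-Warning "Threat found and cleaned; review c:\ecls.txt"; exit 1 }
    10      { Write-Warning "Some files could not be scanned"; exit 10 }
    50      { Write-Warning "Threat found in restore point"; exit 50 }
    default { Write-Warning "Scanner error (exit code $scanExit)"; exit 100 }
}
```

If the mount or a lookup fails, the exception propagates after the `finally` block has run, so the script still ends with a non-zero status.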
