Skip to main content

Veeam V10 Data Re-use: Part 2 - Security Analysis

Veeam V10 Data Re-use (Security Analysis)

So, this is a Continuation of Blog post PART 1 of Data Re-use blog series, Part one   Here  addressed Data Classification with Veeam Re-Use API.

Security Analysis

I Don’t need to stress the importance of security in infrastructure and its utmost importance in securing backup data. Backup data has been a key target for hackers and ransomware syndicates in because of this we must ensure that our backups are secure and hold no vulnerabilities.
Most cases Only backup infrastructure is hardened and what is overlooked is data contained within backup aka the backup data.

Why is this important?

Antivirus in most cases is Reactive rather than proactive, Virus & malware definitions are only updated with new signatures once a new virus or malware has been discovered, in most cases this can prevent customers ho haven’t been infected yet by new strain to avoid this & customers who have been infected to identify the  strain that has been un-detected with new signature.

Why Backup?

I pose a simple Question, your AV product from 5 years ago with signatures relevant 5 years ago would be completely ineffective right now !  This is the extreme a signature from a month ago would not be able to detect latest exploits today. I hope I’ve got the point across here.

So… if I have a server running AV and we backup that server on Monday , Tuesday a patch is released to fix a bug or to update virus signatures to find new virus or malware exploits , by late Tuesday or Wednesday your server secure as it was patched or scanned with new signature..

But what about the data captured in backup?

This speaks to Day Zero exploits as depicted here below:

So, what are your options?

Veeam released a great feature called Secure restore that will mount a backup and run a AV scan with most UpToDate Signature against historical data in backup during the restore process, ensuring that data is secured before placing it back in production. 
But as you know AV scans can take time and thus impacting your restore time objectives RTOs from seconds/minutes to hours/days.
I don’t think I need to explain the business impact here...

Veeam Data Re-Use APIs

So how do we close the Gap, in V10 Veeam release , Veeam added Data Re-use API ! 
More can be read here:

By automating the mount of Historical backup data and running AV scans against what lies in backup we can ensure our backup data sets are secure so there are no vulnerabilities when restoring data back into production.

So let’s start, I won’t explain too much around the Data Re-use commands as they have been covered in the above links.   
On My backup server I ran the following in PowerShell to publish backup data so that I can then scan data within:

My Script:

#Load the Veeam PowerShell Snapin
Add-PSSnapin VeeamPSSnapin

#Connect to the Backup server

Connect-VBRServer -Server "veeam" -User "Administrator" -Password "****"

#Specify the backup Point to be used in Publish

$point = Get-VBRBackup -Name "Vm test Data" | Get-VBRRestorePoint -Name "windev2001eval" | Sort-Object $_.creationtime -Descending | Select -First 1

#Specify the Credentials for the Filesystem Os being mounted

$creds = Add-VBRCredentials -User "windev2001eval\Administrator" -Password "****"

#Publish ( Mount the Backup ) Target server is the backup server

Publish-VBRBackupContent -RestorePoint $point -TargetServerName "veeam" -TargetServerCredentials $creds

At this point I then Initiate Scan with Windows Defender (you could you CLI from any AV product I chose Ms AV in this test) 

More information on Commands with:

I used Defender Here :

Start-MpScan -ScanPath "C:\VeeamFLR" -ScanType fullscan

This will start Scan and scan for all content in FLR directory which is root of all mounts thus scanning the entire system mounted without having to specify Unique Mount folder within FLR directory

Here we can see scan has begun , this can also bee seen if you pen Defender GUI 

Once the Scan completes, we will then run the following command to find if any threat results:


Here is the output:

At this point I can Un-mount / Un-publish the backup/s 

$session = Get-VBRPublishedBackupContentSession

Unpublish-VBRBackupContent -Session $session -RunAsync

Hope this was easy enough to follow & assist with security analysis of what you currently hold within backup.

See Part 3

Please leave a comment, share or like
Thank you for reading