How YARA Scan Works
During the secure restore, YARA scan works in the following way:
- On the mount server, Veeam Backup & Replication runs the Veeam Mount Service to perform the following steps:
  - Mount machine disks from backups to the mount server under the C:\VeeamFLR\<machinename> folder.
  - Initiate a new scan session.
- If malware activity is not detected, Veeam Backup & Replication will restore the machine to the target location. The malware detection event will not be created.
- If malware activity is detected, Veeam Backup & Replication will perform the following steps:
  - Abort the restore process or restore the machine with restrictions depending on secure restore settings.
  - Create the malware detection event and mark objects as Infected.
If you do not want to create a malware detection event for a YARA rule, you can add a SuppressMalwareDetectionNotification tag to the name of the rule. For example:
rule SearchFileHash : SuppressMalwareDetectionNotification
In this case, the malware detection event will not be created but the restore session will be finished with the Warning status.
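Because a rule with this tag no longer creates a malware detection event, it helps to review which rules in a rule file carry it. The following Python sketch is an added example, not Veeam's code: it lists the rules that have the tag and those that do not. The sample rules and the function name audit_rules are constructed for illustration, and matching the tag as an exact, case-sensitive identifier is an assumption.

```python
import re

SUPPRESS_TAG = "SuppressMalwareDetectionNotification"  # tag name from the page

# Rule header: optional private/global modifiers, rule name, optional ": tags", "{".
HEADER = re.compile(
    r"^[ \t]*(?:(?:private|global)\s+)*rule\s+(\w+)\s*"
    r"(?::\s*(\w+(?:\s+\w+)*)\s*)?\{",
    re.MULTILINE,
)
# Comments are removed first so commented-out rules are not counted.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

# Constructed sample rules (not from the page or from Veeam).
SAMPLE = r"""
// rule Retired : SuppressMalwareDetectionNotification { condition: false }
rule SearchFileHash : SuppressMalwareDetectionNotification
{
    condition:
        filesize < 10MB
}

private rule HelperIsPE { condition: uint16(0) == 0x5A4D }

rule SuspiciousMacro : office triage
{
    strings:
        $a = "AutoOpen"
    condition:
        $a
}
"""


def audit_rules(yara_source):
    """Return (suppressed, others): rule names with and without the tag."""
    suppressed, others = [], []
    for name, tags in HEADER.findall(COMMENTS.sub("", yara_source)):
        # Assumption: the tag is matched as an exact, case-sensitive identifier.
        (suppressed if SUPPRESS_TAG in tags.split() else others).append(name)
    return suppressed, others


if __name__ == "__main__":
    suppressed, others = audit_rules(SAMPLE)
    print("No malware detection event (restore ends with Warning):", suppressed)
    print("Other rules:", others)
```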