Performing YARA Scan

To perform the YARA scan during the restore session, do the following at the Secure Restore step of the restore wizard:

1. Enable the Scan the restore point with the following YARA rule option.
2. Specify the YARA file located in the Veeam Backup & Replication product folder. The path by default: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules. The YARA file must have the .yara or .yar extension. For more information on how to create a YARA rule, see YARA documentation.
3. Specify the behavior scenario if malware activity is found. For more information about available options, see the following sections:

• Secure Restore settings for Instant Recovery
• Secure Restore settings for Entire VM Restore
• Secure Restore settings for Disk Export
• Secure Restore settings for Restore to Microsoft Azure
• Secure Restore settings for Restore to Amazon EC2
• Secure Restore settings for Restore to Google Compute Engine

4. If you want to continue the YARA scan after the first malware is found, select the Continue scanning all remaining files after the first occurrence (Scan the entire image – before Veeam Backup & Replication 12.1 (build 12.1.0.2131)) check box.

Note that if the YARA rule is not found, Veeam Backup & Replication will display a warning. In that case, to pass the step with secure restore settings, you can do one of the following:

• Check if the YARA file is located in the Veeam Backup & Replication product folder, has the proper syntax and the .yara or .yar extension.
• Clear the Scan the restore point with the following YARA rule option.
• Use the antivirus scan. For more information, see Antivirus Scan for Secure Restore.