How YARA Scan Works

During the secure restore, YARA scan works in the following way:

  1. On the mount server, Veeam Backup & Replication runs the Veeam Mount Service to perform the following steps:
    1. Mount machine disks from backups to the mount server under the C:\VeeamFLR\<machinename> folder.
    2. Initiate a new scan session.
  1. If malware activity is not detected, Veeam Backup & Replication will restore the machine or its disks to the target location. The malware detection event will not be created.
  2. If malware activity is detected, Veeam Backup & Replication will perform the following steps:
    1. Abort the restore process or restore the machine or its disks with restrictions depending on secure restore settings.
    1. Create the malware detection event and mark objects as Infected.

If you do not want to create a malware detection event for a YARA rule, you can add a SuppressMalwareDetectionNotification tag to the name of the rule. For example:

rule SearchFileHash : SuppressMalwareDetectionNotification

In this case, the malware detection event will not be created but the restore session will be finished with the Warning status.

You can further access the restored machine or its disks in the isolated environment and clean the infection.

Page updated 3/7/2024

Page content applies to build 12.3.0.310