Performing YARA Scan
To perform the YARA scan during the restore session, do the following at the Secure Restore step of the restore wizard:
- Enable the Scan the restore point with the following YARA rule option.
- Specify the YARA file located in the Veeam Backup & Replication product folder. The path by default: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules. The YARA file must have the .yara or .yar extension. For more information on how to create a YARA rule, see YARA documentation.
- Specify the behavior scenario if malware activity is found. For more information about available options, see the following sections:
- Secure Restore settings for Instant Recovery
- Secure Restore settings for Instant Disk Recovery
- Secure Restore settings for Entire VM Restore
- Secure Restore settings for Virtual Disk Restore
- Secure Restore settings for Disk Export
- Secure Restore settings for Restore to Microsoft Azure
- Secure Restore settings for Restore to Amazon EC2
- Secure Restore settings for Restore to Google Compute Engine
- If you want to continue the YARA scan after the first malware is found, select the Continue scanning all remaining files after the first occurrence check box.
Note that if the YARA rule is not found, Veeam Backup & Replication will display a warning. In that case, to pass the step with secure restore settings, you can do one of the following:
- Check if the YARA file is located in the Veeam Backup & Replication product folder, has the proper syntax and the .yara or .yar extension.
- Clear the Scan the restore point with the following YARA rule option.
- Use Veeam Threat Hunter or third-party antivirus sofware. For more information, see Veeam Threat Hunter for Secure Restore and Antivirus Scan for Secure Restore.