Performing YARA Scan
To perform the YARA scan during the restore session, do the following at the Secure Restore step of the restore wizard:
- Enable the Scan the restore point with the following YARA rule option.
- Specify the YARA file located in the Veeam Backup & Replication product folder. The path by default: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules. The YARA file must have the .yara or .yar extension. For more information on how to create a YARA rule, see YARA documentation.
- Specify the behavior scenario if malware activity is found. For more information about available options, see the following sections:
- Secure Restore settings for Instant Recovery
- Secure Restore settings for Instant Disk Recovery
- Secure Restore settings for Entire VM Restore
- Secure Restore settings for Virtual Disk Restore
- Secure Restore settings for Disk Export
- Secure Restore settings for Restore to Microsoft Azure
- Secure Restore settings for Restore to Amazon EC2
- Secure Restore settings for Restore to Google Compute Engine
- If you want to continue the YARA scan after the first malware is found, select the Continue scanning all remaining files after the first occurrence (Scan the entire image – before Veeam Backup & Replication 12.1 (build 12.1.0.2131)) check box.
Note that if the YARA rule is not found, Veeam Backup & Replication will display a warning. In that case, to pass the step with secure restore settings, you can do one of the following:
- Check if the YARA file is located in the Veeam Backup & Replication product folder, has the proper syntax and the .yara or .yar extension.
- Clear the Scan the restore point with the following YARA rule option.
- Use the antivirus scan. For more information, see Antivirus Scan for Secure Restore.