Recon 2.1 Scanner - User Guide

Background

Recon 2.1 is Coveware by Veeam’s forensic triage utility. It comes equipped with a proactive function, Scanner, which gathers the data required for an efficient and thorough review of the security configuration of Windows and Linux hosts, including hosts running Veeam Backup & Replication. Scanner gathers and reports on both related MITRE ATT&CK events and Coveware Ransomware Risk Index (RRI) events.

Scanner is a proactive and persistent tool. It is configured to run as a daily scheduled task on Windows and Linux hosts. The output of each scan is uploaded to Coveware’s portal, where high-risk activity can be quickly reviewed alongside expected behavioral trends.

Scanner is available for VDP-P customers in the Products section of the My Account page. Scanner can be installed on up to 5 different servers, including backup servers, proxy servers, domain controllers, or gateway servers.

After activating Scanner from My Account, an email will be sent to the user to set up an account on Coveware’s portal. Once logged into Coveware’s portal, the user can download Recon or add/manage additional users.

Users will receive email notifications with a summary of their Scanner events. Notification settings can be changed in the portal under the user’s account name.

When a host is scanned and its results are uploaded, it will appear in the Overview. If a host has not uploaded results in 7 days, an alert on that endpoint will appear so the user can investigate.

What’s Included

Coveware Recon 2.1 is packaged with the following files:

  • recon.exe – a 64-bit executable for Windows hosts
  • recon – a binary for Linux hosts
  • config.dat – a client-specific configuration file that includes result upload credentials and a hardcoded run schedule. The same config.dat is used for both the Windows and Linux builds. Because it carries upload credentials, treat it as a secret: keep it in the ReconScanner directory with the binary and do not share it outside the environment it was issued for.

Technical Specs and Queried Artifacts

Overview

Recon 2.1 Scanner supports 64-bit versions of Windows Server 2008 R2 and newer (Windows Server 2008 is not supported). Linux builds require at least Linux kernel 2.6.32 and glibc 2.12.0. Supported distributions include, but are not limited to, Ubuntu, Debian, RedHat, AlmaLinux, RockyLinux, Arch, CentOS and Fedora.

Scanner will update itself daily before kicking off a scan. To ensure Scanner has access to auto-update, you may need to allowlist certain domains. Please refer to the Troubleshooting section Firewall Allowlisting for more information.

Queried Artifacts

Scanner will query various parts of an operating system to gather information. Below is a list of artifacts Scanner will analyze:

  • Windows Registry
  • Windows and Veeam event logs
  • File system
  • Networking/processes
  • System information
  • Services
  • Software
  • Browser history

Although Scanner does not read user file content, some PII or other sensitive information may still be collected during a scan. The cases in which this can happen are:

  • Filenames or folder names that contain PII in the name will potentially be collected if they are within the scope of queried artifacts.
  • File contents will not be collected, except for specific event log details.
  • Shell history and command line arguments may be collected.
  • IP addresses, hostnames, and usernames will be collected.
  • Browser history (domain only) will be collected.

Resource Usage

  • Scanner’s resource usage is normally under 5% of CPU but may spike to 10% depending on the amount of event logs on the system.
  • Execution normally completes in under one minute.
  • Once the scan is complete, logs are encrypted and will automatically be uploaded to Coveware. The data is encrypted at rest and in transit. Any local data on the host that was scanned will automatically be deleted once upload is complete.

Windows Execution Instructions

Some antivirus/EDR solutions may attempt to quarantine Scanner. It is recommended the following dependencies are allowlisted prior to deployment:

  1. The working directory where you placed recon.exe
  2. recon.exe
  3. config.dat

To run on a Windows host, follow these steps:

  1. Download or copy the recon.exe binary and config.dat files onto a host you’d like to scan. It is important that these two files remain in the same directory.

    Coveware recommends creating a folder called ReconScanner and keeping the binary and config file in this directory going forward.

  2. Right-click recon.exe and select Run As Administrator. This will open the console. Ensure Setup Recon is selected and hit [Enter] to execute.

  3. If at any point Scanner needs to be removed, open recon.exe again and select Remove scheduled task.

If the Recon Scanner is not run as Administrator, no scheduled task will be created. Scanner will still function and upload results to Coveware, but it will not be a persistent daily scan.

If you delete or move the recon.exe or config.dat files, the scheduled task will no longer work. You will then need to rerun the Setup Recon process in step 2.

Linux Execution Instructions

Some antivirus/EDR solutions may attempt to quarantine Scanner. It is recommended the following dependencies are allowlisted prior to deployment:

  1. The working directory where you placed recon
  2. recon
  3. config.dat

To run on a Linux host, follow these steps:

  1. Download or copy the recon binary and config.dat files onto a host you’d like to scan. It is important that these two files remain in the same directory.

    Coveware recommends creating a folder called ReconScanner and keeping the binary and config file in this directory going forward.

  2. Open a terminal, change to the directory containing the Scanner binary and give it execute permissions: chmod +x recon
  3. Run Scanner with elevated privileges: sudo ./recon
  4. Ensure Setup Recon is selected and press [Enter] to execute.
  5. If at any point Scanner needs to be removed, run sudo ./recon again and select Remove scheduled task.

If the Recon Scanner is not run with elevated privileges, no scheduled task will be created. Scanner will still function and upload results to Coveware, but it will not be a persistent daily scan.

If you delete or move the recon or config.dat files, the scheduled task will no longer work. You will then need to rerun the Setup Recon process in step 4.

Troubleshooting

SignatureDoesNotMatch

If you get the error below when the Scanner upload occurs, the host’s system clock is out of sync. The upload is signed with the host’s current time, and AWS rejects any request whose signed timestamp differs from the server’s clock by more than 15 minutes; in the example below the host is roughly three hours ahead. Ensure that the system clock of the host that made the upload request is synchronized with an NTP server, or that the time and time zone are set accurately.

[ERROR] make AWS session: authentication failed: SignatureDoesNotMatch: Signature not yet current: 20230218T050929Z is still later than 20230218T022448Z (20230218T020948Z + 15 min.) status code: 403
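The error message itself tells you how far off the clock is. The following is an added example, not code from Coveware’s Recon Scanner: it pulls the three timestamps out of a SignatureDoesNotMatch line, computes the client-versus-server skew, and checks it against the 15-minute window that AWS Signature Version 4 allows. It assumes the message layout shown above (client time first, server time inside the parentheses), which is also the layout of the mirror-image “Signature expired … is now earlier than … (… - 15 min.)” message produced when the clock is behind rather than ahead.

```python
import re

# AWS Signature Version 4 rejects a request whose signed timestamp differs from
# the service's clock by more than 15 minutes in either direction.
MAX_SKEW_SECONDS = 15 * 60

# Timestamps appear in x-amz-date form, e.g. 20230218T050929Z.
_AMZ_DATE = re.compile(r"(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z")


def amz_date_to_seconds(value: str) -> int:
    """Convert an x-amz-date string to seconds since 1970-01-01T00:00:00Z."""
    m = _AMZ_DATE.fullmatch(value)
    if not m:
        raise ValueError(f"not an x-amz-date value: {value!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    # Days from the civil date (proleptic Gregorian), avoiding local-time zones.
    a = (14 - mo) // 12
    yy = y + 4800 - a
    mm = mo + 12 * a - 3
    jdn = d + (153 * mm + 2) // 5 + 365 * yy + yy // 4 - yy // 100 + yy // 400 - 32045
    days = jdn - 2440588  # Julian day number of the Unix epoch
    return days * 86400 + h * 3600 + mi * 60 + s


def clock_skew_seconds(message: str) -> int:
    """Return (client time - server time) in seconds from a SigV4 time error.

    The first timestamp is the client's signed request time; the third is the
    server's clock (the parenthesised value the 15 min. window is applied to).
    A positive result means the host clock is ahead of AWS; negative, behind.
    """
    stamps = [m.group(0) for m in _AMZ_DATE.finditer(message)]
    if len(stamps) < 3:
        raise ValueError("message does not contain the expected three timestamps")
    return amz_date_to_seconds(stamps[0]) - amz_date_to_seconds(stamps[2])


def is_within_sigv4_window(skew_seconds: int) -> bool:
    return abs(skew_seconds) <= MAX_SKEW_SECONDS


# Constructed sample: the error line quoted in this guide.
SAMPLE_AHEAD = (
    "[ERROR] make AWS session: authentication failed: SignatureDoesNotMatch: "
    "Signature not yet current: 20230218T050929Z is still later than "
    "20230218T022448Z (20230218T020948Z + 15 min.) status code: 403"
)

# Constructed sample of the opposite case (host clock behind the server).
SAMPLE_BEHIND = (
    "[ERROR] make AWS session: authentication failed: SignatureDoesNotMatch: "
    "Signature expired: 20230218T010000Z is now earlier than "
    "20230218T021448Z (20230218T022948Z - 15 min.) status code: 403"
)

if __name__ == "__main__":
    for sample in (SAMPLE_AHEAD, SAMPLE_BEHIND):
        skew = clock_skew_seconds(sample)
        direction = "ahead of" if skew > 0 else "behind"
        print(f"host clock is {abs(skew)} s {direction} AWS; "
              f"within 15 min window: {is_within_sigv4_window(skew)}")
```

A skew of a few seconds is normal; anything approaching 900 seconds will start failing intermittently, and the numbers above (10781 s ahead) point at an unsynchronized clock or a wrong time zone rather than NTP drift.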

EDR/Antivirus Allowlisting

Some antivirus software will quarantine the dependencies of Scanner. If this occurs, we recommend that, prior to deployment, you allowlist the following:

  1. The directory where you placed recon.exe for Windows or recon, for Linux hosts.
  2. recon.exe
  3. recon
  4. config.dat

Firewall Allowlisting

Recon Scanner will auto-update itself and auto-upload results to Coveware by Veeam. If you have strict outbound firewall rules, you may need to allowlist certain outbound connections. Please refer to the FAQ section of the Coveware Portal (found under Download Recon) for more details.

Update Status Errors

When running Recon Scanner, the following error statuses may appear during the update check:

  1. Updates could not be checked due to a connection error. Check the internet connection and make sure that the required firewall rules have been added.
  2. Updates could not be checked due to a server refusing authorization. Aborting. The configuration’s token may have been revoked. Please contact Coveware’s Scanner Support if seeing this error.
  3. Updates could not be checked due to a server error. Please contact Coveware’s Scanner Support if seeing this error.
  4. Updates could not be checked due to an unknown error. Please contact Coveware’s Scanner Support if seeing this error.

Proxy Settings

Recon Scanner uses a standard system environment variable for proxy settings for HTTPS connections (HTTPS_PROXY). If this variable is set, Recon will use specified proxy settings for web requests. Setting an environment variable is optional. If one is not set, Recon will make direct web requests without a proxy. If the variable or proxy is misconfigured, then there may be issues uploading Recon results.

To define a HTTPS_PROXY environment variable in Windows, follow the steps below:

  1. Open the Start Menu and search for environment variable. Click on the option for Edit the system environment variables, which will open up System Properties.
  2. Select Environment Variables on the bottom right.
  3. The next section will allow you to add either a User variable or a System variable. A User variable is only visible to processes running as that user, whereas a System variable applies to every account on the host, including the account the daily scheduled task runs under, so a System variable is the safer choice.
  4. Click New under the System Variables section.
  5. Set the Variable name to HTTPS_PROXY
  6. Set the Variable value as https://username:password@proxy.example.com:port or, if authentication is not required, https://proxy.example.com:port. Note that a password embedded in a System variable is readable by every process and local account on the host, so prefer an unauthenticated proxy rule for this host where your proxy allows it.
  7. Click OK and then OK again to apply the changes
  8. You may need to log off and back in for the changes to apply.
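Because a misconfigured value fails silently until the upload does, it is worth validating the variable before relying on it. The block below is an added example, not part of Recon Scanner: it reads HTTPS_PROXY the way standard proxy-aware tooling does (upper- or lowercase name), checks the value for the common mistakes (missing scheme, the literal placeholder “port” left in, a path tacked on, credentials embedded in a system-wide variable) and produces a redacted form that is safe to paste into a ticket. The finding texts are this example’s own wording.

```python
import os
from urllib.parse import urlsplit


def effective_https_proxy(environ=None):
    """Return the proxy URL Recon would see, or None if no proxy is configured.

    Mirrors the usual convention of honouring either HTTPS_PROXY or https_proxy.
    """
    env = os.environ if environ is None else environ
    value = env.get("HTTPS_PROXY") or env.get("https_proxy")
    return value.strip() if value and value.strip() else None


def check_https_proxy(value):
    """Return a list of findings for an HTTPS_PROXY value; empty means it looks usable."""
    if value is None:
        return ["HTTPS_PROXY is unset: web requests will be made directly, without a proxy"]
    findings = []
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected or missing scheme {parts.scheme!r}; value must start with http:// or https://")
    if not parts.hostname:
        findings.append("no proxy host found; expected scheme://host:port")
    try:
        port = parts.port
    except ValueError:
        # e.g. the placeholder 'port' from the instructions left in literally
        findings.append("port is not a number; replace the port placeholder with the real port")
        port = None
    if port is None and parts.hostname:
        findings.append("no port given; expected scheme://host:port")
    if parts.username is not None:
        findings.append("credentials are embedded in the value; as a System variable they are readable "
                        "by every process and local account on this host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        findings.append("value carries a path, query or fragment; use scheme://host:port only")
    return findings


def redact_proxy(value):
    """Replace an embedded password with *** so the setting can be logged or shared."""
    parts = urlsplit(value)
    if parts.password is None:
        return value
    host = parts.hostname or ""
    try:
        host_port = f"{host}:{parts.port}" if parts.port else host
    except ValueError:
        host_port = host
    return f"{parts.scheme}://{parts.username}:***@{host_port}"


# Constructed environment samples: one correct value, one with the placeholder
# left in, one with no scheme, and one with credentials embedded.
SAMPLES = {
    "good":        {"HTTPS_PROXY": "https://proxy.example.com:3128"},
    "placeholder": {"HTTPS_PROXY": "https://proxy.example.com:port"},
    "no_scheme":   {"https_proxy": "proxy.example.com:3128"},
    "creds":       {"HTTPS_PROXY": "https://svc:Secr3t@proxy.example.com:3128"},
    "unset":       {},
}

if __name__ == "__main__":
    for label, env in SAMPLES.items():
        value = effective_https_proxy(env)
        shown = redact_proxy(value) if value else "(unset)"
        print(f"{label:12} {shown}")
        for f in check_https_proxy(value):
            print(f"{'':12}   - {f}")
```

Run it on the host in question with no arguments and it reports on the live environment; the sample dictionary only exists so the checks can be exercised offline.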

Log Files

Each run of Recon Scanner produces triage output files in the working directory from which the tool was run. The output directory name has the format %HOSTNAME%-%TIMESTAMP%, e.g. VBRSRV-123abc-1710444882. These files contain the forensic artifacts collected from the scanned host. They are encrypted for confidentiality and integrity and are automatically uploaded to Coveware for processing. Once the upload completes, the output files are automatically deleted, so an output directory that persists in the working directory indicates an upload that did not complete.
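Since output is deleted on successful upload, leftover output directories are the simplest local indicator that uploads are failing (blocked egress, a revoked token, clock skew). The following is an added example, not part of Recon Scanner: it parses directory names of the %HOSTNAME%-%TIMESTAMP% form and lists the ones older than a chosen age. It assumes the timestamp is Unix epoch seconds (the sample value 1710444882 is consistent with that) and that hostnames may themselves contain hyphens, so the timestamp is taken from the last hyphen-separated field; the directory names below are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# <hostname>-<epoch seconds>; the hostname part may contain hyphens, so the
# timestamp is anchored to the final field only.
_OUTPUT_DIR = re.compile(r"^(?P<host>.+)-(?P<ts>\d{9,10})$")


def parse_output_dir(name):
    """Return (hostname, epoch_seconds) for a Recon output directory name, else None."""
    m = _OUTPUT_DIR.match(name)
    if not m:
        return None
    return m.group("host"), int(m.group("ts"))


def scan_time_iso(epoch_seconds):
    """Render the scan time in UTC so it can be matched against portal upload times."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def stale_output_dirs(names, now_epoch, max_age_seconds=24 * 3600):
    """Return output directories whose scan is older than max_age_seconds.

    Scanner runs daily and deletes its output once uploaded, so anything older
    than one scan interval should not be on disk; each hit is a scan whose
    upload did not complete and whose encrypted artifacts are still at rest.
    """
    stale = []
    for name in names:
        parsed = parse_output_dir(name)
        if parsed is None:
            continue
        _, scanned_at = parsed
        if now_epoch - scanned_at > max_age_seconds:
            stale.append(name)
    return stale


# Constructed listing of a ReconScanner working directory: the binary and
# config, one old output directory (the guide's example) and one recent one.
SAMPLE_LISTING = [
    "recon.exe",
    "config.dat",
    "VBRSRV-123abc-1710444882",   # 2024-03-14T19:34:42Z
    "VBRSRV-123abc-1710600000",   # 2024-03-16T14:40:00Z
]
SAMPLE_NOW = 1710633600           # 2024-03-17T00:00:00Z, constructed "current" time

if __name__ == "__main__":
    import os, time
    listing = os.listdir(".") if os.path.isdir(".") else SAMPLE_LISTING
    for name in stale_output_dirs(SAMPLE_LISTING, SAMPLE_NOW):
        host, ts = parse_output_dir(name)
        print(f"stale output for {host}: scanned {scan_time_iso(ts)} ({name})")
    # Against the real working directory, use the live clock instead:
    for name in stale_output_dirs(listing, int(time.time())):
        print(f"live check: {name} has not been uploaded")
```

Combined with the proxy and clock checks above, the age of the oldest leftover directory tells you roughly when uploads stopped working, which narrows the search to firewall or proxy changes made around that time.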

Frequently Asked Questions

Who is Coveware?

Coveware is a leading incident response firm specializing in cyber extortion cases. Coveware helps victims recover their data with a focus on transparency, efficiency, and integrity. Leveraging world-class experts, patent-pending technology, and extensive experience from handling thousands of cases, Coveware provides clients with accurate forecasting, negotiation and settlement services, optimizing outcomes and accelerating the recovery process. Coveware was acquired by Veeam in April 2024.

How does Recon Scanner work?

Recon Scanner collects various forensic artifacts on the hosts it’s run on. The data is then encrypted and transmitted to Coveware for analysis. The scanned data will automatically be processed to identify suspicious activity based on thousands of ransomware incidents and categorizes findings on a scale from Low to Critical. A summary of findings is emailed out, and you can log into the Coveware portal to see more details, along with a timeline of the events.

What can Recon Scanner find?

Recon Scanner can identify unexpected network connections, unusual user behavior, suspicious file activity, data exfiltration attempts, and potential brute force attacks.

How long does Recon Scanner take to set up?

Setup can be completed within 5 minutes. When complete, Scanner will perform its first scan and will automatically run daily.

Do I have to adjust any firewall rules?

Recon Scanner will auto-update and auto-upload results to Coveware daily. If you have strict outbound firewall rules, you may need to allowlist specific ports or URLs/IP addresses. Please refer to the FAQ section on Coveware’s portal to access the specific details for allowlisting.

How is Recon different from my AV/EDR solution?

Recon Scanner is designed to complement your currently existing security solutions, not replace them. Scanner enhances your team’s ability to surface potential threats and perform analysis in-house, providing actionable insights alongside any EDR or external security resources. Here’s what sets Recon Scanner apart from an EDR solution:

  • Lightweight footprint: Recon Scanner uses fewer resources than an EDR agent and requires less setup and configuration, making it easier to run in production environments with minimal system impact.
  • Historical visibility: Unlike EDR tools that focus on real-time monitoring, Scanner provides a retrospective view of host activity. This helps uncover signs of an intrusion that preceded active monitoring or fell outside default data retention periods.
  • Purpose-built for VBR: Scanner is pre-configured to detect behavior specific to Veeam Backup & Replication (VBR) environments. Traditional EDR solutions may require manual setup or additional integrations to parse Veeam logs effectively.
  • Automatic IOC updates: Coveware’s threat intelligence is updated continuously. When new indicators of compromise (IOCs) are identified in real-world incidents, the detection library is updated and applied to all future scans without manual intervention.
  • No interference with backup systems: EDR tools can sometimes conflict with VBR, causing system disruptions. Scanner is designed to avoid these conflicts and requires minimal setup, with fewer exclusions needed to run in a backup environment.
  • Detection beyond malware: Some threat actors use legitimate tools already present in an environment to avoid detection. EDR tools may overlook these actions if they are configured to ignore “expected” behavior. Scanner helps close that gap by analyzing activity in context, not just against known malware signatures.

Where is my data uploaded? Is it secure?

All data is stored and transmitted in an encrypted format to a secure location in AWS S3 - US East Region. Coveware has a SOC2 Type 1 certification which highlights our commitment to security.

Does Recon Scanner look across the network or my backup data?

No. Recon Scanner does not scan backup data and only collects activity from the servers that it runs on.

How do I keep up with versions of Recon Scanner?

Recon Scanner includes auto-update functionality. Before each scan, Scanner will check for a new version and download it if there is one. If you use strict outbound rules, please refer to the FAQ section on Coveware’s portal to access the specific details for allowlisting.

What happens if Recon Scanner finds suspicious activity?

If you’re alerted to or observe events that you cannot rule out as legitimate activity and believe them to be malicious, please contact your security teams to help determine next steps. Veeam tech support will be available for issues related to the download and execution of Recon, but cannot provide security guidance around forensic results.

Can I see a demo?

A demo can be found here.

What’s New

v2.1 Release (March 2025)

  • Expanded Coverage: Scanner can be installed on up to 5 servers within VDP, including backup repositories, proxies, gateways, and Active Directory servers.
  • Linux Support: It’s now compatible with all modern Linux distributions, making for easier installation and support.
  • Enhanced Features: User access management, email notification settings, a new endpoint overview page, direct proxy access, and more.

Disclaimer:
Coveware Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of this content, or for the performance of any computer, hardware or software used or modified in conjunction with this content. The content is provided on an “as is” basis. Coveware PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall Coveware Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the content even if advised of the possibility of such damages.