Performing YARA Scan
To perform the YARA scan during the restore session, do the following at the Secure Restore step of the restore wizard:
- Enable the Scan the restore point with the following YARA rule option.
- Place the YARA file with the .yara or .yar extension in the /var/lib/veeam/yara_rules/ directory. You can add the file through the File view in the Veeam Backup & Replication console.
  For more information on how to create a YARA rule, see YARA documentation.
- Specify the behavior scenario if malware activity is found. For more information about available options, see the following sections:
  - VMware vSphere:
    - Secure Restore settings for Instant Recovery to VMware vSphere
    - Secure Restore settings for Instant Disk Recovery
    - Secure Restore settings for Entire VM Restore
    - Secure Restore settings for Virtual Disk Restore
  - Microsoft Hyper-V:
    - Secure Restore settings for Instant Recovery to Microsoft Hyper-V
    - Secure Restore settings for Entire VM Restore
  - Secure Restore settings for Disk Export
  - Secure Restore settings for Restore to Microsoft Azure
  - Secure Restore settings for Restore to Amazon EC2
  - Secure Restore settings for Restore to Google Compute Engine
- If you want the YARA scan to continue after the first malware occurrence is found, select the Continue scanning all remaining files after the first occurrence check box.
Note that if the YARA rule is not found, Veeam Backup & Replication will display a warning. In that case, to pass the step with secure restore settings, you can do one of the following:
- Make sure that the YARA file is located in the required directory, has the proper syntax and the .yara or .yar extension.
- Clear the Scan the restore point with the following YARA rule option.
- Use Veeam Threat Hunter or third-party antivirus software. For more information, see Veeam Threat Hunter for Secure Restore and Antivirus Scan for Secure Restore.
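
The three conditions in the first option above (location, extension, syntax) can be checked before you start the restore wizard. The following script is an added example, not part of the Veeam product or its documentation. It assumes the yara-python package is installed on the machine where it runs; the names `check_rule` and `compile_with_yara` are hypothetical.

```python
"""Pre-flight check for YARA rule files used by Secure Restore (added example)."""
import sys
from pathlib import Path

RULES_DIR = Path("/var/lib/veeam/yara_rules")  # directory named on this page
ALLOWED_EXT = {".yara", ".yar"}                # extensions named on this page


def compile_with_yara(path):
    """Return None if the rule compiles, otherwise the compiler's error text."""
    import yara  # yara-python; assumed to be installed (not stated on this page)
    try:
        yara.compile(filepath=str(path))
    except yara.Error as exc:  # base class; covers yara.SyntaxError
        return str(exc)
    return None


def check_rule(path, rules_dir=RULES_DIR, compiler=compile_with_yara):
    """Return a list of problems that would keep the rule from being used."""
    path, problems = Path(path), []
    # Assumption: the extension is matched exactly as written on this page.
    if path.suffix not in ALLOWED_EXT:
        problems.append(f"extension {path.suffix!r} is not .yara or .yar")
    # Assumption: the file must sit in the directory itself, not a subfolder.
    if path.resolve().parent != Path(rules_dir).resolve():
        problems.append(f"file is not in {rules_dir}")
    if not path.is_file():
        problems.append("file does not exist")
        return problems  # nothing to compile
    error = compiler(path)
    if error:
        problems.append(f"syntax: {error}")
    return problems


if __name__ == "__main__":
    # Check the files given as arguments, or every file in the rules directory.
    rules = sys.argv[1:] or sorted(p for p in RULES_DIR.glob("*") if p.is_file())
    failed = False
    for rule in rules:
        issues = check_rule(rule)
        failed |= bool(issues)
        print(f"{rule}: {'OK' if not issues else '; '.join(issues)}")
    sys.exit(1 if failed else 0)
```

The script exits with a non-zero status if any file fails a check, so it can gate a change process that deploys rule files to the backup server.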