Sunday, September 8, 2019

Using F-Secure Server Protection with Veeam Secure Restore

Do note, this is not a "best practice" guide, rather an example of how I did it in my homelab. It demonstrates how easy it is to integrate an AV scanner with the Secure Restore feature in Veeam Backup & Replication 9.5 Update 4.

Veeam introduced a feature called "Secure Restore" in version 9.5 Update 4 of Backup & Replication, which was released in January 2019.

It allows you to scan machine data with antivirus software before restoring it to the production environment. You can also use it when testing your backups with SureBackup.

You can integrate basically any AV software with Veeam, as long as it supports command-line scanning.

How Secure Restore works, and how to integrate AV software, is documented here: https://helpcenter.veeam.com/docs/backup/vsphere/av_scan_about.html?ver=95u4

But I wanted to test how it's actually done. So I got myself a trial version of F-Secure Server Protection. It's part of their cloud-managed "Protection Service for Business", a.k.a. PSB.

I installed that AV product on one of my backup repository servers, which also acts as a mount server.

To configure the Veeam integration, I need to modify the AntivirusInfos.xml file, which is located in the "%ProgramFiles%\Common Files\Veeam\Backup and Replication\Mount Service" folder.

After reading the documentation, I knew that I needed at least the path to the AV scanner, the required command-line parameter(s), the exit codes, and the string that is shown when an infection is found.

First, I started to figure out how command-line scanning works. I found out that there is an fsscan.exe, located in the "C:\Program Files (x86)\F-Secure\PSB\" directory. When you run it, it shows you the command-line parameters.

With this, I knew that I needed to use the --target parameter to specify what to scan.

For exit codes, I found this page: https://community.f-secure.com/t5/Business-Suite/On-demand-scanner-fsav-exit/ta-p/20254 which shows the exit codes for fsav.exe, but I did not find anything for fsscan.exe. Since fsav.exe is the old name for fsscan.exe, I decided to test whether those exit codes still work.

I then downloaded the EICAR test file to test what happens when I manually run a command-line scan. (It's a bit tricky to download these days; you have to disable all your AV protection to be able to download it.)

First I tested scanning a folder that had no infected files in it, to see what that looks like.

After that, I copied the EICAR test file to a couple of folders, along with other clean files, and ran the test again.

When comparing the clean and infected results, I searched for a unique string that I could use to detect when an infection is found. That string seems to be "Infections found.", with a dot (".").

So now I had the bare minimum information I needed to add to the configuration XML file. Since I wanted to do this with minimum effort, I decided to use the "IsPortableSoftware='true'" parameter, so I could leave the "RegPath='' ServiceName=''" parameters empty.

I used these parameters:
AntivirusInfo Name='F-Secure Server Protection'
IsPortableSoftware='true'
ExecutableFilePath='C:\Program Files (x86)\F-Secure\PSB\fsscan.exe'
CommandLineParameters='--target %Path%'
RegPath=''
ServiceName=''
ThreatExistsRegEx='Infections\s+found\.'
IsParallelScanAvailable='false'

I also added the ExitCodes, which you can see in the full snippet below.

My addition to the XML file looks like this:


<AntivirusInfo Name='F-Secure Server Protection' IsPortableSoftware='true' ExecutableFilePath='C:\Program Files (x86)\F-Secure\PSB\fsscan.exe' CommandLineParameters='--target %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='Infections\s+found\.' IsParallelScanAvailable='false'>
    <ExitCodes>
        <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
        <ExitCode Type='Error' Description='Fatal error; unrecoverable error.'>1</ExitCode>
        <ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
        <ExitCode Type='Infected' Description='Riskware (potential spyware) found'>4</ExitCode>
        <ExitCode Type='Warning' Description='Suspicious files found; these are not necessarily infected by a virus'>8</ExitCode>
        <ExitCode Type='Error' Description='Scan error, at least one file scan failed'>9</ExitCode>
    </ExitCodes>
</AntivirusInfo>
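To check that the entry above and its ThreatExistsRegEx classify scanner results the way I intended, here is an added Python example (my own, not Veeam's or F-Secure's code) that parses the entry, builds the command line Veeam would run, and maps a constructed exit code plus scanner output to a result. The decision order (exit-code table first, regex as a fallback), the sample outputs and the mount path are my assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the post's AntivirusInfos.xml entry (not Veeam's shipped
# file), wrapped in a root element so it parses on its own.
ANTIVIRUS_INFOS_XML = r"""<AntivirusInfos>
<AntivirusInfo Name='F-Secure Server Protection' IsPortableSoftware='true'
  ExecutableFilePath='C:\Program Files (x86)\F-Secure\PSB\fsscan.exe'
  CommandLineParameters='--target %Path%' RegPath='' ServiceName=''
  ThreatExistsRegEx='Infections\s+found\.' IsParallelScanAvailable='false'>
  <ExitCodes>
    <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
    <ExitCode Type='Error' Description='Fatal error; unrecoverable error.'>1</ExitCode>
    <ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
    <ExitCode Type='Infected' Description='Riskware (potential spyware) found'>4</ExitCode>
    <ExitCode Type='Warning' Description='Suspicious files found'>8</ExitCode>
    <ExitCode Type='Error' Description='Scan error, at least one file scan failed'>9</ExitCode>
  </ExitCodes>
</AntivirusInfo>
</AntivirusInfos>"""

def load_scanner(xml_text, name):
    """Return the scanner's executable, argument template, compiled
    ThreatExistsRegEx and exit-code table from an AntivirusInfos.xml document."""
    root = ET.fromstring(xml_text)
    for av in root.iter("AntivirusInfo"):
        if av.get("Name") == name:
            codes = {int(ec.text): (ec.get("Type"), ec.get("Description"))
                     for ec in av.iter("ExitCode")}
            return {"exe": av.get("ExecutableFilePath"),
                    "args": av.get("CommandLineParameters"),
                    "regex": re.compile(av.get("ThreatExistsRegEx")),
                    "exit_codes": codes}
    raise KeyError(f"no AntivirusInfo named {name!r}")

def build_command(scanner, mount_path):
    """Command line Veeam would run; %Path% is the mounted disk (assumed path)."""
    return f'"{scanner["exe"]}" ' + scanner["args"].replace("%Path%", mount_path)

def classify(scanner, exit_code, output):
    """Map one scan run to Success/Warning/Infected/Error. Decision order is my
    assumption: exit-code table first, then ThreatExistsRegEx over the output.
    The regex is case-sensitive, so a constructed 'No infections found.' line
    from a clean scan does not match it."""
    kind, desc = scanner["exit_codes"].get(
        exit_code, ("Error", f"undocumented exit code {exit_code}"))
    if kind != "Infected" and scanner["regex"].search(output):
        kind, desc = "Infected", "ThreatExistsRegEx matched scanner output"
    return kind, desc
```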


After adding those lines to my AntivirusInfos.xml, I started doing some tests.

I created some dummy virtual machines: one with the EICAR test file, one with the "Potentially Unwanted Application" test file from AMTSO, and one clean machine. All of them are dummy machines with no operating system; each has only a 4GB disk with some random files on it.

To test, I started a full VM recovery for all three test machines. The only thing I need to do while restoring is to check the Secure Restore option:

I set it to abort the restore if an infection is found. Neither F-Secure nor Microsoft Defender reports found infections during the AV scan with a string that could be parsed, so the scan always runs over the whole image, and the "Scan entire image" check box has no effect with those two AV scanners.

And what does it look like? With a clean machine, it looks like this:

Everything is nice and green, and the restore was successful.

But with the infected machines, it looks different. Both EICAR and the "Potentially Unwanted Application" are detected:

I was expecting that with the "Potentially Unwanted Application", F-Secure would have used exit code 4, but it seems to detect it as an infection instead of riskware.

I also tested those same machines with Microsoft Defender. I expected to get the same results, but I did not! With the clean machine and the machine with the EICAR test file, the results were the same, but with the "Potentially Unwanted Application", Microsoft Defender did not detect anything harmful! I'm not sure whether this is some settings error in my server's MS Defender or not, but it's quite worrying anyway. To be sure, I actually tested it on two different servers, with the same results.

As a last thing, I wanted to see whether there is any performance difference between F-Secure Server Protection and Windows Defender.

So I restored a real Windows 10 machine that has some EICAR files on it.

With F-Secure Server Protection, it took about 10 minutes:

And with Windows Defender, it took a bit over 20 minutes:

So, actually quite a big difference.

As you can see, it's really easy to integrate your AV scanner with the Secure Restore functionality in Veeam Backup & Replication!