Veeam v12.1 what's new - pt.1


Veeam announced the upcoming Veeam v12.1 version, which provides several amazing new features and enhancements, mainly focused on security.

In this new version, one of the most interesting new features is perhaps Inline Malware Detection, which allows administrators to ensure malware-free backups during the execution of a Backup Job.


Blog Series

Veeam v12.1 what's new - pt.1
Veeam v12.1 what's new - pt.2


Veeam v12.1 what's new

Veeam v12.1 provides several new features with particular attention to security concerns.


Inline Malware Detection

When an infrastructure suffers a malware intrusion, several scenarios might occur that put your data at risk:

  • Malware can enter the infrastructure and remain dormant (sleeping malware).
  • Malware can encrypt data in the network without deleting itself.
  • Malware can encrypt data and then delete itself or remain in memory.
  • Data can be encrypted remotely via SMB or NFS shares.

To protect backups from possible malware infections, Veeam Backup and Replication v11 already introduced Secure Restore in SureBackup to allow administrators to scan backups against malware before performing the recovery.

With Veeam v12.1 it is now possible to analyze block-level data during backup by leveraging the new Inline Malware Detection feature. You can enable this feature from the menu Settings > Malware Detection.


During the backup operation, Veeam collects metadata and statistics, and the data are cross-correlated. Once the backup has completed, a malware metadata file is stored in the VBRcatalog, and the current and previous malware metadata are compared to identify possible unwanted changes.

Incremental backup size, encryption (absolute size and percent), compression, removed data and newly encrypted data are the values analyzed to identify if a backup is infected.

When the cross-correlation between current and historic values produces a high score of combined values, the backup is marked as suspicious.
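The comparison of current and previous metadata can be illustrated with a small entropy-based sketch. This is an added example, not Veeam's algorithm: the block size, both thresholds and the single "share of high-entropy blocks" metric are assumptions, and the sample data is constructed.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096         # assumed block size for this sketch
ENTROPY_THRESHOLD = 7.5   # assumed: bits/byte above which a block looks encrypted
JUMP_THRESHOLD = 0.30     # assumed: rise in high-entropy share that flags a run


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    total = len(block)
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())


def run_stats(image: bytes) -> dict:
    """Per-run metadata: block count and share of high-entropy blocks."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    high = sum(1 for b in blocks if shannon_entropy(b) >= ENTROPY_THRESHOLD)
    return {"blocks": len(blocks),
            "high_entropy_pct": high / len(blocks) if blocks else 0.0}


def is_suspicious(previous: dict, current: dict) -> bool:
    """Flag a run whose high-entropy share jumped compared with the previous run.

    Legitimately compressed data also scores high, which is why the check
    looks at the change against history rather than the absolute value.
    """
    return current["high_entropy_pct"] - previous["high_entropy_pct"] >= JUMP_THRESHOLD


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(n // 32 + 1))
    return stream[:n]


# Constructed sample: 16 blocks of plain text, then the same disk with 12 blocks "encrypted".
TEXT = (b"invoice 2023-11 customer record, plain text\n" * 2000)[:16 * BLOCK_SIZE]
BASELINE = run_stats(TEXT)
AFTER = run_stats(TEXT[:4 * BLOCK_SIZE] + _pseudo_random(12 * BLOCK_SIZE))

if __name__ == "__main__":
    print(BASELINE, AFTER, is_suspicious(BASELINE, AFTER))
```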



Onion Links

The Inline Malware Detection feature is also able to analyze text documents and find onion links (generally composed of 56 symbols: [2-7] and [a-z] + .onion).

Onion links are links to websites on the dark web that use the .onion extension as top-level domain instead of the traditional .com, .net, .gov and so forth. Onion sites use The Onion Router (Tor) software to encrypt their connections and to make the communication anonymous. Identifiers such as location, ownership and so on are also hidden.
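A detector for the 56-character pattern described above, shown as an added example and not Veeam's implementation. It goes one step beyond the pattern by checking the checksum and version byte embedded in Tor v3 addresses, which filters out strings that merely have the right shape; the function names and the sample text are constructed for illustration.

```python
import base64
import hashlib
import re

# 56 base32 characters ([a-z2-7]) followed by ".onion", as described above.
ONION_RE = re.compile(r"(?<![a-z2-7])([a-z2-7]{56})\.onion\b", re.IGNORECASE)


def checksum_ok(label: str) -> bool:
    """Validate the v3 layout: 32-byte key, 2-byte checksum, version byte 0x03."""
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected


def find_onion_links(text: str) -> list:
    """Return (address, checksum_valid) for every 56-character .onion name in text."""
    return [(m.group(0).lower(), checksum_ok(m.group(1)))
            for m in ONION_RE.finditer(text)]


def make_test_address(pubkey: bytes) -> str:
    """Build a well-formed address from constructed key bytes (test data only)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


# Constructed inputs: neither address belongs to a real service.
VALID = make_test_address(bytes(range(32)))   # right shape, valid checksum
BOGUS = "a" * 56 + ".onion"                   # right shape, invalid checksum
SAMPLE_DOC = f"contact page: http://{VALID}/ (mirror: {BOGUS})"

if __name__ == "__main__":
    for address, valid in find_onion_links(SAMPLE_DOC):
        print(address, "checksum ok" if valid else "pattern match only")
```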


The Inline Malware Detection is supported for the following systems:

  • VMware vSphere and Cloud Director, Hyper-V (Windows and Linux VMs)
  • Veeam Agents for Windows managed by Veeam Server (including cloud native)
  • NTFS, ext4 file systems


File Index scan

To detect whether previously unencrypted data has become encrypted in processed disk images (a typical indicator of a ransomware attack), the In-Guest Index detection can be used to find encrypted files and malware binaries.

To activate this new feature, go to the Settings > Malware Detection section and select the Enable inline entropy analysis and Enable file system activity analysis options from the General tab.


To benefit from this feature, you must enable the Enable guest file system indexing option in the Guest Processing tab during the Backup Job configuration.


The In-Guest Index scan is supported for the following systems:

  • VMware vSphere & Cloud Director, Hyper-V (Windows and Linux VMs)
  • Managed and standalone Veeam Agent for Windows
  • All File Systems


YARA rules

For a deeper analysis to better detect possible malware infections, Veeam v12.1 leverages YARA rules, fully customizable patterns used to identify targeted attacks and security threats.


Downloaded or custom YARA rules must be saved to the C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules folder.



Automated malware and content scans

Antivirus and YARA scans can be automated via SureBackup without using Virtual Labs. This capability allows you to scan entire Backup Jobs or specific machines.


Enable the Scan backup content with the following YARA rule option and specify the YARA rule to use. To perform the backup scan operation, Veeam uses the Mount Server.


The classic SureBackup with Virtual Lab can also be configured to scan the backup content with YARA rules or antivirus.


Backups can be scanned on demand by right-clicking a specific backup and selecting the Scan backup option.


Specify the Scan mode and Scan engine to use and click OK.


The alert for malware detection is triggered by the following operations:

  • Inline scan
  • Guest-index scan
  • SureBackup (scheduled jobs, scan now)
  • Secure Restore
  • Incident API

To easily identify infected backups, suspicious backups are marked with a bug icon.


When malware is detected, the warning can be viewed in History > Malware Detection or sent via email, Syslog, SNMP and Windows Event.

In case of false events, right-click the backup and select Mark as clean to remove the alert associated with that VM in Inventory.


It is also possible to mark a backup as infected or clean by selecting the corresponding option in Backups.



KMS support

To increase the security level in the Veeam infrastructure, Veeam v12.1 provides support for Key Management Servers (KMS). To configure the KMS Server, go to Settings > Credentials & Passwords and select the Key Management Servers option.


Click Add and enter the KMS Server details then click OK.


This solution brings several advantages in terms of security:

  • Passwords can be changed automatically on a regular basis, avoiding the risk of having weak and old passwords used by Veeam.
  • To implement KMS, Veeam supports KMIP version 1.2+.

During the Backup Job configuration, administrators can now encrypt Backup Jobs with a higher level of security leveraging the KMS capability by entering the KMS FQDN instead of the password.


Currently Veeam v12.1 KMS feature is unsupported for the following workloads:

  • Managed by Agent policies
  • Standalone agents
  • Veeam Backup for AHV, RHV, AWS, Azure, Google
  • Configuration backup
  • Database plugins


Four-eyes authorization

To prevent backup deletion (accidental or unauthorized), Veeam v12.1 can now require a second authorization before the operation is executed.

From Settings > Users & Roles, select the Authorization tab, enable the Require additional approval for sensitive operations option and specify the reject period.


When the four-eyes authorization feature is enabled in Veeam v12.1, you need a second approval by a Backup Administrator to perform the following tasks:

  • Deleting backups, repositories, storage snapshots, Veeam Cloud Service Provider
  • Disable four-eyes authentication
  • User and roles modification

When you try to delete a backup, for example, you need to create a deletion request that must be approved by another Backup Administrator.


The report for operations with second approval enabled can be found in Home (Pending approvals), Veeam History, Windows event logs or sent via email.


When using four-eyes authorization, keep in mind the following:

  • No deletion via PowerShell or REST API.
  • No deletion via Enterprise Manager (including Cloud Director portal).
  • Expired license: existing events can be handled, but no new ones created.


Integration with SIEM Systems

In Veeam v12.1 it is now possible to centralize all events by sending Veeam logs to Syslog systems, specifying the standard protocol to use (UDP, TCP or TLS) and the port.

Syslog can be configured from Settings > General Options > SIEM Integration. Under Syslog servers, click Add and specify the Server to use then click OK.



Security & Compliance Analyzer

The Best Practice Analyzer introduced with version 12 has been renamed and now offers additional features.


The Security & Compliance Analyzer can be scheduled to run from the Schedule Settings window.



Warning on short encryption passwords

Veeam v12.1 checks password length (minimum 12 characters required) to avoid the use of passwords that are too short.

The system analyzes the password length only and not the complexity (in the example the password is 123456).


Part 2 will continue exploring the new available features in Veeam Backup & Replication v12.1, such as Immutability enhancements, Continuous Data Protection (CDP), SureBackup and many others.

