Forum Discussion

John_Grovender
2 months ago

NetBackup 10.5 Automatic Malware Scanning of Malware-Tagged Imported Images

One of the biggest challenges for malware scanning of backup images is deciding if and when to commit the resources to do it. Many data protection domains simply don’t have enough resources to scan every image. Plus, only images to be restored really need to be scanned. I wrote a paper on these issues here:

The Smart Use of Malware Scanning in NetBackup

In enterprise data protection there’s another situation that complicates things even further - malware hopping domains through backup images: the danger that image replications or duplications could spread malware during restores. That’s a potential disaster for DR and Independent Recovery Environments (IREs). Release 10.5 solves this with a new feature that provides automated malware scans based on backup-time anomaly detection. If an image gets tagged as probably infected in a production domain, it can be automatically scanned after importation into a secondary, DR, or IRE domain. This feature works as follows:

  • Activate automated scanning on a second domain using current local automated malware settings
  • Scan imported images on the secondary domain based on user-defined configuration parameters. These parameters are the ones already available for automatic scanning on a primary server before the 10.5 release.

Once an image gets replicated to a secondary domain, the secondary domain’s current automated scan schedule is modified to find imported images matching user-defined criteria. By default these criteria include images with a probable infection score of 10 or higher. Once such images are identified, the rest of the configured automated malware scanning workflow is triggered.

NOTE: Source domain anomaly detection takes up to fifteen minutes after the original backup completes. If an image is replicated to a secondary target domain during that window, it carries no anomaly tags for criteria matching. Images without malware tagging do not activate this feature on the secondary domain. Plan the use of this feature accordingly.

Anomaly_config.conf Configuration

Activating this new feature has two halves. The first is performing these general steps on the secondary domain’s primary server; the second is configuring malware scanning in the WebUI:

1. Copy the anomaly_config.conf.template file on the secondary primary server to anomaly_config.conf if this has not already been done.

2. Review the configuration file’s contents. Explanations for all setting options are stored as comments in this file.

3. Activate the configuration option ENABLE_SCAN_FOR_IMPORTED_COPY as per the comment instructions in that file.

4. If desired, configure any other scanning settings related to client, scan host pool, severity, and detection scores common to the ENABLE_SCAN_FOR_IMPORTED_COPY and ENABLE_AUTOMATED_SCAN options.

5. Add the new configuration setting lines to the end of the file after the commented lines.

6. Update your server config documentation to include the above steps.

Here’s an example of what the last lines of a modified anomaly_config.conf file might look like after activating the malware import scanning feature:

[AUTOMATED_MALWARE_SCAN_SETTINGS]
ENABLE_SCAN_FOR_IMPORTED_COPY=1
TRIGGER_SCAN_FOR_MEDIUM_SEVERITY=0
TRIGGER_SCAN_FOR_SCORE_GREATER_THAN=2.5
SCAN_HOST_POOL_NAME=main-scanhost-pool
ENABLE_ALL_CLIENTS=0
NUM_CLIENTS_BATCH_SPECIFIED=1
ENABLE_SCAN_ON_SPECIFIC_CLIENT_1=someclient.someplace.somewhere.com

NOTE: The TRIGGER_SCAN_FOR_RANSOMWARE_EXT_IMAGES setting is not supported for imported images; it applies only to locally created images.
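To sanity-check a modified anomaly_config.conf before relying on it, the following added example (not NetBackup code, and not from the original post) parses the [AUTOMATED_MALWARE_SCAN_SETTINGS] tail shown above and models the imported-copy trigger decision the post describes: the feature flag, the client list, the score threshold, and the untagged-image case from the fifteen-minute note. The decision rules are an illustrative reading of the post, not the product's actual matching logic.

```python
"""Model of the imported-copy scan decision (illustrative, not NetBackup's code)."""
import configparser

# Constructed sample: the tail of anomaly_config.conf as shown in the post.
SAMPLE_CONF = """\
[AUTOMATED_MALWARE_SCAN_SETTINGS]
ENABLE_SCAN_FOR_IMPORTED_COPY=1
TRIGGER_SCAN_FOR_MEDIUM_SEVERITY=0
TRIGGER_SCAN_FOR_SCORE_GREATER_THAN=2.5
SCAN_HOST_POOL_NAME=main-scanhost-pool
ENABLE_ALL_CLIENTS=0
NUM_CLIENTS_BATCH_SPECIFIED=1
ENABLE_SCAN_ON_SPECIFIC_CLIENT_1=someclient.someplace.somewhere.com
"""

def load_scan_settings(text):
    """Return the AUTOMATED_MALWARE_SCAN_SETTINGS section as a dict, keys as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lower-case the upper-case keys
    cp.read_string(text)
    return dict(cp["AUTOMATED_MALWARE_SCAN_SETTINGS"])

def allowed_clients(cfg):
    """None means every client; otherwise the set of ENABLE_SCAN_ON_SPECIFIC_CLIENT_n values."""
    if cfg.get("ENABLE_ALL_CLIENTS") == "1":
        return None
    n = int(cfg.get("NUM_CLIENTS_BATCH_SPECIFIED", "0"))
    return {cfg[f"ENABLE_SCAN_ON_SPECIFIC_CLIENT_{i}"] for i in range(1, n + 1)}

def should_scan_imported_image(cfg, image):
    """image: dict with 'client', 'anomaly_score' (None if replicated before
    source-domain tagging finished) and 'severity'. Returns (decision, reason).
    Assumed rule order: feature flag, tag present, client match, score, severity."""
    if cfg.get("ENABLE_SCAN_FOR_IMPORTED_COPY") != "1":
        return False, "imported-copy scanning disabled"
    if image["anomaly_score"] is None:
        return False, "no anomaly tag: replicated before detection completed"
    clients = allowed_clients(cfg)
    if clients is not None and image["client"] not in clients:
        return False, "client not in configured client list"
    threshold = float(cfg["TRIGGER_SCAN_FOR_SCORE_GREATER_THAN"])
    if image["anomaly_score"] > threshold:
        return True, f"score {image['anomaly_score']} exceeds {threshold}"
    if cfg.get("TRIGGER_SCAN_FOR_MEDIUM_SEVERITY") == "1" and image["severity"] == "medium":
        return True, "medium-severity trigger enabled"
    return False, "score at or below threshold and no severity trigger"
```

Run it against your own file by reading it into load_scan_settings and feeding a few representative image records; an unexpected False with the reason "no anomaly tag" is the replication-timing case the post warns about.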

WebUI Configuration

Once the above is completed, the rest of the automatic import scanning is configured through the WebUI as shown below.

1. If it’s not already done, install, configure, and test the source NetBackup primary server that will be replicating images to the target (DR, IRE, etc.) primary server.

2. Perform the following on the target secondary domain. Go to Detection and Reporting -> Anomaly detection -> Anomaly detection settings -> Backup anomaly detection settings. Edit the Backup anomaly detection settings to turn on Enable automatic scan for imported copy. Note the informational callout (highlighted in blue) about the anomaly_config.conf file: if that file has not been modified as discussed earlier, editing the imported copy settings has no effect.

3. Make all other needed scanning configuration settings. The most commonly modified ones are used by both imported and locally made backup images of a domain (severity, pool score, ransomware extension, etc.). Notify your Security Team of the choices you select so they know what protections you put in place.

4. When anomalies are detected in imported backups, use the logs below on the secondary primary server to verify that malware scanning is triggered for these imported anomalies.

Log             Location on Red Hat Linux                   Location on Windows
nbwebservice    /usr/openv/logs/nbwebservice/               C:\Program Files\Veritas\NetBackup\logs\nbwebservice
nbanomalymgmt   /usr/openv/netbackup/logs/nbanomalymgmt/    C:\Program Files\Veritas\NetBackup\logs\nbanomalymgmt

Update your server config documentation to include the above steps and administrative monitoring procedures.
