Showing results for 
Search instead for 
Did you mean: 

Defining Malicious Behavior on NBU

Level 0

Hi Admins, hope everyone's well.

Student coming from the side of security, currently working on a project with Veritas NetBackup. I'm designing some indicators to alert on malicious behavior in the context of the SW [Using Endpoint Detection and Response]. I was thinking to share with you some ideas that I have thought about implementing and I would be really appreciated if you could challenge/ give feedback on them. Your knowledge of what constitutes normal behavior and what isn't is crucial for me. So here are the ideas (if you have some by any means pls share)_

#1 - Deletion of images from the image catalog

#2 - Deletion of media entries from the EMM Database

#3 - Deletion/Tampering with NBDB configuration files

#4 - Deletion of SRTs from the Boot Servers (BMR) (maybe boot images also?)

#5 - Modification of Retention Levels

#6 - Setting expiration dates of backup images to expire immediately or near future

#7 - Mass freeze media

#8 - Stoppage of Critical Services/Daemons

For example: #1 images in the catalog are usually cleaned up automatically by a service and rarely deleted by an admin. Since the majority of it is done automatically, normal behavior would easy to exclude. An attacker deleting in bulk would be alerted and stopped. Other example: #5 I don't know how often admins change their Retention Levels, but changing them in away that backups would expire immediately would be very suspicious right? This is the kind of reasoning Im approaching the problem with. 

I tried designing these taking into account if it's something a NBU admin does regularly, and also trying to distinguish it by if it's automatic or if it's manual work. But ultimately I would love your input.



There have been times when I get requests to extend expiration of images, and when those extensions end, I recalculate the images, which expires the images. You might want to add an ability to detect the recalculation option, since for example, if I have images that normally expire in a month and I manually set them to expire in a year, a few months later a recalculation would set the expiration in the past, and they would be cleaned up during the next normal cleanup.

Having said that, I know I do make changes to slp config files every day.

Also, with a disk storage unit, there are times when space becomes an issue, it is not abnormal to change retention and expire data there to save space.


This does seem like a beneficial thing to provide, surprised Veritas does not already have something



NetBackup on Solaris 11, writing to Data Domain 9800
duplicating via SLP to LTO5 & LTO8 in SL8500 via ACSLS