Veritas NetBackup introduced malware scanning for backups a few versions ago, which has since matured. Some competitors refer to it as threat hunting or threat analysis. This blog explores the potential risks of those who search for threats inadvertently becoming targets themselves.
At a high level, this process involves scanning backups of hosts and data repositories for malware or ransomware rather than scanning in the production environment. Initially, it may seem straightforward, but the complexity arises when examining how backup software conducts malware scanning.
Different backup vendors have adopted varying strategies for malware scanning of backups.
Each of these strategies must account for the security risks involved and address both how to protect the data and how to protect the scanning environment.
Security from the direction of the scanning software: Whether the scanning software searches for indicators of compromise (IOCs), such as signatures of known-bad files, within the product itself, or relies on a trusted third-party security scanning tool to do the matching, the security of the scan itself is a critical consideration. The design and implementation of this process must always bear in mind that the files being assessed may not be harmless; they are being evaluated precisely because they might contain malware.
To draw an analogy, this is not like a casual gathering at a family wedding, where you warmly welcome guests you have already met. Instead, it is more akin to airport security, where security personnel treat everyone as a potential security concern. They don't conduct screenings in a haphazard manner. Instead, they ask you to empty your pockets, remove jackets and shoes, and raise your hands to ensure the safety of everyone during the scan. Any possible weapons in the carry-on luggage are not accessible to the passenger during the safety scan. The carry-on luggage gets scanned separately, without any chance of it being used to cause harm.
Similarly, regardless of the method used for potential malware scanning, it must be executed with great care. The scanning session should be isolated, ensuring that other users who can log into the scanning host cannot see or access the files being scanned for potential malware. Even if the same user initiates another session, that session should not have access to the files under scrutiny for potential malware. This isolation is crucial for maintaining the security and integrity of the scanning process.
Security from the direction of the backup image exposure:
Let’s look at three alternatives for exposing backup images for malware scanning. There are a few important considerations to keep in mind.
Operating system and mounting method: Compared to the first two areas of consideration, this one is relatively straightforward. The share type choices are NFS and SMB. Windows and Linux (RHEL, SLES) scan hosts are the OS choices for a VM or server that can scan both share types; a Linux scan host with an NFS share and a Windows scan host with an SMB share are likely the most common pairings.
This covers the various combinations considered while offering malware scans of backups. It is important to try and cover all these combinations in every way possible.
What is the secure way to do this, and how does Veritas NetBackup address the above considerations?
To enhance the security of NetBackup's malware scans, there are several behind-the-scenes measures in place. One crucial element is VPFS, the Veritas Provisioning File System, which acts as a pseudo file system built on NetBackup's backup images as its foundation. VPFS also supports browsing functionality on both block and object storage used for storing backups. Many other vendors only support such instant browsing for backups stored on block-based storage.
This “virtual” file system exposes a view of an image without allowing the end user or the scan process to change the original files. It is much like a “copy on write” snapshot in many ways, but it isn’t a full recovery, so you don’t have to move the data across the network. Some index engines require making a fully rehydrated copy, which either slows the scans or requires costly additional resources.
The best approach to malware scanning lies in the answers to two simple questions.
Think of it as conducting a virus test in a controlled laboratory environment that requires extreme caution. Malware scanning is no different. The key distinction is that we can't perform a secure scan on production data because we can't make any alterations there, even at the presentation layer. By conducting the scan on the backup data, we gain the flexibility needed for thorough and secure malware scanning. As a result, for a restore-time scan, one could restore the files with read-only permissions for the scan and reapply the original permissions after the scan completes.
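The restore-time scan just described, together with the session isolation requirement from earlier (other users on the scan host must not be able to reach the files under scrutiny), as an added illustration that is not NetBackup's own code: the restored files live in a mode 0700 scratch directory, are held owner-read-only while a hypothetical scanner callback inspects them, and get their original permission bits back afterwards even if the scanner crashes. The scanner callback, the sample file and its content are all constructed for the example.

```python
import os
import stat
import tempfile
from typing import Callable, Dict


def make_private_scan_area(parent: str) -> str:
    """Create a mode 0700 scratch directory: other users logged into the scan
    host cannot list, open or traverse the restored files placed inside it."""
    area = tempfile.mkdtemp(prefix="scan-", dir=parent)
    os.chmod(area, stat.S_IRWXU)
    return area


def file_mode(path: str) -> int:
    """Permission bits of a path, without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def write_sample(area: str, name: str, content: str, mode: int) -> str:
    """Constructed stand-in for a restored file, with its 'original' mode."""
    path = os.path.join(area, name)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


def scan_restored_tree(root: str, scanner: Callable[[str], bool]) -> Dict[str, bool]:
    """Scan every regular file under root while it is owner-read-only, then
    reapply the original permissions, even if the scanner raises.
    `scanner` is a hypothetical callback: True means clean, False means a hit."""
    original: Dict[str, int] = {}
    results: Dict[str, bool] = {}
    try:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue  # skip symlinks and specials; never chmod through them
                original[path] = file_mode(path)
                os.chmod(path, stat.S_IRUSR)  # 0400: no write, no execute during scan
        for path in original:
            results[path] = scanner(path)
    finally:
        for path, mode in original.items():
            os.chmod(path, mode)  # restore the original permissions after the scan
    return results
```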
You have now seen the ingredients of secure malware scanning of backup images.
Intrigued? Join our Veritas REDLab group to see such unique topics discussed. Don’t worry, it is free and easy to join. Sign up on vox.veritas.com, and then go to this group URL and join. https://vox.veritas.com/t5/Veritas-REDLab/gh-p/VeritasREDLab