Scanning backup images with YARA scanner
Use this topic to scan images with YARA scanner.
To scan images with YARA scanner
- On the left, click Detection and reporting > Malware detection.
- Click Scan for malware.
- In the Search by option, select Backup images.
- Select YARA scan as the scan type.
- Click the Select threat feeds option.
On the dialog box, select the required YARA rule files or
.zipfile and click Select. - In the search criteria, review and edit the following:
Policy name - Only supported policy types are listed.
Client name - Displays the clients that have backup images for a supported policy type.
Policy type - Displays all the supported policies that are enabled for YARA scanning.
Type of backup - Any incremental backup images that do not have the NetBackup Accelerator feature enabled are not supported for the VMware workload.
Copies - If the selected copy does not support instant access, then the backup image is skipped for the scan. (For NAS-Data-Protection policy type) Select the Copies as Copy 2.
Disk pool - MSDP (PureDisk), OST (for example, Data Domain) and AdvancedDisk storage type disk pools are listed.
Disk type - MSDP (PureDisk), OST (for example, Data Domain) and AdvancedDisk disk types are listed.
Infection status - The malware-infected status of the backup images can be searched based on the following types: infection detected by malware scan, file hash search, not infected, not scanned or all.
For the Select the timeframe of backups, verify the date and the time range or update it.
On selecting the Abort malware scan on detecting an infection option, clean recovery would not be supported for infected images.
- Click Search.
- Select the search criteria and ensure that the selected compute host is active and available.
- From the Select the backups to scan table select one or more images for scan.
- Click Scan for malware.
- After the scan is initiated, the Scan status is displayed.
The following are the status fields:
Not scanned
Not infected
Infected
Failed
Hover over the status to view the reason for the failed scan.
Note:
Any backup images that fail the validation are ignored. Scanning is supported for the backup images that are stored on storage with instant access capability and for the supported policy types only.
In progress
Pending
Note:
You can cancel the scan for one or more jobs that are in progress or are pending.
Infected - Scan aborted
You can view the YARA scanning jobs on the Activity monitor UI.