
Scan assets for ransomware and malware exposure


Elastio helps defend your data from ransomware and malware attacks by detecting ransomware, crypto miners, trojans and other malware hiding in backups. Our malware engine is updated daily with the latest known malware. It detects evidence of a ransomware attack in the recovery points with deterministic and statistical analysis against all files in the backup. Elastio protects against over 1,000 known ransomware.

Use Elastio Protection Policy to scan your assets

The Elastio Protection Policy provides three flexible options to guarantee the recoverability of your assets. Depending on your requirements, you can scan the assets only, back them up and scan them, or simply back them up.

For scenarios where a recovery point isn’t necessary, follow this tutorial to have your assets scanned regularly at predefined intervals.

Proceed to the Policies page and press the “+New policy” button.

Figure 1: Add New Policy


Add a name to your policy and define a schedule for it. Press “Next”.

Figure 2: Add policy schedule


Select the “Scan with Elastio” option in the Scan option drop-down.

Set an integrity scan to run against the recovery point after every backup. You can choose to run a check for ransomware, malware or both.

Figure 3: Add New Policy - Integrity Scan


Furthermore, you have the option to activate the EBS file system check.

When all required options are selected, complete the remaining steps of policy creation and save the policy.

After the policy has run at least once, navigate to the Reports page to check the details of each ransomware and malware check performed.

Figure 4: Reports page


Click the Run Report button to see all Anti-Malware Scan Results.

Figure 5: Anti-Malware Scan Results


By clicking on the recovery point ID you will be redirected to the Asset page that carries the details on the asset that has been backed up.

Figure 6: Recovery Point to Asset page


Expand the row with the scan by clicking the “+” button. Then by clicking on the asset ID proceed to the Malware and Ransomware Scan Results.

Figure 7: Scan Results


Integrate Elastio into an AWS Backup plan

When creating an AWS Backup plan, you can integrate Elastio into the backup flow by adding certain tags. Depending on the tag key-value pair, you will be able to enable ingest, scan or ingest + scan with Elastio for your AWS Backup recovery points. To do this, follow the instructions below.

Go to AWS Backups / Backup Plans and press the “Create backup plan” button.

Figure 8: Create AWS Backup plan


Select a template, or create a plan from scratch. When selecting a template, one or more Backup Rule(s) will appear in the dedicated section.

Figure 9: Backup Rules


Press on a Backup Rule. Scroll down to the “Tags added to recovery points” section. Press the “Add new tag” button. Enter one of the following key-value pairs depending on your needs.

  • to scan resulting AWS recovery points with Elastio:

Key: elastio:action

Value: scan

Figure 10: AWS backup with scan by Elastio enabled


  • to ingest AWS recovery points into Elastio:

Key: elastio:action

Value: ingest

  • to ingest and scan AWS recovery points with Elastio:

Key: elastio:action

Value: ingest-and-scan

Figure 11: AWS backup with ingest and scan by Elastio enabled


Once you’ve specified the tags for all Backup Rules that need them, save the policy and add some assets to it. Elastio will pick up the AWS recovery points by tags automatically and process them depending on the tag value.
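
To check the tagging afterwards, the following added example (not Elastio's own code) audits the JSON returned by `aws backup get-backup-plan` and reports, per Backup Rule, whether the `elastio:action` recovery point tag is present and set to one of the three values listed above. The sample plan is constructed, and accepting only exact-case values is an assumption based on AWS tags being case-sensitive.

```python
import json

TAG_KEY = "elastio:action"
# Values listed on this page. AWS tag keys and values are case-sensitive,
# so only exact matches are treated as valid (assumption about Elastio's matching).
SCANNING = {"scan", "ingest-and-scan"}
VALID = SCANNING | {"ingest"}

def audit_backup_plan(plan_doc):
    """Return one finding per rule of an `aws backup get-backup-plan` response."""
    findings = []
    for rule in plan_doc.get("BackupPlan", {}).get("Rules", []):
        tags = rule.get("RecoveryPointTags") or {}
        value = tags.get(TAG_KEY)
        if value is None:
            # Near-miss keys (wrong case, stray spaces) are a common tagging slip.
            near = [k for k in tags if k.strip().lower() == TAG_KEY]
            status = "misspelled-key" if near else "missing-tag"
        elif value not in VALID:
            status = "invalid-value"
        else:
            status = "scanned" if value in SCANNING else "ingest-only"
        findings.append({"rule": rule.get("RuleName"), "value": value, "status": status})
    return findings

def rules_without_scan(findings):
    """Names of rules whose recovery points will not be scanned."""
    return [f["rule"] for f in findings if f["status"] != "scanned"]

# Constructed sample, shaped like the output of `aws backup get-backup-plan`.
SAMPLE_PLAN = json.loads("""
{"BackupPlan": {"BackupPlanName": "example-plan", "Rules": [
  {"RuleName": "daily",   "RecoveryPointTags": {"elastio:action": "scan"}},
  {"RuleName": "weekly",  "RecoveryPointTags": {"elastio:action": "ingest-and-scan"}},
  {"RuleName": "monthly", "RecoveryPointTags": {"elastio:action": "ingest"}},
  {"RuleName": "hourly"},
  {"RuleName": "adhoc",   "RecoveryPointTags": {"Elastio:Action": "scan"}},
  {"RuleName": "yearly",  "RecoveryPointTags": {"elastio:action": "Scan "}}
]}}
""")

if __name__ == "__main__":
    results = audit_backup_plan(SAMPLE_PLAN)
    for f in results:
        print(f"{f['rule']:<8} {f['status']:<15} {f['value']!r}")
    print("not scanned:", rules_without_scan(results))
```

Rules reported as anything other than `scanned` produce recovery points that this check would not expect to be scanned, which makes them the ones to review in the backup plan.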

Scan your assets with Elastio CLI

The second way of checking recovery points for threats is to use the Elastio CLI iscan command.

Elastio Integrity Scan capability is available using the elastio iscan command within the Elastio CLI. It can be initiated like so:

elastio iscan

We recommend running Elastio iScan on Linux-based machines. It can check for malware, ransomware, or both; the default behavior is to check for both. You can scan various AWS resources using Elastio iScan, such as AWS S3 buckets, AWS EBS snapshots, AWS AMIs and AWS EFS, as well as local paths and Elastio recovery points. Note that the latest version of the Elastio CLI needs to be installed in order to produce the best results. Replace the placeholders with the proper ID or name before you run a command.

Below, you can find example commands to run Elastio iScan for different types of resources:

  • AWS AMI:
elastio iscan --ami <ami>
  • AWS EBS volume:
elastio iscan --ebs-volume-id <ebs-volume-id>
  • AWS EBS snapshot:
elastio iscan --ebs-snapshot <ebs-snapshot-id>
  • AWS EC2 instance:
elastio iscan --ec2-instance-id <ec2-instance-id>
  • AWS RP:
elastio iscan --aws-rp <aws-rp>
  • AWS EFS:
elastio iscan --efs-id <efs-id>

⚠️ Please note: for the scan to work correctly, EFS mount points should be available in all availability zones where the Elastio vault is installed. They can be configured when the EFS is created or added later. See an example list of mount points below:

Figure 1: EFS mount points

  • AWS S3 bucket:
elastio iscan --s3-bucket <s3-bucket>

⚠️ Important! ⚠️ S3 object count, when exceeding certain limits, can negatively impact Elastio S3 scan performance. We do not recommend using the S3 scanning feature on buckets with more than 10 million objects. If you need to scan more than 10M objects in a bucket, please contact Elastio support for assistance.

  • an Elastio recovery point:
elastio iscan --rp <rp-id>
  • a local path:
elastio iscan --path <path>

to check a directory for malware only:

elastio iscan --malware-only <path>
  • a mount point:
elastio mount rp --rp dgwmvmc2eiqlrqmltrw4q8nk /dev/sda1:/mnt
elastio iscan /mnt

The output is presented on the screen and saved in a .gz file. This file contains the details of the scan.

Enable Threat Detection in a Protection Policy with backups enabled

Alternatively, you can use the “Backup and scan” option to ensure backups as well as data integrity. Follow these steps to enable recovery point scanning after every scheduled backup.

Proceed to the Policies page and press the “+New policy” button.

Figure 1: Add New Policy


Add a name to your policy and define a schedule for it.

Figure 2: Add policy schedule


Select the “Scan and backup with Elastio” option in the Scan option drop-down.

Set an integrity scan to run against the recovery point after every backup. You can choose to run a check for ransomware, malware or both.

Figure 3: Add New Policy - Integrity Scan


Furthermore, you have the option to activate the EBS file system check. When all required options are selected, complete the remaining steps of policy creation and save the policy.

After the policy has run at least once, navigate to the Reports page to check the details of each ransomware and malware check performed.

Figure 4: Reports page


Click the Run Report button to see all Anti-Malware Scan Results.

Figure 5: Anti-Malware Scan Results


By clicking on the recovery point ID you will be redirected to the Asset page that carries the details on the asset that has been backed up.

Figure 6: Recovery Point to Asset page


Expand the row with the scan by clicking the “+” button. Then by clicking on the asset ID proceed to the Malware and Ransomware Scan Results.

Figure 7: Scan Results
