DRMM-VeeamMalware.ps1
function write-DRMMAlert ($message) {
    # Prints an alert result block: $message prefixed with "Alert=" and
    # wrapped in the <-Start Result-> / <-End Result-> markers (presumably
    # the delimiters the RMM platform scans for; interpolation only, no
    # other formatting is applied to $message).
    $lines = @(
        '<-Start Result->',
        "Alert=$message",
        '<-End Result->'
    )
    foreach ($line in $lines) {
        Write-Host $line
    }
}
function write-DRMMStatus ($message) {
    # Prints a status result block: $message prefixed with "STATUS=" and
    # wrapped in the <-Start Result-> / <-End Result-> markers. Same shape
    # as write-DRMMAlert, differing only in the "STATUS=" key.
    $lines = @(
        '<-Start Result->',
        "STATUS=$message",
        '<-End Result->'
    )
    foreach ($line in $lines) {
        Write-Host $line
    }
}
function Write-DRMMDiagnostic ($message) {
    # Prints a diagnostic block: $message between the <-Start Diagnostic-> /
    # <-End Diagnostic-> markers. $message is passed to Write-Host untouched,
    # so an array argument is rendered the way Write-Host renders arrays.
    $openMarker = '<-Start Diagnostic->'
    $closeMarker = '<-End Diagnostic->'
    Write-Host $openMarker
    Write-Host $message
    Write-Host $closeMarker
}
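# Get DRMM variables and set variables.
# AlertLevel and Verbose are read from the environment (presumably supplied as
# DRMM component/site variables — confirm against the component definition).
# AlertLevel narrows what is alerted on:
#   "Suspicious"  -> only suspicious restore points raise an alert
#   "Infected"    -> only infected restore points raise an alert
#   anything else -> both do
$alertLevel = $ENV:AlertLevel
$verbose = $ENV:Verbose
$isVerbose = ($verbose -eq "True")
$drmmOutput = @()
# Initialise the verdict flags explicitly so values left over in the calling
# scope (e.g. when the script is dot-sourced) cannot influence the result.
$suspicious = $false
$infected = $false
$transcriptStarted = $false
# If verbose enabled, start logging
if ($isVerbose) {
    $timestamp = Get-Date -Format o | ForEach-Object { $_ -replace ":", "." }
    Start-Transcript -Path "C:\ProgramData\CentraStage\Temp\Veeam_Malware_$timestamp.txt" -Force
    # Only remember the transcript as open if Start-Transcript succeeded, so
    # the finally block below never calls Stop-Transcript without one running.
    $transcriptStarted = $?
}
try {
    # Import required PowerShell module
    # Veeam.Backup.PowerShell
    if (-not (Get-Module -ListAvailable -Name "Veeam.Backup.PowerShell")) {
        $modulePath = "C:\Program Files\Veeam\Backup and Replication\Console\Veeam.Backup.PowerShell\Veeam.Backup.PowerShell.psd1"
        # Test-Path rather than Get-Item: Get-Item on a missing file writes a
        # non-terminating error to the console before the else branch runs.
        if (Test-Path -LiteralPath $modulePath -PathType Leaf) {
            Import-Module -Name $modulePath
        } else {
            Write-Host "Veeam PowerShell module not present and could not be found at the default location"
            Write-DRMMAlert "BAD | Missing PowerShell module"
            if ($isVerbose) {
                Write-Host $(Get-Module -ListAvailable -Name Veeam*)
            }
            Exit 1
        }
    } else {
        Import-Module "Veeam.Backup.PowerShell"
    }
    # Get Veeam restore points
    Try {
        # @() guarantees an array, so .Count and foreach behave for zero or one result.
        $points = @(Get-VBRObjectRestorePoint | Select-Object Name,CreationDate,Status | Sort-Object CreationDate)
        if ($isVerbose) {
            Write-Host "$($points.Count) restore points found"
        }
        # Examine them for malware status
        foreach ($point in $points) {
            if ($isVerbose) {
                Write-Host "Checked $($point.Name) - $($point.CreationDate) - $($point.Status)"
            }
            switch ($point.Status) {
                "Suspicious" {
                    $suspicious = $true
                    $drmmOutput += "? $($point.CreationDate) - $($point.Name) - SUSPICIOUS`n"
                }
                "Infected" {
                    $infected = $true
                    $drmmOutput += "! $($point.CreationDate) - $($point.Name) - INFECTED`n"
                }
            }
        }
        # Each entry already ends in a newline; join without a separator so
        # the diagnostic block is not rendered with a leading space per line.
        $diagnostic = $drmmOutput -join ''
        # Infected takes precedence over suspicious; AlertLevel can suppress either class.
        if ($infected -and $alertLevel -ne "Suspicious") {
            write-DRMMAlert "BAD | VEEAM REPORTING INFECTED RESTORE POINTS"
            Write-DRMMDiagnostic $diagnostic
            Exit 1
        } elseif ($suspicious -and $alertLevel -ne "Infected") {
            Write-DRMMAlert "BAD | Veeam reporting suspicious restore points"
            Write-DRMMDiagnostic $diagnostic
            Exit 1
        } else {
            Write-DRMMStatus "OK | No malware found"
        }
    } catch {
        # Any terminating error (module cmdlet missing, Veeam service down, ...)
        # is surfaced as an alert; the raw error goes to the console/transcript.
        Write-DRMMAlert "BAD | Script failed - enable verbose mode and check output"
        Write-Host $_
        Exit 1
    }
} finally {
    # Runs on every exit path (including Exit), so a transcript started above
    # is always closed instead of being left open when the script terminates.
    if ($transcriptStarted) {
        Stop-Transcript
    }
}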