Detection

Malware Detection

Distinction between Antivirus Plugin and Malware

In an Antivirus Check, Bacula transmits the files to the ClamAV antivirus socket, which performs the scan and reports to Bacula if any viruses are discovered. For Malware, Bacula instead retrieves the Malware database signatures from https://abuse.ch/ and verifies the files' signatures against that list. If a Backup job finds malware in the backup content, an error message is generated and the Job status is changed.

Bacula allows you to configure your jobs to detect known Malware. The detection can be done at the end of the Backup job and/or with a Verify job.

The Job directive Check Malware = yes/no controls this behavior.

Job {
  Name = MyBackup
  Check Malware = yes
  FileSet = FullSet
  JobDefs = Default
}

FileSet {
  Name = FullSet
  Include {
     Options {
        Signature = md5
     }
     File = /home
  }
}

The FileSet of the Backup Job must use the Signature = MD5 or Signature = SHA256 option to use the Check Malware directive.

By default, the Malware database is fetched from abuse.ch. If needed, it can be adapted with the Director MalwareDatabaseCommand directive.
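The following is an added illustration, not Bacula's own code, of what the check above amounts to: the FileSet signature (MD5 or SHA256) recorded in the catalog for each file is compared against a list of known-bad digests. The hash feed, the file contents and the "example-feed" source name are all constructed here; the one-digest-per-line, '#'-commented layout is an assumption about the feed format, not a statement about abuse.ch.

```python
import hashlib

# --- Constructed sample data (not real malware, not real abuse.ch data) ----
SAMPLE_FILES = {
    "/home/alice/report.txt": b"quarterly numbers, nothing unusual\n",
    "/home/alice/Downloads/setup.bin": b"MZ\x90\x00constructed-dropper-sample",
    "/home/bob/notes.md": b"# todo\n- rotate backup keys\n",
}
# Constructed feed: '#' comments, blank lines, one hex digest per line
# (assumed layout). The first digest is derived from a constructed file
# above so the example is self-contained; the second matches nothing.
HASH_FEED = "\n".join([
    "# constructed hash feed, source: example-feed",
    "# sha256 of known-bad samples",
    "",
    hashlib.sha256(SAMPLE_FILES["/home/alice/Downloads/setup.bin"]).hexdigest().upper(),
    "0" * 64,
])

def parse_hash_feed(text, algo="sha256"):
    """Return the set of lowercase hex digests found in the feed.
    Lines that are not a well-formed digest of the expected length are
    skipped, so a truncated or corrupted download does not seed the set
    with entries that can never match."""
    want_len = {"md5": 32, "sha256": 64}[algo]
    digests = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) == want_len and all(c in "0123456789abcdef" for c in line):
            digests.add(line)
    return digests

def build_catalog(files, algo):
    """Stand-in for 'Signature = md5|sha256' in the FileSet: the backup
    stores one digest per file next to the file's metadata."""
    return [(path, hashlib.new(algo, data).hexdigest()) for path, data in files.items()]

def check_malware(catalog, bad_hashes, source):
    """Stand-in for 'Check Malware = yes': only catalog metadata is consulted,
    file content is never re-read from the volume."""
    return [(path, "Malware found", source) for path, digest in catalog if digest in bad_hashes]

def run(algo="sha256"):
    bad = parse_hash_feed(HASH_FEED, algo)
    return check_malware(build_catalog(SAMPLE_FILES, algo), bad, "example-feed")

if __name__ == "__main__":
    for path, desc, src in run():
        print(f"{path:35} | {desc} | {src}")
```

Running it with algo="md5" against a SHA256 feed yields no matches at all, which is the practical caveat: the FileSet signature algorithm has to match the hash type the database provides, or the check silently finds nothing.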

If a Backup job detects malware in the backup content, an error is reported and the Job status is adapted accordingly.

 20-Sep 12:26 zog8-dir JobId 9: Start Backup JobId 9, Job=backup.2022-09-20_12.26.30_13
 ...
 20-Sep 12:26 zog8-dir JobId 9: [DI0002] Checking file metadata for Malwares
 20-Sep 12:26 zog8-dir JobId 9: Error: [DE0007] Found Malware(s) on JobIds 9
    Build OS:               x86_64-pc-linux-gnu archlinux
    JobId:                  9
    Job:                    backup.2022-09-20_12.26.30_13
    Backup Level:           Full
    ...
    Last Volume Bytes:      659,912,644 (659.9 MB)
    Non-fatal FD errors:    1
    SD Errors:              0
    FD termination status:  OK
    SD termination status:  OK
    Termination:            Backup OK -- with warnings

The list of the Malware detected in a given Job can be displayed with the ``list files type=malware`` command.

*list files type=malware jobid=1
+-------+-----------------------------+---------------+----------+
| jobid | filename                    | description   | source   |
+-------+-----------------------------+---------------+----------+
|     1 | /tmp/regress/build/po/fr.po | Malware found | abuse.ch |
+-------+-----------------------------+---------------+----------+

A Verify Job with level VolumeToCatalog or Data can be configured with the Check Malware = yes directive to report malware in addition to the standard errors detected by the Verify Job feature.

*run job=VerifyVolCat jobid=1 yes
Job queued. JobId=7
*wait
You have messages.
*messages
20-Sep 12:26 zog8-dir JobId 7: Verifying against JobId=1 Job=backup.2022-09-20_12.25.48_03
20-Sep 12:26 zog8-dir JobId 7: [DI0002] Checking file metadata for Malwares
20-Sep 12:26 zog8-dir JobId 7: Error: [DE0007] Found Malware(s) on JobIds 1
20-Sep 12:26 zog8-sd JobId 7: Ready to read from volume "TestVolume001" on File device "FileChgr1-Dev1" (/tmp/regress/tmp).
20-Sep 12:26 zog8-sd JobId 7: Forward spacing Volume "TestVolume001" to addr=216
20-Sep 12:26 zog8-sd JobId 7: Elapsed time=00:00:01, Transfer rate=94.08 M Bytes/second
20-Sep 12:26 zog8-dir JobId 7: Bacula zog8-dir 14.1.1 (12Aug22):
  Build OS:               x86_64-pc-linux-gnu archlinux
  JobId:                  7
  Job:                    VerifyVolCat.2022-09-20_12.26.14_09
  FileSet:                Full Set
  Verify Level:           VolumeToCatalog
  Client:                 zog8-fd
  Verify JobId:           1
  Verify Job:
  Start time:             20-Sep-2022 12:26:16
  End time:               20-Sep-2022 12:26:25
  Elapsed time:           9 secs
  Accurate:               yes
  Files Expected:         3,640
  Files Examined:         3,640
  Non-fatal FD errors:    1
  SD Errors:              0
  FD termination status:  OK
  SD termination status:  OK
  Termination:            Verify OK -- with warnings

Go back to the Bacula Enterprise Security and Threat Analysis chapter.