Cloud.Virt.AI.Sec

Welcome to Cloud.Virt.AI.Sec

Free YARA Rules for Veeam - A Practical Guide to Ransomware.live Integration

In our previous articles, we introduced how Veeam v13 continues to enhance its YARA malware scanning capabilities. However, the limitation of official rule sets is a very real challenge. There aren’t many free YARA rule sources available online, and high-quality ones are even scarcer. Today, I want to introduce you to a hidden gem: Ransomware.live - a professional open-source ransomware threat intelligence platform that provides free YARA rules for 62 major ransomware gangs, making it a perfect complement to Veeam’s YARA scanning functionality.

V13 Malware Detection Comprehensive Upgrade: Practical Evolution from Passive Protection to Active Response

In version v13, malware detection capabilities have achieved a significant leap forward. Compared to the real-time detection capabilities already available in the v12 era, v13 has brought qualitative improvements in threat response mechanisms, platform coverage, and intelligence levels. In my previous articles, I’ve detailed the ransomware attack detection principles and configuration methods for v12. Today, building on that foundation, let’s explore the key upgrades that v13 brings.

v12 Detection Capabilities Review: The Separation of Detection and Response

In the v12 era, Veeam’s malware detection primarily relied on two mechanisms:

Making VBR Login More Secure: A Complete Guide to v13 SAML + Azure EntraID Integration

In version v13, the most significant new features focus on enhanced security capabilities. Starting with this article, I’ll provide a detailed walkthrough of the new security features introduced in v13 through practical applications.

Today, let’s start with authentication. In enterprise-level backup architectures, the security of management console accounts and access governance is critically important. Veeam Backup & Replication (VBR) now supports SAML-based Single Sign-On (SSO) in v13, which means you can centralize authentication to your organization’s existing Identity Provider (IdP) — such as Azure EntraID. Through SAML integration, you can unify the management of VBR login with your company’s account lifecycle, group policies, MFA, and auditing: operations become clearer, permission revocation is more timely, and you achieve higher compliance. This article uses Azure EntraID as an example to demonstrate this integration in detail. For other similar solutions like Authing in China or international options like Okta and Auth0, you can follow the Azure methods to try them out.

In-Depth Analysis: Veeam V13 Release Strategy and Deployment Options

Recently, Veeam’s Chief Product Officer Anton Gostev published an FAQ on the R&D forums that clearly explains V13’s release schedule, deployment options, licensing, and migration strategy. For customers and partner engineers, this isn’t just “news” – it’s a practical guide that will influence decisions about “whether to upgrade immediately and how to plan migration paths.” This article uses that post as a starting point, combining it with official release information to analyze its actual impact on users of different scales, and provides actionable recommendations.

Let Veeam Handle the Complexity: A Hands-On Guide to Infrastructure Appliance

In v13, Veeam not only turned the backup server into a pre-hardened Software Appliance but also introduced the Veeam Infrastructure Appliance, designed specifically to host role services. If the Software Appliance is the “command center,” then the Infrastructure Appliance is more like a pre-configured, ready-to-use “execution unit”: it provides a unified, controlled, and compliant operating environment for roles like Proxy, Mount Server, and Hardened Repository.

1. Why Choose Infrastructure Appliance

The reasons for choosing Infrastructure Appliance can be summarized in three points: fast, simple, secure. Veeam’s JeOS (Just enough OS) image, built on Rocky 9, packages the operating system and runtime dependencies into a controlled, minimal distribution unit. When you deploy an Infrastructure Appliance, you essentially get a ready-to-use Linux server optimized for backup roles according to best practices.

Making Veeam Updates Both Secure and Fast: A Complete Guide to Building Local Update Repository Servers

In the previous articles of this series, we installed and ran the Veeam Software Appliance and experienced its “secure by default” management approach. Now, let’s tackle a question many people genuinely care about: how can the Veeam Software Appliance automatically receive updates in an offline environment, just as it would online? The official documentation mentions specifying a local mirror repository, but it doesn’t provide detailed instructions on how to build, sync, or configure certificates. Based on my lab testing, I’ll walk you through the complete process step by step.