Inline Scan

To scan blocks in a data stream, Veeam Backup & Replication uses inline entropy analysis. During the backup job, the following malware activity can be detected:

  • Files encrypted by malware. A malware detection event will be created if the amount of encrypted data exceeds scan sensitivity limits.
  • Text artifacts created by malware:
    • V3 onion addresses that consist of 56 symbols in the [a-z2-7]{56}.onion format. For example, vykenniek4sagugiayj3z32rpyrinoadduprjtdy4wharue6cz7zudid.onion.
    • Ransomware notes created by Medusa and Clop.

A malware detection event will be created if a new restore point contains more onion addresses or ransomware notes than the previous restore point selected for comparison. If both restore points contain the same number of onion addresses or ransomware notes, a malware detection event will not be created. For more details, see How Inline Scan Works.

Note

Inline scan is disabled by default when you install or upgrade to a new version of Veeam Backup & Replication. If you want to use this functionality, consider the following:

  • Scanning may increase CPU usage (10-15% on average) on the backup proxy, depending on the workload type and amount of data.
  • Scanning may increase RAM usage on the backup server, depending on the amount of data. To analyze 1 million files on a machine, inline scan requires approximately 50 MB RAM.

Supported Scenarios

When performing backup jobs, you can scan blocks in a data stream from the following machines:

  • VMware VMs including VMware Cloud Director VMs
  • Hyper-V VMs
  • Machines with Veeam Agent for Microsoft Windows operating in the managed by backup server mode (volume-level backup only)

Requirements and Limitations

The inline scan has the following requirements and limitations:

  • Scanning is supported only for simple volumes and for the following file systems: NTFS, ext4, ext3, ext2.
  • Scanning dynamic disks and disks encrypted by BitLocker is not supported.
  • To store ransomware data, you need enough disk space on the backup server. The disk space calculation is based on the following data:
    • The number of machines.
    • Used disk space per machine.
    • The number of restore points per machine.

Storing ransomware data per machine requires approximately 270 KB of disk space on the backup server per each 10 GB of used disk space multiplied by the number of restore points.

For example, a machine has 200 GB of used space and 10 restore points. Storing ransomware data for this machine requires 54 MB (270 KB * 20 * 10 restore points).    

  • Text artifacts will be detected only if the following conditions are met:
  • The block size of the file system is 4 KB.
  • Text file has the UTF-8 encoding.
  • Text file is not stored in the Master File Table (MFT).
  • Detection of "sleeping" malware is not supported.
  • Some file types may be unintentionally marked as suspicious during inline scan, for example, Linux packages with LZMA compression, files encrypted with Windows EFS, specific ISO files, and so on. If you have such files, you can mark related malware detection events as false-positive. For more information, see Managing Malware Status.

In This Section

Page updated 11/8/2024

Page content applies to build 12.3.0.310