Inline Scan

To scan blocks in a data stream, Veeam Backup & Replication uses inline entropy analysis. During the backup job, the following malware activity can be detected:

  • Files encrypted by malware. A malware detection event will be created if the amount of encrypted data exceeds scan sensitivity limits.
  • Text artifacts created by malware:
    • V3 onion addresses that consist of 56 symbols in the [a-z2-7]{56}.onion format. For example, vykenniek4sagugiayj3z32rpyrinoadduprjtdy4wharue6cz7zudid.onion. A malware detection event will be created if at least one onion address is found.
    • Ransomware notes created by Medusa and Clop. A malware detection event will be created if at least one ransomware note is found.

Note

This functionality is disabled by default when you install or upgrade to Veeam Backup & Replication 12.1 (build 12.1.0.2131). If you want to use it, consider that depending on the amount of data, the inline scan may increase CPU usage on backup proxies (10-15% higher on average).

Supported Scenarios

You can scan blocks in a data stream when backing up the following machines:

  • VMware VMs including VMware Cloud Director VMs
  • Hyper-V VMs
  • Machines with Veeam Agent for Microsoft Windows operating in the managed mode (volume-level backup only)

Requirements and Limitations

The inline scan has the following requirements and limitations:

  • Scanning is supported only for simple volumes and for the following file systems: NTFS, ext4, ext3, ext2.
  • Scanning dynamic disks and disks encrypted by BitLocker is not supported.
  • To store ransomware data, you need enough disk space on the backup server. The disk space calculation is based on the following data:
    • The number of machines.
    • Used disk space per machine.
    • The number of restore points per machine.

Storing ransomware data for a machine requires approximately 270 KB of disk space on the backup server for each 10 GB of used disk space, multiplied by the number of restore points.

For example, a machine has 200 GB of used space and 10 restore points. Storing ransomware data for this machine requires 54 MB (270 KB * 20 * 10 restore points).

  • Text artifacts will be detected only if the following conditions are met:
    • The block size of the file system is 4 KB.
    • Text file has the UTF-8 encoding.
    • Text file is not stored in the Master File Table (MFT).
  • Detection of "sleeping" malware is not supported.
  • Some file types may be unintentionally marked as suspicious during inline scan, for example, Linux packages with LZMA compression, files encrypted with Windows EFS, specific ISO files, and so on. If you have such files, you can mark related malware detection events as false-positive. For more information, see Managing Malware Status.
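The following sketch is an added illustration of block-level entropy and onion-address scanning in general; it is not Veeam's code and does not describe the product's internals. The 7.5 bits-per-byte threshold, the function names and all sample data are assumptions constructed for the example. It shows why an LZMA-compressed block looks the same as ciphertext to an entropy check, and why a byte pattern for the [a-z2-7]{56}.onion format does not match text stored in UTF-16.

```python
import lzma
import math
import random
import re
from collections import Counter

BLOCK_SIZE = 4096      # 4 KB file-system block, matching the condition above
ENTROPY_LIMIT = 7.5    # assumed threshold (bits per byte), not a Veeam setting
ONION_V3 = re.compile(rb"[a-z2-7]{56}\.onion")  # format given on this page

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    total = len(block)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())

def scan_stream(data: bytes) -> dict:
    """Scan fixed-size blocks for high entropy and v3 onion addresses."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    high = [i for i, b in enumerate(blocks) if shannon_entropy(b) > ENTROPY_LIMIT]
    onions = sorted({m.group().decode() for b in blocks for m in ONION_V3.finditer(b)})
    return {"blocks": len(blocks), "high_entropy": high, "onions": onions}

def pad(data: bytes) -> bytes:
    """Pad or truncate constructed sample data to exactly one block."""
    return data[:BLOCK_SIZE].ljust(BLOCK_SIZE, b" ")

def build_samples() -> dict:
    """Constructed one-block samples; none of this is real malware output."""
    rng = random.Random(0)
    addr = "vykenniek4sagugiayj3z32rpyrinoadduprjtdy4wharue6cz7zudid.onion"
    note = f"Constructed sample note. Contact: http://{addr}/ \n" * 8
    words = " ".join(str(rng.randrange(10**6)) for _ in range(20000))
    return {
        "utf8_note": pad(note.encode("utf-8")),
        "utf16_note": pad(note.encode("utf-16-le")),  # same text, not UTF-8
        "random_bytes": bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE)),
        "lzma_data": pad(lzma.compress(words.encode())),  # benign, high entropy
    }

if __name__ == "__main__":
    for name, block in build_samples().items():
        print(name, round(shannon_entropy(block), 2), scan_stream(block))
```

Here `random_bytes` stands in for encrypted data. Both it and the benign `lzma_data` block exceed the assumed threshold, and only the UTF-8 note yields an onion match.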

Page updated 2/20/2024

Page content applies to build 12.1.1.56