Managing List of Suspicious Files and Extensions

To keep the list of suspicious files and extensions up-to-date, select the Update malware definitions automatically check box. If the option is enabled, Veeam Backup & Replication will communicate with the Veeam Update Server (vbr.butler.veeam.com) daily and download the latest version of the SuspiciousFiles.xml file. The Veeam Data Analyzer Service checks the file for updates when the service restarts. By default, this occurs once a day at 12:00AM.

Note

If your backup server has limited internet access, you can update the list of suspicious files and extensions manually. For more information, see this Veeam KB article.

Adding Custom Suspicious Files and Extensions

To add custom files and extensions that should be marked as suspicious, perform the following steps:

From the main menu, select Malware Detection > General and click File masks to monitor.
Click Add next to the Suspicious files field.
Specify a file extension or a file name with or without extension. You can also use * and ? wildcard characters. For example:

bot.txt

bot

b?t

*.avi

Note

Malware detection scan is case-insensitive. You do not need to add extensions or file names with different cases, for example, bot and Bot.

Click OK.

Managing List of Suspicious Files and Extensions

Excluding Suspicious Files and Extensions

To exclude a file name or file extension listed in the SuspiciousFiles.xml file and ignore it during the scan, do the following:

From the main menu, select Malware Detection > General and click File masks to monitor.
Click Add > Extension next to the Trusted objects field.
Specify a file name or file extension as it is listed in the SuspiciousFiles.xml file (the FileMask tag). For example:

*.cryptoboss

Click OK.

Note

You can also add files and extensions to the trusted list from the Event Details window. For more information, see Viewing Malware Detection Events.

Managing List of Suspicious Files and Extensions

Excluding Files and Folders

To ignore a specific file or a folder during the scan, do the following:

From the main menu, select Malware Detection > General and click File masks to monitor.
Click Add > Path next to the Trusted objects field.
Specify a path to the file or folder. For example:

C:\Users\user1\New Folder\

C:\Users\user1\file.txt

/home/user1/Folder/

/home/user1/file.md

Click OK.

Note

Consider the following:

A path to the folder must include the last slash (" /" or "\" ) symbol.
Wildcard characters are not supported.
Excluding files and folders is applied only to the following malware activity types:

Known suspicious files and extensions
Renamed files
Deleted files

Managing List of Suspicious Files and Extensions

Exporting and Importing Custom Lists

You can export and import the list of custom files and extensions to/from a file in the XML format.

To export the list, do the following:

From the main menu, select Malware Detection > General and click File masks to monitor.
Click Export these filters.
Click Browse and select the folder to save the list.
Specify the name of the file and click Save.
Click OK.

Managing List of Suspicious Files and Extensions

To import the list, do the following:

From the main menu, select Malware Detection > General and click File masks to monitor.
Click Import existing list.

Important

The import operation will override files and extensions you specified earlier. It is recommended to export your current list before you import a new one.

Click Browse and select the folder where the file is located.
Select the file and click Open.
Click OK.

Managing List of Suspicious Files and Extensions

A valid XML Schema for the list must contain the following elements:

Element	Description
RansomwareExclusions	Root element.
Includes	Child element of the RansomwareExclusions element. Contains custom files and extensions that must be marked as suspicious. Can be empty.
Excludes	Child element of the RansomwareExclusions element. Contains files and extensions listed in the SuspiciousFiles.xml file that must be ignored during the guest indexing data scan. Can be empty.
Item (Includes/Excludes)	Child element of the Includes or Excludes element. Each Item contains a file extension or a file name with or without extension that must be marked as suspicious or ignored. Consider the following: File names and file extensions can include * and ? wildcard characters. File names and file extensions must not contain the following characters: <, >, :, ", \, /, \|. Use & to escape an ampersand (&). Note that files and extensions you want to exclude must be listed in the SuspiciousFiles.xml file.
IgnoredPaths	Child element of the RansomwareExclusions element. Contains specific files and folders that must be ignored during the guest indexing data scan. Can be empty.
Item (IgnoredPaths)	Child element of the IgnoredPaths element. Each Item contains a path to the specific file or folder that must be ignored. The element also has a specific Type attribute. Possible values: Absolute — Absolute paths Consider the following: A path to the folder must include the last slash (" /" or "\" ) symbol. File and folder names can contain spaces. Paths must not contain the following characters: <, >, ", \|,*,?. Use & to escape an ampersand (&).

Example:

</Includes>

<Item>*.cryptoboss</Item>

</Excludes>

<Item Type="Absolute">C:\Users\user1\New Folder\</Item>

<Item Type="Absolute">C:\Users\user1\file.txt</Item>

<Item Type="Absolute">/home/user1/Folder/</Item>

</IgnoredPaths>

</RansomwareExclusions>