How Malware Detection Works

Malware detection is managed by the Veeam Data Analyzer Service. The service restarts once a day at 12:00 AM and starts a new malware detection session. During the session, the Veeam Data Analyzer Service performs the following operations:

  • Checks for updates for the list of known suspicious files, extensions and indicators of compromise. For more information, see Configuring Guest Indexing Data Scan.
  • Sends an email notification about all malware detection events that were created within the last 24 hours. For more information, see Notifications.
  • Initiates a scan session using a specific malware detection method if there is new backup data that needs to be scanned. Otherwise, the service waits for new data to appear.

To transfer malware detection metadata, allow incoming connections from the backup proxy to the backup server on ports 2500 to 3300. For more information, see Ports.
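
The following added example (not part of the product documentation) shows one way to open this port range on a Windows backup server for the backup proxies only, and to list existing inbound rules that expose the same range to any source. It assumes Windows Defender Firewall and TCP transport (confirm the protocol on the Ports page); the proxy addresses and the rule name are constructed placeholders.

```powershell
# Added example. Run in an elevated session on the backup server.
# Assumptions: Windows Defender Firewall, TCP transport, constructed proxy addresses.
$ProxyAddresses = @('192.0.2.21', '192.0.2.22')             # constructed; use your backup proxies
$RuleName  = 'Malware detection metadata (backup proxies)'  # hypothetical rule name
$FirstPort = 2500
$LastPort  = 3300

# Create the rule once; on later runs only refresh the allowed source addresses.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $ProxyAddresses
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort "$FirstPort-$LastPort" `
        -RemoteAddress $ProxyAddresses | Out-Null
}

# True when a port filter value ('2500', '2000-2600', ...) touches the range.
# 'Any' and named values such as 'RPC' are skipped: those rules are usually program-scoped.
function Test-PortOverlap([string]$Value) {
    if ($Value -match '^(\d+)(?:-(\d+))?$') {
        $low  = [int]$Matches[1]
        $high = if ($Matches[2]) { [int]$Matches[2] } else { $low }
        return ($low -le $LastPort -and $high -ge $FirstPort)
    }
    return $false
}

# List enabled inbound allow rules that expose part of the range to any source.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $ports   = @(($_ | Get-NetFirewallPortFilter).LocalPort)
    $sources = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
    if (($sources -contains 'Any') -and ($ports | Where-Object { Test-PortOverlap $_ })) {
        [pscustomobject]@{ Rule = $_.DisplayName; LocalPort = $ports -join ','; Source = 'Any' }
    }
}
```

Any rule the last step prints allows the same ports from every source address; review whether it can be scoped to the backup infrastructure components that need it.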

If malware activity is detected, the Veeam Data Analyzer Service does the following:

  1. Creates a malware detection event.
  2. Marks the machine and the restore point where malware activity was detected for the first time as Suspicious or Infected.

Note

All subsequent restore points created by the original backup job and by any additional jobs (backup copy job, backup to tape job, and so on) that include the scanned machine will also be marked as Suspicious or Infected until the machine is marked as clean. For more information, see Managing Malware Status.

The malware status of machines and restore points is displayed only in the Veeam Backup & Replication console. If you perform restore operations using standalone applications, for example, Veeam Agent for Microsoft Windows, information about the malware status will not be available.

Page updated 11/29/2024

Page content applies to build 12.3.0.310