Malware Detection Methods

Veeam Backup & Replication supports the following malware detection methods:

Malware detection method: File system activity analysis

Scan objects: Guest indexing data

Notes:

During the backup job, detects the following malware activity:

  • Known suspicious files and extensions
  • Indicators of compromise
  • Deleted files
  • Extension changes

Marks objects as Suspicious.

For more information, see Guest Indexing Data Scan.

Malware detection method: Inline entropy analysis

Scan objects: Blocks in a data stream

Notes:

During the backup job, detects the following malware activity:

  • Encrypted files
  • Onion links
  • Ransom notes

Marks objects as Suspicious.

For more information, see Inline Scan.

Malware detection method: Signature-based detection (Veeam Threat Hunter)

Scan objects: Restore points

Notes:

During the Scan Backup session, finds the last clean restore point. For more information, see Veeam Threat Hunter for Scan Backup.

During the restore session with the Secure Restore option, detects malware activity. For more information, see Veeam Threat Hunter for Secure Restore.

During the SureBackup job, detects malware activity. For more information, see SureBackup Job.

Marks objects as Infected.

Malware detection method: Third-party antivirus software

Scan objects: Restore points

Notes:

During the Scan Backup session, finds the last clean restore point. For more information, see Antivirus Scan for Scan Backup.

During the restore session with the Secure Restore option, detects malware activity as specified in the antivirus configuration file. For more information, see Antivirus Scan for Secure Restore.

During the SureBackup job, detects malware activity. For more information, see SureBackup Job.

Marks objects as Infected.

Malware detection method: Rule-based detection (YARA)

Scan objects: Restore points

Notes:

During the Scan Backup session, does one of the following:

  • Finds the last clean restore point
  • Analyzes the content for specific information

For more information, see YARA Scan for Scan Backup.

During the restore session with the Secure Restore option, detects malware activity as specified in the YARA rule. For more information, see YARA Scan for Secure Restore.

During the SureBackup job, detects malware activity. For more information, see SureBackup Job.

Marks objects as Infected.

Malware detection method: Third-party malware protection solution

Scan objects: Depends on the configuration of the malware protection solution

Notes:

Uses Veeam Incident API to send a request about detected malware activity to Veeam Backup & Replication.

Marks objects as Infected.

For more information, see Veeam Backup & Replication REST API Reference.
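
The idea behind inline entropy analysis of blocks in a data stream, as an added Python sketch (not Veeam's implementation, which this page does not describe): it scores each block by Shannon entropy and searches for Tor v3 onion addresses, including one split across a block boundary. The block size, the 7.5 bits-per-byte threshold and all function names are assumptions chosen for illustration; ransom note detection is left out.

```python
import math
import re
from collections import Counter

BLOCK_SIZE = 4096        # assumed block size
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits per byte (maximum is 8.0)
# Tor v3 onion address: 56 base32 characters followed by ".onion"
ONION_RE = re.compile(rb"\b[a-z2-7]{56}\.onion\b")
CARRY = 61               # one byte less than a full 62-byte address


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    total = len(block)
    return sum(n / total * math.log2(total / n) for n in Counter(block).values())


def scan_stream(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return one finding per block that looks encrypted or holds an onion link."""
    findings, carry = [], b""
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        reasons = []
        entropy = shannon_entropy(block)
        # A short tail block has too few bytes for a meaningful entropy estimate.
        if len(block) == block_size and entropy >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy")
        # Prepend the previous block's tail so an address split across
        # two blocks is still seen, attributed to the later block.
        if ONION_RE.search(carry + block):
            reasons.append("onion-link")
        if reasons:
            findings.append({"offset": offset, "entropy": round(entropy, 2), "reasons": reasons})
        carry = block[-CARRY:]
    return findings


if __name__ == "__main__":
    import hashlib
    # Constructed sample: plain text, a pseudo-random block, then padding
    # with a placeholder address that straddles a block boundary.
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    sample = b"A" * 4096 + random_like + b" " * 4080 + b"a" * 56 + b".onion" + b" " * 100
    for finding in scan_stream(sample):
        print(finding)
```

High entropy is also typical of compressed archives and media files, so a hit from a check like this is a reason to look closer, which fits the Suspicious (rather than Infected) marking listed for this method.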

Page updated 11/27/2024

Page content applies to build 12.3.0.310