How Veeam Threat Hunter Works

Veeam Threat Hunter is a signature-based scan engine provided by Veeam. It is used as an alternative to third-party antivirus software to scan the restore points. The Veeam Threat Hunter Service is automatically installed on a mount server and runs in the background.

During the restore session, Veeam Threat Hunter scan works in the following way:

On the mount server, Veeam Backup & Replication runs the Veeam Mount Service to perform the following steps:

Mount machine disks from backups to the mount server under the C:\VeeamFLR\<machinename> folder.
Initiate a new scan session.

If Veeam Threat Hunter does not detect malware activity, Veeam Backup & Replication will restore the machine to the target location. The malware detection event will not be created.
If Veeam Threat Hunter detects malware activity, Veeam Backup & Replication will perform the following steps:

Abort the restore process or restore the machine with restrictions depending on secure restore settings.

Create the malware detection event and mark objects as Infected.

Note

Consider the following:

Veeam Threat Hunter checks updates for malware signatures before running the scan, but not more often than every 15 minutes. Note that the initial malware signature update may take longer than the subsequent updates.
By default, Veeam Threat Hunter checks all files on disks. If you want to add exclusions, see this KB article.
If you deploy a new installation of Veeam Backup & Replication, Veeam Threat Hunter will be selected as a default scan engine in the malware detection settings. The Veeam Threat Hunter Service will be automatically installed on a mount server when you add it to the backup infrastructure.
If you upgrade to Veeam Backup & Replication 12.3 or later, the Veeam Threat Hunter Service will be automatically installed on a mount server after the upgrade. For backward compatibility, third-party antivirus software will be selected as a default scan engine in the malware detection settings.