Our website uses cookies!
By continuing to use our website, you agree with our use of cookies in accordance with our Cookie Policy. You can reject cookies by changing your browser settings.
OK, GOT IT
Veeam Backup & Replication 10
User Guide for VMware vSphere
Related documents
Search this document

Antivirus XML Configuration File

The antivirus software that you plan to use for scanning backups is described in the AntivirusInfos.xml file. Veeam Backup & Replication creates this configuration file on every machine with the mount server role and stores the file in the %ProgramFiles%\Common Files\Veeam\Backup and Replication\Mount Service folder.

During secure restore, Veeam Backup & Replication reads settings from the configuration file and triggers the antivirus to scan backup files. The settings in the file are already predefined for the following antivirus software:

If you want to scan machine data with other antivirus software, you must add configuration for this software to the AntivirusInfos.xml file. The configuration must contain the same elements and attributes as the antiviruses supported out-of-the-box. Mind that the antivirus software must support the command line interface (CLI).

Antivirus XML Configuration FileNote:

If you made changes to the antivirus configuration file, you do not need to restart Veeam services on the backup server — Veeam Backup & Replication will perform the next malware scan with new settings.

XML File Structure

The XML file describing antivirus settings has the following structure:

<Antiviruses>
  <!-- Symantec -->
  <AntivirusInfo Name='Symantec' IsPortableSoftware='false' ExecutableFilePath='Veeam.Backup.Antivirus.Scan.exe' CommandLineParameters='/p:%Path%' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\symcscan' ServiceName='symcscan' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
     <ExitCodes>
        <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
        <ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
        <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
        <ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
        <ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
     </ExitCodes>
  </AntivirusInfo>
   <!-- Eset -->
  <AntivirusInfo Name='Eset File Security' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\ESET\ESET File Security\ecls.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='' ServiceName='' ThreatExistsRegEx='threat\s*=\s*["&apos;](?!is OK["&apos;])[^"&apos;]+["&apos;]' IsParallelScanAvailable='false'>
     <ExitCodes>
        <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
        <ExitCode Type='Infected' Description='Virus threat was detected'>1</ExitCode>
        <ExitCode Type='Warning' Description='Some files were not scanned'>10</ExitCode>
        <ExitCode Type='Infected' Description='Virus threat was detected'>50</ExitCode>
        <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>100</ExitCode>
     </ExitCodes>
  </AntivirusInfo>
  <AntivirusInfo Name='ESET Antivirus' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\ESET\ESET Security\ecls.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='' ServiceName='' ThreatExistsRegEx='threat\s*=\s*["&apos;](?!is OK["&apos;])[^"&apos;]+["&apos;]' IsParallelScanAvailable='false'>
     <ExitCodes>
        <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
        <ExitCode Type='Infected' Description='Virus threat was detected'>1</ExitCode>
        <ExitCode Type='Warning' Description='Some files were not scanned'>10</ExitCode>
        <ExitCode Type='Infected' Description='Virus threat was detected'>50</ExitCode>
        <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>100</ExitCode>
     </ExitCodes>
  </AntivirusInfo>
   <!-- Windows Defender -->
  <AntivirusInfo Name='Windows Defender' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\Windows Defender\mpcmdrun.exe' CommandLineParameters='-Scan -ScanType 3 -File %Path% -DisableRemediation -BootSectorScan' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend' ServiceName='WinDefend' ThreatExistsRegEx='Threat\s+information' IsParallelScanAvailable='false'>
     <ExitCodes>
        <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
        <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
        <ExitCode Type='Infected' Description='Virus threat was detected'>2</ExitCode>
     </ExitCodes>
  </AntivirusInfo>
   <!-- Kaspersky Security -->
  <AntivirusInfo Name='Kaspersky Security' IsPortableSoftware='false' ExecutableFilePath='kavshell.exe' CommandLineParameters='scan %Path%' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\KAVFS' ServiceName='kavfs' ThreatExistsRegEx='' IsParallelScanAvailable='false'>
     <ExitCodes>
        <ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
        <ExitCode Type='Warning' Description='There were processing errors for some files'>-82</ExitCode>
        <ExitCode Type='Warning' Description='Some files were not scanned'>-83</ExitCode>
        <ExitCode Type='Warning' Description='Some files were corrupted'>-84</ExitCode>
        <ExitCode Type='Error' Description='Operation timed out'>2</ExitCode>
        <ExitCode Type='Error' Description='Antivirus scan was canceled'>1</ExitCode>
        <ExitCode Type='Error' Description='Service process is not running'>-2</ExitCode>
        <ExitCode Type='Error' Description='Access denied'>-3</ExitCode>
        <ExitCode Type='Error' Description='Object not found'>-4</ExitCode>
        <ExitCode Type='Error' Description='Invalid syntax'>-5</ExitCode>
        <ExitCode Type='Error' Description='Invalid operation'>-6</ExitCode>
        <ExitCode Type='Error' Description='Service does not exist'>-7</ExitCode>
        <ExitCode Type='Error' Description='Service disabled'>-8</ExitCode>
        <ExitCode Type='Error' Description='Service logon failure'>-9</ExitCode>
        <ExitCode Type='Error' Description='Unable to create file'>-10</ExitCode>
        <ExitCode Type='Error' Description='Invalid command line argument'>-11</ExitCode>
        <ExitCode Type='Error' Description='Invalid password'>-12</ExitCode>
        <ExitCode Type='Error' Description='Cannot create report file'>-85</ExitCode>
        <ExitCode Type='Error' Description='License is invalid'>-301</ExitCode>
        <ExitCode Type='Error' Description='Antivirus bases are corrupted'>-236</ExitCode>
        <ExitCode Type='Infected' Description='Infected object was detected'>-80</ExitCode>
        <ExitCode Type='Infected' Description='Possibly infected object was detected'>-81</ExitCode>
     </ExitCodes>
  </AntivirusInfo>
</Antiviruses>

 

The XML file contains the following elements:

  • Antiviruses. The element encapsulates the file with antivirus settings.
  • AntivirusInfo. The element describes the antivirus software.
  • ExitCodes. The element encapsulates messages that Veeam Backup & Replication displays on scan results.
  • ExitCode. The element describes the subject and the body of the message that Veeam Backup & Replication displays on scan results.

AntivirusInfo

The element has the following attributes:

Attribute

Description

Name

Specifies the antivirus name. Veeam Backup & Replication will display this name in restore session logs.

IsPortableSoftware

Indicates if antivirus software is portable:

  • If you set this attribute to True, Veeam Backup & Replication will treat the antivirus software as portable. Before performing secure restore, Veeam Backup & Replication will verify if the antivirus executable file exists. The path to the file is specified by the ExecutableFilePath attribute.
  • If you set this attribute to False, Veeam Backup & Replication will treat the antivirus software as non-portable. Before performing secure restore, Veeam Backup & Replication will verify if the antivirus registry key exists and if the antivirus service is running.
    The key is specified by the RegPath attribute. The service name is specified by the ServiceName attribute.

ExecutableFilePath

Specifies the path to the antivirus executable file.

CommandLineParameters

Specifies antivirus commands that you want to execute during the scan. Make sure that the antivirus supports the specified commands. For example, the list of commands for ESET is available in this ESET KB article.

Note: The %Path% variable is required for this attribute. During secure restore, Veeam Backup & Replication substitutes this variable for the path to the folder with mounted disks (C:\VeeamFLR\<machinename>).

ServiceName

Specifies the name of the antivirus service. The service must be responsible for data scanning. The attribute value can be an empty string if IsPortableSoftware = True and ExecutableFilePath is specified.

RegPath

Specifies the registry key of the anitivirus service. The attribute value can be an empty string if IsPortableSoftware = True and ExecutableFilePath is specified.

ThreatExistsRegEx

Specifies regular expressions. A regular expression is a sequence of characters that form a search pattern. Veeam Backup & Replication will search the antivirus output messages for the specified regular expression. If any of the output messages match the expression, Veeam Backup & Replication will notify you on detected threat.

Note: You must have a good understanding of the regular expression language to specify this attribute properly. For more information on the regular expression language, see Microsoft Docs.

IsParallelScanAvailable

Indicates if the antivirus will run multiple jobs to scan files on mounted disks simultaneously.

If you set this attribute to True, Veeam Backup & Replication will lock the antivirus to perform the scan for the current restore session. The antivirus will not be available for other sessions with enabled secure restore until the scan completes.

The default value for antivirus lock time-out is 24 hours. If the scan does not complete after this period, Veeam Backup & Replication will finish other restore sessions as specified in the restore wizard: abort restore sessions or restore machines (or its disks) with restrictions.

Note: You can change the lock time-out using registry keys. For more information, contact Veeam Support.

If the antivirus CLI does not support multiple scan jobs, set this attribute to False.

ExitCode

The element has the following attributes:

Attribute

Description

Type

Specifies the subject of the message that Veeam Backup & Replication will display on scan results:

  • Success
  • Infected
  • Warning
  • Error

Description

Specifies the body of the message that Veeam Backup & Replication will display on scan results.

 

 

Antivirus XML Configuration FileTip:

You can distribute the XML configuration file among other mount servers in your backup infrastructure using Veeam PowerShell. For more information, see the Copy-VBRAntivirusConfigurationFile section in the Veeam PowerShell Reference.

Related Topics

How Secure Restore Works

This Document Help Center
User Guide for VMware vSphereUser Guide for Microsoft Hyper-VVeeam Backup Enterprise Manager GuideVeeam Agent Management GuideVeeam Cloud Connect GuideVeeam Explorers User GuideVeeam Plug-ins for Enterprise Applications GuideVeeam PowerShell ReferenceVeeam Explorers PowerShell ReferenceVeeam RESTful API ReferenceRequired Permissions for VMware vSphereQuick Start Guide for VMware vSphereQuick Start Guide for Microsoft Hyper-VVeeam Backup for AWS DocumentationVeeam Availability for Nutanix AHV DocumentationVeeam Backup for Microsoft Office 365 DocumentationVeeam ONE DocumentationVeeam Agent for Windows DocumentationVeeam Agent for Linux DocumentationVeeam Management Pack Documentation
I want to report a typo

There is a misspelling right here:

 

I want to let the Veeam Documentation Team know about that.