Guest Indexing Data Scan

To scan guest indexing data, Veeam Backup & Replication uses file system activity analysis. During the backup job, the following malware activity can be detected:

  • Known suspicious files and extensions specified in the SuspiciousFiles.xml file. The file is located on the backup server in the Veeam Backup & Replication product folder. The path by default: C:\Program Files\Veeam\Backup and Replication\Backup\SuspiciousFiles.xml.


Do not edit the SuspiciousFiles.xml directly. If you want to customize the list of suspicious files and extensions, you can do it in the malware detection settings. For more information, see Managing List of Suspicious Files and Extensions.

  • Multiple files renamed by malware. A malware detection event will be created if the following conditions are met:
    • There must be at least 200 renamed files with the same or different extensions.
    • These extensions are not specified in the SuspiciousFiles.xml file.
  • Multiple files deleted by malware. A malware detection event will be created if at least 25 files with specific extensions or 50% of files with specific extensions are deleted.


Detection of "sleeping" malware is not supported by this method.

You can scan guest indexing data when backing up the following machines:

  • VMware VMs including VMware Cloud Director VMs
  • Hyper-V VMs
  • Machines with Veeam Agent for Microsoft Windows operating in the managed mode (image-level and volume-level backup)

In This Section

Page updated 3/6/2024

Page content applies to build