Guest Indexing Data Scan
To scan guest indexing data, Veeam Backup & Replication uses file system activity analysis. During the backup job, the following malware activity can be detected:
- Known suspicious files and extensions specified in the SuspiciousFiles.xml file. The file is located on the backup server in the Veeam Backup & Replication product folder. The default path is: C:\Program Files\Veeam\Backup and Replication\Backup\SuspiciousFiles.xml.
Note: Do not edit the SuspiciousFiles.xml directly. If you want to customize the list of suspicious files and extensions, you can do it in the malware detection settings. For more information, see Managing List of Suspicious Files and Extensions.
- When multiple files are renamed, a malware detection event will be created if both conditions are met:
  - At least 200 files with the same or different extensions are renamed within a single folder.
  - These extensions are not specified in the SuspiciousFiles.xml file.
- When multiple files are deleted, a malware detection event will be created if both conditions are met:
  - At least 100 files with a specific extension are deleted.
  - The percentage of deleted files compared to the total number of files with this extension is more than 50%.
Note: You can edit the default settings for deleted files detection. For more information, see Configuring Settings for Deleted Files Detection.
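The rename and delete conditions above, applied to two file listings as an added example (not Veeam's code or its index format). It assumes each listing is a `{file_id: path}` map, reads "these extensions" as the extension after the rename, and measures the delete share against the earlier listing; all paths and extensions are constructed.

```python
from collections import Counter
from pathlib import PureWindowsPath

RENAME_MIN = 200    # page: at least 200 files renamed within a single folder
DELETE_MIN = 100    # page: at least 100 deleted files with one extension
DELETE_RATIO = 0.5  # page: more than 50% of all files with that extension

def ext(path):
    return PureWindowsPath(path).suffix.lower()

def detect(prev, curr, listed_exts):
    """prev/curr: {file_id: path} for two consecutive listings (assumed model)."""
    events = []
    renamed = Counter()
    for fid, old in prev.items():
        new = curr.get(fid)
        if new and new != old:
            o, n = PureWindowsPath(old), PureWindowsPath(new)
            # Assumption: a listed extension is left to the known-files rule.
            if o.parent == n.parent and ext(new) not in listed_exts:
                renamed[str(n.parent)] += 1
    events += [("renamed", d, c) for d, c in renamed.items() if c >= RENAME_MIN]
    total = Counter(ext(p) for p in prev.values())
    deleted = Counter(ext(p) for fid, p in prev.items() if fid not in curr)
    for e, c in deleted.items():
        # Both conditions must hold: absolute count and share of that extension.
        if c >= DELETE_MIN and c / total[e] > DELETE_RATIO:
            events.append(("deleted", e, c))
    return events

def sample():
    """Constructed listings; paths and the .qz9x extension are made up."""
    prev, curr = {}, {}
    def add(tag, count, old, new=None, delete=0):
        for i in range(count):
            prev[f"{tag}{i}"] = old.format(i)
            if i >= delete:  # the first `delete` files vanish from curr
                curr[f"{tag}{i}"] = (new or old).format(i)
    add("a", 250, r"C:\Share\Docs\f{}.docx", r"C:\Share\Docs\f{}.docx.qz9x")
    add("b", 150, r"C:\Share\Other\f{}.xlsx", r"C:\Share\Other\f{}.xlsx.qz9x")
    add("c", 300, r"C:\Data\d{}.bak", delete=120)  # 40% deleted: no event
    add("d", 180, r"C:\Data\t{}.tmp", delete=120)  # 67% deleted: event
    add("e", 90, r"C:\Data\l{}.log", delete=90)    # 100% but only 90 files
    return prev, curr

if __name__ == "__main__":
    for event in detect(*sample(), listed_exts={".listed-example"}):
        print(event)
```

The sample shows why each rule needs both conditions: 150 renames in one folder, a 40% deletion of 300 files, and a full deletion of only 90 files all stay below the event threshold.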
Event Logs
When a malware detection event occurs, a log file is created. The default path is C:\ProgramData\Veeam\Backup\Malware_Detection_Logs.
Logs older than 7 days are automatically archived on Mondays.
Supported Scenarios
Consider the following:
- You can only scan guest indexing data when backing up the following machines:
  - VMware VMs including VMware Cloud Director VMs
  - Hyper-V VMs
  - Machines with Veeam Agent for Microsoft Windows
- Detection of "sleeping" malware is not supported by this method.