Multiple Deleted Files

To detect the deletion of multiple files, the Veeam Data Analyzer Service compares guest indexing data from two restore points. The later restore point will be compared with the earliest restore point from the same 25-hour period. If there is no restore point, the scan will use the most recent restore point from the same 30-day period. If the deletion of multiple files is present only in the later restore point, a malware detection event is created.

A malware detection event will be created if the following conditions are met:

At least 100 files with a specific extension have been deleted.
The percentage of deleted files compared to the total amount of files with this extension is more than 50%.

Tracked extensions can be found in the TrackedFiles.xml file. The default path is C:\Program Files\Veeam\Backup and Replication\Backup\TrackedFiles.xml.

You can configure tracked file extensions in the following way:

Change the file thresholds.
Add and remove file extensions.
Add ignored folders.

Changing File Thresholds

To change scan sensitivity, open the TrackedFiles.xml file and specify new values for the following thresholds:

Thresholdpercent — the percentage of files with the specified extension that must be deleted before a malware detection event is created. The default value is 50.
Thresholdfiles — the minimum number of files with the specified extension that must be deleted before a malware detection event is created. The default value is 100.

Make sure that you configure the values correctly. During a scan, both thresholds must be reached to trigger a malware detection event.

Note

When a malware detection event is marked as a false positive, the file deletion detection threshold will be automatically increased by 5 percent to a maximum of 90 percent.

Adding and Removing File Extensions

To start tracking a custom file extension, open the TrackedFiles.xml file and add the FileMaskData element with the following attributes:

<FileMaskData>
<FileMask>.%fileextension%</FileMask>
<ThresholdPercent>%1-100%</ThresholdPercent>
<ThresholdFiles>%integer%</ThresholdFiles>
</FileMaskData>

To stop tracking specific file extensions, delete the FileMaskData element for the file extension in the TrackedFiles.xml file. You can also remove default extensions.

Adding Ignored Folders

By default, ignored folders are inherited from the SuspiciousFiles.xml file and located at the beginning of the TrackedFiles.xml file. To add a specific folder to the ignored paths:

Open the TrackedFiles.xml file.
Go to the IgnoredPaths element.
Add a new Path attribute with the folder name as shown in the example below.

<IgnoredPaths>
<Path>$Recycle.Bin</Path>
<Path>System Volume Information</Path>
<Path>~Example Folder Name~</Path>
</IgnoredPaths>