How Guest Indexing Data Scan Works
For guest indexing data, malware detection works in the following way:
- When the backup job with enabled guest file system indexing is complete and indexing data is saved in the VBRCatalog folder on the backup server, the Veeam Guest Catalog Service notifies the Veeam Data Analyzer Service about new data that need to be scanned.
- The Veeam Data Analyzer Service checks last scan results in the GuestIndexAnalyzeState.xml file located in the VBRCatalog folder and initiates a new guest indexing data scan.
The guest indexing data scan is also initiated in the following situations:
- If the Veeam Data Analyzer Service gets new indexing data after the service starts.
- If you disable guest indexing data scan for some period of time and enable it again. Indexing data created during this time will be scanned.
- If you import backups with the enabled Import guest file system index data to the catalog check box.
If you upgrade to Veeam Backup & Replication 12.1 (build 126.96.36.1991), old indexing data will not be scanned.
- To detect known suspicious files and extensions, the Veeam Data Analyzer Service compares guest indexing data with the SuspiciousFiles.xml file. If you added a custom configuration, it is primarily used for comparison. For more information about the custom configuration, see Managing List of Suspicious Files and Extensions.
- To detect multiple files renamed or deleted by malware, the Veeam Data Analyzer Service compares a new restore point with the earliest one created for the last 25 hours. For example, two restore points were created 10 and 5 hours ago. The new restore point will be compared with the restore point created 10 hours ago.
If the previous restore point was not created for the last 25 hours, the service tries to find the nearest restore point created for the last 30 days. For example, two restore points were created 2 days and 10 days ago. The new restore point will be compared with the restore point created 2 days ago.
- The Veeam Data Analyzer Service writes scan results to the GuestIndexAnalyzeState.xml file. If malware activity is detected, the service will create a malware detection event and mark objects as Suspicious.
Information about detected malware activity is stored in malware detection logs. The path by default: C:\ProgramData\Veeam\Backup\Malware_Detection_Logs. Starting from Veeam Backup & Replication 12.1.1 (build 188.8.131.52), you can also view the detailed log in the Event Details window. For more details, see Viewing Malware Detection Events.