How Malware Detection Works

Malware detection is managed by the Veeam Data Analyzer Service. The service restarts once a day at 12:00 AM and starts a new malware detection session. During the session, the Veeam Data Analyzer Service performs the following operations:

  • Checks updates for the list of known suspicious files and extensions. For more information, see Managing List of Suspicious Files and Extensions.
  • Sends an email notification about all malware detection events that were created within the last 24 hours. For more information, see Notifications.
  • Initiates a scan session using a specific malware detection method if there is new backup data that needs to be scanned. Otherwise, the service waits for new data to appear.

If malware activity is detected, the Veeam Data Analyzer Service does the following:

  1. Creates a malware detection event.
  2. Marks the machine and the restore point where malware activity was detected for the first time as Suspicious or Infected.


All next restore points created by the original backup job and any additional jobs (backup copy job, backup to tape job, and so on) that include the scanned machine will also be marked as Suspicious or Infected until the machine is marked as clean. For more information, see Managing Malware Status.

The malware status of machines and restore points is displayed only in the Veeam Backup & Replication console. If you perform restore operations using standalone applications, for example, Veeam Agent for Microsoft Windows, information about the malware status will not be available.


Page updated 1/31/2024

Page content applies to build