How Inline Scan Works
For inline scan, malware detection works in the following way:
- During the backup job, Veeam Backup & Replication analyzes data block metadata and saves ransomware data in a temporary folder on the backup proxy. A file in the RIDX format is created for each disk and contains the following information:
  - Disk metadata (disk name, creation time, disk size, used size, sector size, partition table)
  - Ransomware data for each data block (encrypted data, file types, onion addresses, ransomware notes)
  Note: If LZMA headers are found, they are excluded from the encrypted data calculation to decrease the number of false positive events.
- When the backup job is complete, ransomware data is saved in the VBRCatalog folder on the backup server. By default, the path is %volume%:\VBRCatalog\Index\Machines\%machine_name%\%date%%guid%\ransomwareidx. The Veeam Guest Catalog Service notifies the Veeam Data Analyzer Service about new data that needs to be scanned.
- The Veeam Data Analyzer Service checks the last scan results in the RansomwareIndexAnalyzeState.xml file located in the VBRCatalog folder and initiates a new inline scan. The scan is also initiated if the Veeam Data Analyzer Service receives new indexing data after the service starts.
- During the scan, the Veeam Data Analyzer Service compares the new restore point with the earliest restore point created within the last 25 hours. For example, if two restore points were created 10 and 5 hours ago, the new restore point is compared with the one created 10 hours ago.
  If no restore point was created within the last 25 hours, the service looks for the nearest restore point created within the last 30 days. For example, if two restore points were created 2 days and 10 days ago, the new restore point is compared with the one created 2 days ago.
- The Veeam Data Analyzer Service compares the latest and the previous RIDX files and updates the RansomwareIndexAnalyzeState.xml file. If malware activity is detected, the service creates a malware detection event and marks the objects as Suspicious.
  If the previous RIDX file is not found, the Veeam Data Analyzer Service performs a full disk read to create a RIDX file. In this case, the job session lasts longer than usual, but the size of the incremental backup file is not affected. During this operation, Changed Block Tracking (CBT) is not used. For more information about the option, see Changed Block Tracking.
  A full disk read is also performed if you add a new disk to the VM.
  Note: The first RIDX file is used as the source for the first scan session and is not analyzed after creation.
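The restore point selection rule described above (earliest point within 25 hours, otherwise the nearest point within 30 days, otherwise a full disk read to build a fresh RIDX file), written out as an added example; this is illustrative code, not Veeam's own implementation, and the timestamps and function names are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Optional

# Comparison windows as stated in the documentation.
SHORT_WINDOW = timedelta(hours=25)
LONG_WINDOW = timedelta(days=30)

# Constructed reference time used by the sample inputs below.
NOW = datetime(2024, 1, 10, 12, 0)


def hours_ago(base: datetime, hours: float) -> datetime:
    """Helper for building constructed restore point creation times."""
    return base - timedelta(hours=hours)


def select_baseline(new_point: datetime,
                    previous_points: list[datetime]) -> Optional[datetime]:
    """Pick the restore point the new one is compared against.

    Returns None when no previous point qualifies, which corresponds to the
    case where no previous RIDX file is usable and a full disk read is needed.
    """
    candidates = [p for p in previous_points if p < new_point]
    # Rule 1: earliest restore point created within the last 25 hours.
    recent = [p for p in candidates if new_point - p <= SHORT_WINDOW]
    if recent:
        return min(recent)
    # Rule 2: nearest (most recent) restore point within the last 30 days.
    older = [p for p in candidates if new_point - p <= LONG_WINDOW]
    if older:
        return max(older)
    return None


def describe(new_point: datetime, previous_points: list[datetime]) -> str:
    """Human-readable outcome of the selection, including the fallback branch."""
    baseline = select_baseline(new_point, previous_points)
    if baseline is None:
        return "no previous RIDX: full disk read"
    age_hours = (new_point - baseline).total_seconds() / 3600
    return f"compare with restore point from {age_hours:.0f} hours ago"


if __name__ == "__main__":
    print(describe(NOW, [hours_ago(NOW, 10), hours_ago(NOW, 5)]))
    print(describe(NOW, [hours_ago(NOW, 48), hours_ago(NOW, 240)]))
    print(describe(NOW, []))
```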