How Scan Backup Works
For Scan Backup session, malware detection works in the following way:
- Veeam Backup & Replication mounts disks of the machine that you plan to scan to the mount server.
- On the mount server, Veeam Backup & Replication runs the Veeam Mount Service to perform the following steps:
- Mount machine disks from backups to the mount server under the C:\VeeamFLR\<machinename> folder.
- Initiate a new scan session.
- If you search for the last clean restore point using Veeam Threat Hunter, third-party antivirus software, or YARA, consider the following:
- If a clean restore point is found, the Scan Backup session will be finished with the Success status. The malware detection event will not be created.
- If a clean restore point is not found, the Scan Backup session will be finished with the Failed status. The malware detection event will be created for each restore point. Objects will be marked as Infected.
- If you check the restore point for sensitive data using YARA, consider the following:
- If sensitive data is found, the Scan Backup session will be finished with the Failed status.
- If sensitive data is not found, the Scan Backup session will be finished with the Success status.
In both cases, the malware detection event will not be created.
By default, the mount server role is assigned to the backup server or a backup repository. However, you can assign the mount server role to any 64-bit Microsoft Windows machine in your backup infrastructure. For example, you may want to run the malware detection scan on a different server for security reasons. For more information about mount server deployment and requirements, see Mount Servers.