How Orchestrator Performs Ransomware Scan

Before you run a cloud plan to recover a machine to the production environment, Orchestrator allows you to perform ransomware scan for the protected machine using Veeam Secure Restore.

When running a cloud plan, Orchestrator performs ransomware scan in the following way:

  1. Disks of the machine that is being restored are mounted to the mount server.
  2. On the mount server, antivirus software is triggered to scan files from the mounted disks.
  3. Orchestrator iterates through the number of restore points specified while running the plan one by one to detect a restore point with no viruses.
  4. If a clean restore point is detected, Orchestrator successfully restores the machine to the selected recovery location.

If no clean restore point is detected, Orchestrator either halts the plan or restores the machine to a quarantine network depending on the configured restore point settings.


If restore points of all machines included in the plan are stored in one repository, Orchestrator will process machines one by one. This process may take a while, affecting the plan RTO.

The results of ransomware scan are included in the Readiness Check and Plan Execution reports.

Requirements and Limitations for Ransomware Scan

To allow Orchestrator to perform ransomware scan, the following prerequisites must be met:

  • Ransomware scan is supported only for Windows-based machines and for restore points stored in on-premises repositories only.
  • The Veeam Backup & Replication server that manages the process of recovering machines to Microsoft Azure must run version 12 or later.
  • Antivirus software must be installed on the mount server and support the command line interface (CLI). The following antivirus software is supported: Microsoft Defender, Kaspersky, ESET and Symantec Protection Engine.