Veeam Backup & Replication 13
REST API Reference
Related documents

Malware Detection

The Malware Detection section defines paths and operations for managing malware events and scanning backups with antivirus software or YARA rules.

Get All Malware Events

The HTTP GET request to the /api/v1/malwareDetection/events path allows you to get an array of all malware events created on the backup server.

Available to: Veeam Backup Administrator, Incident API Operator.

SecurityBearer
Request
query Parameters
skip
integer <int32>

Number of events to skip.

limit
integer <int32>
Default: 200

Maximum number of events to return.

orderColumn
string (ESuspiciousActivityEventsFiltersOrderColumn)

Sorts events by one of the event parameters.

Enum: "Type" "DetectionTimeUtc" "CreationTimeUtc" "BackupObjectId" "State" "Source" "Severity" "CreatedBy" "Engine" "Details" "MachineName"
orderAsc
boolean

If true, sorts events in the ascending order by the orderColumn parameter.

typeFilter
Array of strings (ESuspiciousActivityType)

Filters events by event type.

Items Enum: "Unknown" "DeletedUsefulFiles" "RansomwareNotes" "MalwareExtensions" "EncryptedData" "YaraScan" "AntivirusScan" "RenamedFiles" "IndicatorOfCompromise"
detectedAfterTimeUtcFilter
string <date-time>

Returns events created after the specified time, in UTC.

detectedBeforeTimeUtcFilter
string <date-time>

Returns events created before the specified time, in UTC.

backupObjectIdFilter
string <uuid>

Filters events by backup object ID.

stateFilter
Array of strings (ESuspiciousActivityState)

Filters events by state.

Items Enum: "Created" "FalsePositive"
sourceFilter
Array of strings (ESuspiciousActivitySourceType)

Filters events by source type.

Items Enum: "Manual" "InternalVeeamDetector" "External" "MarkAsCleanEvent"
severityFilter
Array of strings (ESuspiciousActivitySeverity)

Filters events by severity.

Items Enum: "Clean" "Suspicious" "Infected" "Informative"
createdByFilter
string

Filters events by the createdBy pattern. To substitute one or more characters, use the asterisk (*) character at the beginning, at the end or both.

engineFilter
string

Filters events by the engine pattern. To substitute one or more characters, use the asterisk (*) character at the beginning, at the end or both.

machineNameFilter
string

Filters events by the machine.displayName pattern. To substitute one or more characters, use the asterisk (*) character at the beginning, at the end or both.

header Parameters
x-api-version
required
string
Default: 1.3-rev0

Version and revision of the client REST API. Must be in the following format: <version>-<revision>.

Responses
200

OK

401

Unauthorized. The authorization header has been expected but not found (or found but is expired).

403

Forbidden. The user sending the request does not have adequate privileges to access one or more objects specified in the request.

500

Internal server error. The request has been received but could not be completed because of an internal error at the server side.

get/api/v1/malwareDetection/events
Request samples 
Response samples 
application/json
{
  • "data": [
    ],
  • "pagination": {
    }
}
Create Malware Event
The HTTP POST request to the /api/v1/malwareDetection/events path allows you to create a new malware event.
Available to: Veeam Backup Administrator, Incident API Operator.


SecurityBearer 
Request 
header Parameters
x-api-version
required
string
 Default:  1.3-rev0
Version and revision of the client REST API. Must be in the following format: <version>-<revision>.


 
Request Body schema: application/json
required
detectionTimeUtc
required
string <date-time> 
Detection date and time, in UTC.


 
required
object (SuspiciousActivityMachineSpec) 
Machine that you want to mark with the malware event. Specify at least 2 parameters.
 Note that Veeam Backup & Replication can identify a machine by its FQDN, IPv4 address and IPv6 address only if the machine has been powered on during the backup. If you back up a powered-off machine, Veeam Backup & Replication will not get the machine IP addresses and domain name and will not be able to identify the machine.


 
details
required
string
Event description.


 
engine
required
string
Detection engine.


 
severity
string (ECreatingSuspiciousActivitySeverity) 
 Default:  "Infected"
Malware status enum for creating suspicious activity operation.


 Enum: "Infected" "Suspicious"  
Responses 
201
Malware event has been created.


400
Bad request. This error is related to POST/PUT requests. The request body is malformed, incomplete or otherwise invalid.


401
Unauthorized. The authorization header has been expected but not found (or found but is expired).


403
Forbidden. The user sending the request does not have adequate privileges to access one or more objects specified in the request.


500
Internal server error. The request has been received but could not be completed because of an internal error at the server side.


post/api/v1/malwareDetection/events
Request samples 
application/json
{
  • "detectionTimeUtc": "2019-08-24T14:15:22Z",
  • "machine": {
    },
  • "details": "string",
  • "engine": "string",
  • "severity": "Infected"
}
Response samples 
application/json
{
  • "data": [
    ],
  • "pagination": {
    }
}
Get Malware Event
The HTTP GET request to the /api/v1/malwareDetection/events/{id} path allows you to get a malware event that has the specified id. 
Available to: Veeam Backup Administrator, Incident API Operator.


SecurityBearer 
Request 
path Parameters
id
required
string <uuid> 
Event ID. To get the ID, run the Get All Malware Events request.


 
header Parameters
x-api-version
required
string
 Default:  1.3-rev0
Version and revision of the client REST API. Must be in the following format: <version>-<revision>.


 
Responses 
200
OK


401
Unauthorized. The authorization header has been expected but not found (or found but is expired).


403
Forbidden. The user sending the request does not have adequate privileges to access one or more objects specified in the request.


404
Not found. No object was found with the path parameter specified in the request.


500
Internal server error. The request has been received but could not be completed because of an internal error at the server side.


get/api/v1/malwareDetection/events/{id}
Request samples 
Response samples 
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "type": "Unknown",
  • "creationTimeUtc": "2019-08-24T14:15:22Z",
  • "detectionTimeUtc": "2019-08-24T14:15:22Z",
  • "machine": {
    },
  • "state": "Created",
  • "details": "string",
  • "source": "Manual",
  • "severity": "Clean",
  • "createdBy": "string",
  • "engine": "string"
}
Mark Infected Objects as Clean
The HTTP POST request to the /api/v1/malwareDetection/backupObjects/markAsClean path allows you to mark infected objects as clean.
Available to: Veeam Backup Administrator, Incident API Operator.


SecurityBearer 
Request 
header Parameters
x-api-version
required
string
 Default:  1.3-rev0
Version and revision of the client REST API. Must be in the following format: <version>-<revision>.


 
Request Body schema: application/json
required
objectIds
required
Array of strings <uuid> 
Array of backup object IDs to be marked as clean.


 
reason
required
string
Reason why the backup objects are marked as clean.


 
markRestorePointsAsClean
boolean
If true, marks all previous restore points as clean and all previous suspicious/infected events as false positive.


 
excludeFromDetection
boolean
If true, excludes the objects from the further scanning process.


 
noteForExclusion
string
Note for exclusion from detection.


 
Responses 
200
OK


400
Bad request. This error is related to POST/PUT requests. The request body is malformed, incomplete or otherwise invalid.


401
Unauthorized. The authorization header has been expected but not found (or found but is expired).


403
Forbidden. The user sending the request does not have adequate privileges to access one or more objects specified in the request.


500
Internal server error. The request has been received but could not be completed because of an internal error at the server side.


post/api/v1/malwareDetection/backupObjects/markAsClean
Request samples 
application/json
{
  • "BackupObjectMarkAsCleanSpecExample": {
    }
}
Response samples 
application/json
{ }
Get YARA Rules
The HTTP GET request to the /api/v1/malwareDetection/yaraRules path allows you to get YARA rules located in the Veeam Backup & Replication installation folder. The default path is %ProgramFiles%\Veeam\Backup and Replication\Backup\YaraRules. 
Available to: Veeam Backup Administrator, Veeam Restore Operator, Incident API Operator.


SecurityBearer 
Request 
header Parameters
x-api-version
required
string
 Default:  1.3-rev0
Version and revision of the client REST API. Must be in the following format: <version>-<revision>.


 
Responses 
200
OK


401
Unauthorized. The authorization header has been expected but not found (or found but is expired).


403
Forbidden. The user sending the request does not have adequate privileges to access one or more objects specified in the request.


404
Not found. No object was found with the path parameter specified in the request.


500
Internal server error. The request has been received but could not be completed because of an internal error at the server side.


get/api/v1/malwareDetection/yaraRules
Request samples 
Response samples 
application/json
{
  • "data": [
    ],
  • "pagination": {
    }
}
Scan Backups with Antivirus or YARA Rules
The HTTP POST request to the /api/v1/malwareDetection/scanBackup allows you to scan backups with antivirus or YARA rules.
Available to: Veeam Backup Administrator, Incident API Operator.


SecurityBearer 
Request 
header Parameters
x-api-version
required
string
 Default:  1.3-rev0
Version and revision of the client REST API. Must be in the following format: <version>-<revision>.


 
Request Body schema: application/json
required
required
Array of objects (BackupObjectPair) 
Array of objects containing the backup IDs and backup object IDs.


 
scanMode
required
string (EMalwareBackupScanMode) 
Backup scan mode.


 Enum Value Description
MostRecent
Use this mode if you think a cyber-attack started recently. Restore points will be scanned sequentially, starting from the most resent restore point, until a malware-free restore point is found.


AllInInterval
Use this mode to scan backup content with necessary YARA rules. Restore points will be scanned sequentially and a malware event will be initiated.


FirstInInterval
Use this mode if you are not sure when the attack started. Restore points will be scanned in optimal order until a malware-free restore point is found.


 
required
object (MalwareBackupScanSpecEngine) 
Type of backup scan engine.


 
object (MalwareBackupScanRange) 
Backup scan range. If you do not specify this parameter, Veeam Backup & Replication will scan all available restore points.


 
continueScan
boolean
If true, the backup scan will continue even after it finds affected restore points.


 
Responses 
201
A SureBackup session has been created to scan the backup. To check the progress, track the session state.


400
Bad request. This error is related to POST/PUT requests. The request body is malformed, incomplete or otherwise invalid.


401
Unauthorized. The authorization header has been expected but not found (or found but is expired).


403
Forbidden. The user sending the request does not have adequate privileges to access one or more objects specified in the request.


500
Internal server error. The request has been received but could not be completed because of an internal error at the server side.


post/api/v1/malwareDetection/scanBackup
Request samples 
application/json
{
  • "backupObjectPair": [
    ],
  • "scanMode": "AllInInterval",
  • "scanEngine": {
    }
}
Response samples 
application/json
{
  • "sessionType": "SureBackup",
  • "state": "Starting",
  • "platformName": null,
  • "id": "a330c612-07b2-4c3a-adbf-0007f904bbfd",
  • "name": "Scan Backup",
  • "jobId": "34b77de9-d5e2-4752-aff8-929bc428e80f",
  • "creationTime": "2024-11-11T12:34:46.027793",
  • "endTime": null,
  • "progressPercent": 0,
  • "result": null,
  • "resourceId": null,
  • "resourceReference": null,
  • "parentSessionId": null,
  • "usn": 0,
  • "platformId": null
}