
 

What is Scan Backup?
Scan Backup is a feature introduced in Veeam Backup & Replication v12.1 that focuses on early threat detection by scanning restore points for potential malware or other cyber threats. This functionality enhances data security by allowing administrators to identify clean restore points after a malware attack.

How Does It Work?
The Scan Backup process utilizes a rule-based detection approach like antivirus software. Here's how it operates:

  1. Restore Point Scanning: You can initiate a Scan Backup session to examine restore points for signs of malware or other threats.
  2. Detecting Clean Restore Points:
    • Post-Attack Recovery: If a malware attack is suspected, the scan can identify the last clean restore point, helping you revert to a safe state.
    • Unknown Attack Dates: If the exact date of the malware attack is unclear, the scan can help find the most recent unaffected backup.
  3. Sensitive Data Search: The scan can also be used to search for specific information within backups, such as sensitive data that may need to be protected or identified.

The Scan Backup session for malware detection operates as follows:

  1. Disk Mounting: Veeam Backup & Replication mounts the disks of the machine you want to scan to a designated mount server.
  2. Using Veeam Mount Service: On the mount server, the Veeam Mount Service performs these steps:
    • It mounts the machine's disks from the backups to the directory C:\VeeamFLR\<machinename>.
    • It initiates a new scan session.
  3. Malware Detection:
    • Finding a Clean Restore Point:
      • If a clean restore point is found using antivirus software or YARA rules, the Scan Backup session concludes with a Success status, and no malware detection event is created.
      • If a clean restore point is not found, the session ends with a Failed status, and a malware detection event is created for each restore point, marking those objects as Infected.
  4. Sensitive Data Check:
    • If sensitive data is detected using YARA rules, the Scan Backup session finishes with a Failed status.
    • If no sensitive data is found, the session concludes with a Success status, and no malware detection event is created.
  5. Mount Server Configuration: By default, the mount server role is assigned to the backup server or a backup repository. However, you can assign this role to any 64-bit Microsoft Windows machine within your backup infrastructure. This allows for running malware detection scans on a separate server for enhanced security.

For more details on deploying and configuring mount servers, refer to the Mount Servers documentation.

 

Supported Backups:

  • Image-Level Backups: Works with image-level backups of virtual machines (VMs) across various platforms, including VMware, Hyper-V, Cloud Director, Nutanix AHV, OLVM, RHV, and Proxmox VE.
  • Physical Machine Backups: Supports image-level backups and backup copies for Microsoft Windows physical machines.

Unsupported Backups:

  • Linux VM image-level backups and their copies.
  • Storage snapshots.
  • Backups stored on Veeam Cloud Connect or on the SOBR (Scale-Out Backup Repository) archive tier.

Summary

The Scan Backup feature in Veeam provides an essential layer of security by enabling organizations to quickly identify clean restore points and protect against potential threats. It significantly aids in disaster recovery planning and incident response by ensuring that backups are secure and recoverable.

https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection_scan_backup.html?ver=120
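
As an added illustration of the sensitive data check described in the post above (not part of the original post and not a rule shipped by Veeam), here is a YARA rule of the kind that produces a match and, per the post, a Failed session status. The rule name, the marker string and the thresholds are constructed assumptions.

```yara
// Added example: all names and values below are constructed for illustration.
rule Sensitive_Data_Example
{
    meta:
        description = "Flags files holding a classification marker or several SSN-formatted values"
        note = "constructed example, adjust to your own data classification scheme"

    strings:
        // Hypothetical classification banner; replace with your organisation's own marker.
        $marker = "EXAMPLE-CORP CONFIDENTIAL" ascii wide nocase
        // US SSN layout NNN-NN-NNNN, delimited by word boundaries.
        $ssn = /\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b/ ascii

    condition:
        // Bound scan time by skipping very large files, and require several
        // SSN-shaped hits so a single look-alike string does not flag a file.
        filesize < 50MB and ($marker or #ssn >= 5)
}
```

Because a match ends the session with a Failed status, a pattern that is too loose will mark otherwise healthy restore points as failed; tune the hit threshold against known-good backups first.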

No I have not tried scan backup but will now. 😁

Great article and explanation Sean.  Love seeing Veeam evolve.


Keep in mind that this is a different feature than the inline scanning.


Keep in mind that this is a different feature than the inline scanning.

Oh absolutely.  I definitely knew that.  😉


@Madi.Cristil @safiya - can you change this to a Discussion topic from a question?  It is about a feature, so not a question.


trying to figure out how to edit it…

 


@SSimpson - yep, I have...and wrote a little about this in my “Malware” posts. Linux currently isn’t supported, but I hear it should be coming “soon” (such an imprecise word 😉 ). Good post!


trying to figure out how to edit it…

 

Once posted you cannot edit it and Admins need to change it.  😉

 
 
 

I forgot it was an option to scan outside of a SureBackup or a restore or inline scanning.  I need to play with this feature because it looks awesome!  Thanks for posting this!


I already used this feature and really like it. Thanks for the write-up.

