Hello,

Can someone here help me understand malware detection in Veeam?

  • What will happen if there is any malware inside the source VM? Will Veeam cancel the backup job?
  • As far as I know, Veeam can integrate with other 3rd-party antivirus vendors. If the VBR server is using Microsoft Defender, does this mean Veeam will use Windows Defender to scan for malware?

Hi @hs08  - 

No, the Malware Detection doesn't stop jobs. Depending on the "engine" you use (or both), Veeam finds Detection 'inline' or via 'file system analysis'. You'll receive a notification email of the Detection, as well as the VM marked in the Console. You'll then need to perform forensics on the VM to determine if the detected threat is legitimate or a false positive.

I highly recommend reading this part of the User Guide...it's not too hard of a read:

https://helpcenter.veeam.com/docs/backup/vsphere/malware_detection.html?ver=120

If you don't use any 3rd party A/V then when you run a scan Backup task, yes, Veeam will use Defender. 

I also wrote a couple blogs on Malware Detection 

Hope that helps. 


hi @coolsport00 

Thanks for the reference article. I already read it but still have some questions below:

  • If the source VM is infected, VBR still does the backup job, so does this mean malware detection acts only as detection and gives us an alert?
  • When doing the restoration, does this mean the restored VM is still infected by malware and not cleaned by VBR?
  • If the antivirus engine on the source VM is, let's say, Windows Defender, and on the VBR server it is Sophos, for example, does this mean malware detection on VBR will use the Sophos engine? In my mind, if the VBR has a different antivirus product than the source VM, we will have double protection. Am I right?

To answer your questions:

  1. Yes, Veeam doesn’t stop taking a backup because it “potentially” detected malware. Yes, Veeam only does Malware Detection, not remediation. That is up to you, and that makes sense.
  2. No, not necessarily. When you get an alert/notification of potential Malware, YOU have to investigate, to include a Scan Backup operation to see if what Veeam found is legit or a false positive. You either clean the infection off manually or by the A/V tool, or after the Scan determine what was detected is a false pos and you then mark the VM as clean (shown in the Guide as well). During a Restore, depending on the type of Restore you’re doing, Veeam has the ability to do a Secure Restore, which is pretty much the exact same thing as a Scan Backup operation but just does so during a Restore → Veeam will scan the VM for potential known viruses/malware using your org’s A/V tool. If not Defender, you have to create an XML file and place it on the Mount Server used for Restore.
  3. Potentially. But, I don’t think it works that way. I think Veeam scans only what is deployed on all your machines (VMs). You may have to check with Veeam Support. But, I’m not sure why you’d have an additional A/V on just your VBR server and not everything else.

Hope that helps.

