Question

Malware Detection on Veeam Backup & Replication v13

  • March 11, 2026
  • 4 comments
  • 32 views

Malware detection scanned a suspicious file from backup, but the file is actually legit, so I marked it as Clean and Exclude. If I modify the same file for testing purposes, will malware detection flag it as a safe, legit file since I marked it Clean and Exclude? Or will it be detected as suspicious again? Thanks.

4 comments

Chris.Childerhose

If you excluded it, then it should technically not be detected again; however, it is possible Veeam sees it changed and scans it again.


  • Author
  • New Here
  • March 11, 2026

So when it scans it again because the file has been modified, and if it matches the criteria for a suspicious malware file, then it will flag it again? I want to confirm that it will flag it as suspicious after modifying, in the scenario that the file becomes potentially compromised.

Searching the web, I found this, if this is a true statement from Veeam:

If a file marked as "clean and excluded" is modified, Veeam Backup & Replication will likely rescan it in future jobs, and it will be flagged as suspicious again if it matches malware signatures. The exclusion is based on the specific state/signature of the file at the time it was marked clean.

The "mark as clean" action in Veeam is generally persistent for that specific restore point and subsequent restore points in a backup chain, provided no new malware event is detected. However, modifying a file fundamentally changes its signature or content, which means:

  • The original "clean" status is invalidated because the file is no longer the exact same object.
  • The modified file will be treated as a new or changed file during the next backup and subsequent malware scan.
  • If the new content or changes trigger the detection mechanisms (signature-based scan or entropy analysis), Veeam will mark it as suspicious again.

This behavior is a crucial security feature designed to prevent a malicious file from being "whitelisted" indefinitely if it is later changed to contain actual malware. You would need to re-evaluate the file and potentially mark the new instance as clean again if it is a false positive. 


Chris.Childerhose

Yeah, I figured it would rescan it, which is a good thing and answers your question.


coolsport00
  • Veeam Legend
  • March 12, 2026

@JoseM - the only way to be sure whether the file initially marked as malicious, then Marked as Clean by you, comes back as suspicious after you make a change to it would be to test it in Veeam. Malware Detection has been out a couple of years now but is still maturing. I’ve worked with the Product Managers and Support directly to help make the scan engine for MD better with some false positives I was receiving (still receive occasionally).

If indeed Veeam re-marks the file as suspicious after a change, that would make sense, but I can also see it not doing so depending on the change made. I’m not sure, for example, that making a superficial file name change would cause it to come back as suspicious again. Changing the actual contents, I could see it coming back as potentially suspicious again though, depending on what the content change is.

Best.