Introduction
Backups are the last line of defense when cyberattacks strike. Veeam users rely on the platform to restore data quickly and reliably in critical situations. However, availability alone is not enough: backups must also be trustworthy. To address this challenge, I created a Python script that uses the Veeam Data Integration API and runs the THOR APT Scanner against the presented restore point(s).
Who is Nextron, and what is THOR?
Nextron Systems specializes in forensic threat detection. Their flagship product, THOR, is widely used by incident response and security teams to uncover attacker tools and traces that traditional solutions may miss. Unlike classic antivirus integrations, THOR is designed to detect webshells, obfuscated scripts, malicious configurations, and backdoors, the kinds of artefacts that advanced attackers often leave behind. In addition, THOR parses system artefacts such as Windows Registry hives or Event Logs with dedicated modules, applying forensic rules that go far beyond a simple file-level scan.
Why this matters for backups
Cybersecurity incidents such as ransomware and targeted attacks (APTs) often leave behind more than just malware. They can include persistence mechanisms, changes to configurations, or manually placed backdoors that may remain hidden in backup files. Standard antivirus integrations are a useful baseline. However, supplementing them with forensic analysis and more sensitive detection methods during backup scans can help identify these threats. This approach increases the likelihood that restored systems are not only available but also free from compromise.
Four common use cases:
- Ransomware recovery – Verify that no attacker artefacts are reintroduced when restoring encrypted systems.
- APT response – When rebuilding compromised environments, run systems through a “disinfection lane” before moving them into a new, trusted domain.
- Compliance and audit – Provide verifiable evidence that backups were actively scanned for threats.
- Preventive scanning – Use idle hours on backup infrastructure to scan daily or weekly backups centrally, avoiding any impact on production endpoints.
Conclusion
By combining Nextron THOR with the Veeam Data Integration API, organizations can scan backups for signs of attacker activity, hidden artefacts, and forensic indicators. This helps ensure that restored data is clean and uncompromised, making the recovery process safer and more reliable.
