Malware Detection Settings

[perjonsson1960]

Folks,

Are there any of you out there that have enabled the "Inline entropy analysis"?
Is the impact on the backup times great when the "Normal" setting is used?
Any difference between VMs and physical machines?
We have a physical fileserver cluster with approx. 18 TB data and 10 million files.
An incremental backup of the cluster takes about 90 minutes without that function enabled, and around 200 to 300 GB is backed up.

I wish that this setting was a job setting, and not a global setting for all jobs. Then I could have tried it at a smaller scale...

Kind regards,
PJ

[Mildur]

Hi Per Jonsson

I suggest you run a test on your backup server with a test machine.

I wish that this setting was a job setting, and not a global setting for all jobs. Then I could have tried it at a smaller scale...

You can run it for a single machine. Enable inline scan and exclude all other machines except the machine you want to test:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian

[perjonsson1960]

Okay, thanks!

Just now I discovered that the old job setting called "Enable guest file system indexing" has been changed to "Enable guest file system indexing and malware detection". Must that function be enabled in order to get malware detection at all? If so, then I have used malware detection only on the fileserver cluster, because that is the only job that has indexing enabled...

[Mildur]

My understanding was, that your question was about "Inline entropy analysis".
"Inline entropy analysis" doesn't require the guest index. It reads the data blocks of the disk of your machine.

Enabling "guest file indexing" is required for malware detection method "guest index scan":
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian

[perjonsson1960]

Yes, it was. It's just that it still is a bit confusing for me, since there are settings at three different places; The main menu, the "Malware Detection" node in the Inventory pane, and now also in the guest indexing job setting. But I will probably get the hang of it in due course.

[perjonsson1960]

One of the "suspicious" file extensions included in the default XML file, is used by a legitimate software that we use. In fact, there are over 3000 files that are regarded as suspicious because of this.
If I exclude that extension, then Malware Detection will ignore that filetype completely, right? So, if a malware using that extension should find its way into our environment, then Malware Detection will not detect it?

[Mildur]

Yes, the guest file index scanner would ignore this file extension for all machines.

Best,
Fabian

[perjonsson1960]

Right.
But if I turn on the Inline Scan, then it would probably be detected, or?

[Mildur]

Inline scan does not scan for specific file extensions. Inline scan detects encrypted files, onion links or ransom notes.

Please check our user guide for the difference of guest index scan ("File system activity analysis") and inline scan ("Inline entropy analysis"): https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian

[perjonsson1960]

Okay, I will do some testing to see how much the backup times increase when using Malware Detection in various jobs.
I guess that the best would be to use both Guest Indexing Scan and Inline Scan simultaneously.

Thanks!

Kind regards,
PJ

[perjonsson1960]

Is the Malware Detection feature not available in NAS/Fileshare backups?

[Mildur]

No not yet. All supported workload are documented in the user guide:
- Guest Index Scan
- Inline Scan

We have it on the roadmap.
Unfortunately I cannot share an ETA when our Malware Scan feature will be available for NAS backup jobs as well.

Best,
Fabian

[perjonsson1960]

Okay, thanks!

[perjonsson1960]

I have tried to enable ”Guest file system indexing and malware detection” for as many VMs as possible, but I got multiple warnings saying "Failed to index guest file system. Veeam Guest Agent is not started".

Is it so that this function only works when Application Aware is used, or alternatively, when another credential than vSphere Admin is used in the backup, for example a local admin account?

[perjonsson1960]

I never got any reply to the question above.

PJ

[david.domask]

Hi Per,

Apologies that there was a delay here; based on the error message there, my "first blush" impression is there was either an issue with deploying the indexing agent to the GuestOS being backed up or something interfered with the agent once deployed, but unfortunately hard to tell from just this.

You don't need to have the Application Aware Processing enabled to deploy the Guest Indexing agent; it _could_ be related to credentials, but I would expect that the Test Credentials test fails as well if that were the case.

I would reproduce the issue and open a Support Case with logs for the affected job. The message itself is fairly straightforward, it's just a question of "why did the agent not start?", which logs should give pretty good clues to. (Just a note, Support might also ask for logs from the GuestOS in question (System/Application Event logs if Windows, all of /var/log if Linux).