-
- Service Provider
- Posts: 255
- Liked: 28 times
- Joined: Dec 14, 2015 8:20 pm
- Full Name: Mehmet Istanbullu
- Location: Türkiye
- Contact:
Feature Request - Split Indexing and Malware Detection
Hi
We want to use malware detection for all virtual machines, but indexing is not necessary. As far as I know, right now it's mutual. Is there any plan to split them, or how can we use it like this right now?
VMCA v12
-
- Veeam Software
- Posts: 2838
- Liked: 650 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Feature Request - Split Indexing and Malware Detection
Hi Mehmet,
Thank you for the request -- just to confirm, you're talking about the Guest Indexing Scan? You'd like this separated from the Guest Indexing?
If you're discussing just the inline scan, please see how to enable it here: https://helpcenter.veeam.com/docs/backu ... ml?ver=120 It's a separate detection method, and can be run without indexing enabled.
Can you clarify if this meets your needs? Similarly, what's the main concern with using indexing?
David Domask | Product Management: Principal Analyst
-
- Service Provider
- Posts: 255
- Liked: 28 times
- Joined: Dec 14, 2015 8:20 pm
- Full Name: Mehmet Istanbullu
- Location: Türkiye
- Contact:
Re: Feature Request - Split Indexing and Malware Detection
Hello David
File Detection works only with indexing enabled. Some attacks can only be detected this way. We had an incident last week where Veeam was able to detect the malware after we turned on this feature. Another problem is that the indexing feature does not automatically include the Windows and Program Files folders, because indexing is for finding the searched file quickly. However, viruses target these folders. There is a contradiction here too.
VMCA v12
-
- Veeam Software
- Posts: 2838
- Liked: 650 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Feature Request - Split Indexing and Malware Detection
Hi Mehmet,
Thanks for the response -- indeed, it's important to clarify which malware detection feature you're discussing, as inline scan works independently of the Guest Indexing scan and they have different purposes.
Indexing scan works by using the guest index to scan for known malicious file types as well as several other indicators of compromise. The Indicators of Compromise feature (v12.3 and newer) has additional checks. Both of these require the Guest Indexing to be enabled. While you are correct that the indexing does not scan some common Windows directories by default, based on how it works (looking for specific file extensions and other indicators of compromise), this is expected as it's not performing an AV scan on these directories, it's looking for specific artifacts (read: extensions, evidence of compromise like specific files/folders, etc.) that would indicate there is/was a compromise. So while I do understand your point, Malware Detection is best combined with regular AV scans (either through Veeam with Veeam Threat Hunter (or any supported AV), or a normal AV scan on the OS itself).
So I would ask again if you can elaborate on why separating Guest Indexing is preferable here -- I'm just not quite sure I understand the benefit.
David Domask | Product Management: Principal Analyst
-
- Service Provider
- Posts: 255
- Liked: 28 times
- Joined: Dec 14, 2015 8:20 pm
- Full Name: Mehmet Istanbullu
- Location: Türkiye
- Contact:
Re: Feature Request - Split Indexing and Malware Detection
"When the backup job with guest file system indexing enabled is complete and indexing data is saved in the VBRCatalog folder on the backup server."
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Indexing data will grow a lot. Normally, the need for indexing data is only for finding the file that is being searched. In this case, there is actually no situation to be found later. Therefore, there is no need to keep this data on the VBR server and inflate it.
As I mentioned before, these scans need to be done in all directories. Indexing excludes default folders. This is again a situation that can be solved manually. Not really a problem.
VMCA v12
-
- Chief Product Officer
- Posts: 32374
- Liked: 7727 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Feature Request - Split Indexing and Malware Detection
Starting from 12.3, indexing data stored on the backup server shouldn't grow a lot and "inflate the VBR server", as its default retention was reduced to a low number of days sufficient for reliable malware detection.
-
- Service Provider
- Posts: 255
- Liked: 28 times
- Joined: Dec 14, 2015 8:20 pm
- Full Name: Mehmet Istanbullu
- Location: Türkiye
- Contact:
-
- Veteran
- Posts: 480
- Liked: 143 times
- Joined: Jul 16, 2015 1:31 pm
- Full Name: Marc K
- Contact:
Re: Feature Request - Split Indexing and Malware Detection
Is indexing still using the glacially slow enumeration algorithm?