Host-based backup of VMware vSphere VMs.
tj818
Enthusiast
Posts: 28
Liked: 9 times
Joined: Oct 29, 2025 7:44 pm
Full Name: Tim Russell
Contact:

Questions Regarding Threat Hunter Scan on VM Backups

Post by tj818 »

Case #08012766

Hi Team,

I am working on configuring SureBackup Jobs that utilize Threat Hunter to scan the Restore Points.

The SureBackup Job under SureBackup's Job History shows a status of "Success".

However, if you click into the details of the Job, there is a warning in regard to other AV being detected on the Mount Host:

[05.03.2026 09:41:57.687]   <132>    Info (3)    [1] Enumeration complete, waiting for enqueued scans to finish...
[05.03.2026 09:41:57.857]    <96>    Info (3)    [1] All file scans complete.
[05.03.2026 09:41:57.857]   <144>    Info (3)    [1] Threat hunter session ended. Scanned: 427873 Infected: 0 Result: UnableToScanFiles
[05.03.2026 09:41:57.876]    <33>    Info (3)    Veeam Threat Hunter might be blocked by an antivirus installed on the mount host, please configure exclusions according to https://www.veeam.com/KB1999. Exit code: 256

I am looking to get AV Exclusions in place, but I had a few questions:

1. Should the job be marked as success if there were files that were unable to be scanned per the logs? Can it have a status of Warning or Failure? I asked support, but we could not get confirmation on what might not have been scanned due to other AV being detected and if we didn't look at the details of the Job itself, we would not have known there might have been files not scanned.

2. Do we need to put in all the AV Exclusions for Threat Hunter per the KB, or does it need to be just the Threat Hunter entry listed at the beginning of the KB?

Thanks!
Tim
Egor Yakovlev
Product Manager
Posts: 2662
Liked: 765 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by Egor Yakovlev »

Hi Tim,

Many system files are designed to be protected or restricted, and will still return “access denied” errors regardless of where or how the backup is mounted. And unfortunately, we cannot always determine whether access is denied due to a system lock or because an application like antivirus is preventing our action.
Regarding exclusions, for VTH specifically, the VTH executable folder and a mount folder (C:\VeeamFLR) exclusions are required.

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by tj818 »

Thanks for the clarification Egor. I will look to add the exclusions. Does the process log which files it could not scan?

Thanks,
Tim

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by Egor Yakovlev »

Yes, it should be on the mount host: %ProgramData%\Veeam\Backup\FLRSessions\..\Antivirus\Veeam_Threat_Hunter-VolumeN.log

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by tj818 »

There were 4 files in that log that failed to scan not because of access denied, but because these files are password protected. I didn't think that would flag the AV message at the end of the scan. I will remove those files, run a new backup, and see if I get the same error message on the next scan job.

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by tj818 » 1 person likes this post

I removed the files, ran a new backup, and then ran a SureBackup job and now we no longer get warnings in regards to AV being detected. I haven't updated AV exclusions yet.

Veeam_Threat_Hunter-Volume1.log
=================================

[16.03.2026 08:41:32.006]    <40>    Info (3)    [1] Scanned 440000 files.
[16.03.2026 08:41:51.904]   <148>    Info (3)    [1] Enumeration complete, waiting for enqueued scans to finish...
[16.03.2026 08:41:52.065]    <25>    Info (3)    [1] All file scans complete.
[16.03.2026 08:41:52.065]   <163>    Info (3)    [1] Threat hunter session ended. Scanned: 448941 Infected: 0 Result: Ok
[16.03.2026 08:41:52.084]   <105>    Info (3)    No threats detected. Exit code: 1

I updated the support case to see if the password protected files that failed to scan caused the first SureBackup Job to trigger the AV warning.

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by tj818 »

Ran another test on another VM and this time it had an issue scanning files due to a file open error:

Veeam_Threat_Hunter-Volume1.log
=================================

[16.03.2026 09:30:19.875]   <148>    Info (3)    [1] Unable to scan file (Failed  Failed to scan object: file open error)

...

[16.03.2026 09:35:10.066]    <99>    Info (3)    [1] Enumeration complete, waiting for enqueued scans to finish...
[16.03.2026 09:35:10.789]   <103>    Info (3)    [1] All file scans complete.
[16.03.2026 09:35:10.789]   <103>    Info (3)    [1] Threat hunter session ended. Scanned: 331463 Infected: 0 Result: UnableToScanFiles
[16.03.2026 09:35:10.811]    <47>    Info (3)    Veeam Threat Hunter might be blocked by an antivirus installed on the mount host, please configure exclusions according to https://www.veeam.com/KB1999. Exit code: 256

As a test, I did a file level browse of this VM and navigated the File System of the VM through the C:\VeeamFLR directory and confirmed Defender is causing an issue. When I tried to click on the properties of the File, Defender interfered.

What I would like is if we can get better error handling when a file is unable to scan. AV did not cause an issue with the first VM as the scan failure was due to password protected files. I think the Warning should tell you what the Scan Failure was. The current warning to check AV is good for cases where it fails to scan due to Access Denied/Failed to Open, but not for password protected files.
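
Added example, not part of the original post and not Veeam code: until the job warning names the failure type, the per-volume log discussed above can be triaged with a short script that counts the "Unable to scan file" reasons and reads the session result and exit code. The sample log is constructed in the format quoted in this thread; the "password protected" reason text and the keyword-to-bucket mapping are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the log excerpts in this thread. The
# "password protected" reason text is an assumption; the thread does not quote it.
SAMPLE_LOG = """\
[16.03.2026 09:30:19.875]   <148>    Info (3)    [1] Unable to scan file (Failed  Failed to scan object: file open error)
[16.03.2026 09:30:20.101]   <148>    Info (3)    [1] Unable to scan file (Failed  Failed to scan object: password protected)
[16.03.2026 09:30:21.412]    <99>    Info (3)    [1] Unable to scan file (Failed  Failed to scan object: file open error)
[16.03.2026 09:35:10.789]   <103>    Info (3)    [1] Threat hunter session ended. Scanned: 331463 Infected: 0 Result: UnableToScanFiles
[16.03.2026 09:35:10.811]    <47>    Info (3)    Veeam Threat Hunter might be blocked by an antivirus installed on the mount host, please configure exclusions according to https://www.veeam.com/KB1999. Exit code: 256
"""

UNABLE = re.compile(r"Unable to scan file \((?P<reason>.*)\)\s*$")
SESSION = re.compile(r"Scanned: (?P<scanned>\d+) Infected: (?P<infected>\d+) Result: (?P<result>\w+)")
EXIT = re.compile(r"Exit code: (?P<code>\d+)\s*$")

# Keyword -> bucket. Hypothetical mapping chosen for this example.
BUCKETS = (
    ("password", "protected-content"),
    ("access denied", "blocked-or-locked"),
    ("file open error", "blocked-or-locked"),
)

def classify(reason):
    """Map a free-text failure reason to a coarse bucket."""
    lowered = reason.lower()
    for keyword, bucket in BUCKETS:
        if keyword in lowered:
            return bucket
    return "other"

def summarize(log_text):
    """Count unscanned-file reasons and pull the session result and exit code."""
    summary = {"reasons": Counter(), "scanned": None, "infected": None,
               "result": None, "exit_code": None}
    for line in log_text.splitlines():
        if m := UNABLE.search(line):
            summary["reasons"][classify(m["reason"])] += 1
        elif m := SESSION.search(line):
            summary.update(scanned=int(m["scanned"]), infected=int(m["infected"]), result=m["result"])
        elif m := EXIT.search(line):
            summary["exit_code"] = int(m["code"])
    # Per the thread, the AV-exclusion warning is only informative for block/lock failures.
    summary["av_hint_applies"] = summary["reasons"]["blocked-or-locked"] > 0
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero count in any bucket alongside a job status of "Success" is the case the thread describes, so the result of `summarize` is worth checking after every SureBackup scan rather than relying on the job status alone.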

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by tj818 »

Just wanted to follow up to see if it would be feasible to update the Warning Messages for a SureBackup Scan Job using Threat Hunter to have the appropriate scan failure(s) if possible. Brought it up with the Support Engineer and was told it has to go through the Forums.

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by Egor Yakovlev »

Absolutely valid request. If exit codes can allow us to distinguish between different types of exceptions, that would definitely be a solid improvement to implement.
I’ll discuss this with the teams.
Thanks!

Re: Questions Regarding Threat Hunter Scan on VM Backups

Post by tj818 »

Perfect, thanks Egor!