- Expert
- Posts: 150
- Liked: 9 times
- Joined: Jun 03, 2016 5:44 am
- Full Name: Iio Asahi
- Location: Japan
About Veeam Threat Hunter Specifications
Hi Team,
Veeam 12.3 added an element called Veeam Threat Hunter.
This is now available for Scan Backup, Secure Restore, and Sure Backup.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
I am very interested in this feature.
Therefore, I have a few questions.
#1#
I understand that Veeam Threat Hunter has the ability to perform signature-based scans in place of 3rd party software.
How fast does it complete the scan compared to 3rd party software?
#2#
Are there any resources that should be added to the mount server in order to use Veeam Threat Hunter?
For example, should we add CPU or memory, files generated by the scan, or any other factors to consider?
For example, the documentation mentioned CPU utilization, memory, and size of ransomware data retention for inline scans.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
#3#
I have a question about how Veeam Threat Hunter works.
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
The above document says that Veeam Threat Hunter performs a scan after the backup data is mounted to the mount server.
Am I correct in understanding that polymorphic malware can be detected by performing heuristic analysis on backup data that has been mounted and made read-only?
Kind Regards,
Asahi.
- Veeam Software
- Posts: 2305
- Liked: 552 times
- Joined: Jun 28, 2016 12:12 pm
Re: About Veeam Threat Hunter Specifications
Hi Asahi,
I'll go through your questions here.
1. How fast does it complete the scan compared to 3rd party software?
3x-6x faster in testing depending on the contents being scanned when testing against Windows Defender.
2. Are there any resources that should be added to the mount server in order to use Veeam Threat Hunter?
No special considerations required here, the improved performance saw very similar CPU/RAM utilization to Defender during testing.
3. Am I correct in understanding that polymorphic malware can be detected by performing heuristic analysis on backup data that has been mounted and made read-only?
I think I understand the thrust of your question, and the simple answer is that Threat Hunter will do a normal scan on the mounted read-only volumes. Detection will depend then on the AV engine definitions (we check for updates on each scan). Consider also our Indicators of Compromise feature which can further help to monitor your workloads for malicious activity and report on it. Between Threat Hunter and the Malware Detection for backups, you will have achieved great visibility and monitoring for malicious activity in your environment.
David Domask | Product Management: Principal Analyst
- Expert
- Posts: 150
- Liked: 9 times
- Joined: Jun 03, 2016 5:44 am
- Full Name: Iio Asahi
- Location: Japan
Re: About Veeam Threat Hunter Specifications
Hi David,
Thank you for the info.
#3#
Sorry, I still don't understand exactly what is going on.
> Detection will depend then on the AV engine definitions
> (we check for updates on each scan).
The AV engine is handled by Veeam Threat Hunter, correct?
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
By “AV engine definitions” do you mean malware signatures that are automatically checked?
> Consider also our Indicators of Compromise feature which can further
> help to monitor your workloads for malicious activity and report on it.
Does this mean the “Guest Indexing Data Scan” feature?
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
Kind Regards,
Asahi,
Climb Inc.
- Veeam Software
- Posts: 2305
- Liked: 552 times
- Joined: Jun 28, 2016 12:12 pm
Re: About Veeam Threat Hunter Specifications
Hi Asahi,
You're very welcome, and no need for sorries, double-checking is always best when there is doubt.
> The AV engine is handled by Veeam Threat Hunter, correct?
Yes, you don't need to do anything with the engine or updates, Veeam handles this for you automatically.
> Does this mean the “Guest Indexing Data Scan” feature?
Correct.
David Domask | Product Management: Principal Analyst
- Expert
- Posts: 150
- Liked: 9 times
- Joined: Jun 03, 2016 5:44 am
- Full Name: Iio Asahi
- Location: Japan
Re: About Veeam Threat Hunter Specifications
Hi David,
Thank you for the reply!
Thank you, I have a better understanding of this feature.
I am now doing a simple test in my lab.
I ran a PowerShell script that encrypts 100 files in a folder on the C drive of a WinSrv2025 to be backed up and replaces them with .wcry extensions.
The “Guest Indexing Data Scan” was very good and showed up as “suspicious files” under Inventory > Malware Detection.
Next, I ran a Scan Backup of this backup data with “Scan restore points with Veeam Threat Hunter” checked.
However, the Scan Backup succeeded without detecting anything.
===
2024/12/20 21:20:18 Succeeded Waiting for backup infrastructure resources availability 0:00:05
2024/12/20 21:20:18 Succeeded Required backup infrastructure resources have been assigned
2024/12/20 21:20:24 Succeeded Scanning for viruses 0:25:39
2024/12/20 21:21:06 Succeeded [Volume{1ef84fe8-c0fd-4ce6-b114-adce2b2b79fa}] Content scan has been completed 0:00:29
2024/12/20 21:21:06 Succeeded [C:] Content scan has been completed 0:24:52
2024/12/20 21:21:36 Succeeded [Volume{1ef84fe8-c0fd-4ce6-b114-adce2b2b79fa}] No threats detected
2024/12/20 21:45:58 Succeeded [C:] No threats detected
2024/12/20 21:46:03 Succeeded Task finished
===
Is this because the PowerShell I created was not determined to be a threat and therefore not detected as a problem in Scan Backup?
Kind Regards,
Asahi,
Climb Inc.
- Veeam Software
- Posts: 2305
- Liked: 552 times
- Joined: Jun 28, 2016 12:12 pm
Re: About Veeam Threat Hunter Specifications
Hi Asahi,
Glad to share information and glad it helps.
As for your test, I recommend testing with EICAR test files instead. Very likely, the AV engine realized they were not actually malicious and didn't want to flag false positives. Guest Indexing scan detected it because it matched an entry in the Suspicious Files list; remember, the Guest Indexing Scan and Inline Scan are not a full malware scan, we're looking for evidence that there _likely_ is malware using the information and data blocks we already process during backup. It's an early warning, not an AV scan.
When Threat Hunter checked the same files, it correctly identified they were benign. Test with EICAR and you'll catch it, and Threat Hunter will be doing its work to find real threats.
David Domask | Product Management: Principal Analyst
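Added lab example, not code from the thread or from Veeam: one PowerShell script that reproduces both tests discussed in the two posts above in a single dedicated folder. Part 1 generates its own sample files, AES-encrypts them with a throwaway key and renames them to .wcry, which is what the Guest Indexing Data Scan matches against its suspicious-files list (an early-warning heuristic, no AV engine involved). Part 2 writes an EICAR test file, which is what the Veeam Threat Hunter AV engine flags during Scan Backup, a SureBackup content scan or Secure Restore. The folder C:\VTH-LabTest, the file count and the switch names are assumptions; run it only in an isolated lab VM, on a volume that the backup job covers, and take the backup afterwards.

```powershell
<#
  Added lab example (not from the thread or from Veeam). Builds a throwaway test set:
    1. generated sample files, AES-encrypted and renamed to .wcry
       -> matched by the Guest Indexing Data Scan suspicious-files list
    2. an EICAR test file
       -> matched by the Veeam Threat Hunter AV engine
  Isolated lab VM only. Path, file count and switch names are assumptions.
#>
param(
    [string]$TestRoot = 'C:\VTH-LabTest',
    [int]$FileCount = 100,
    [switch]$AddDefenderExclusion,   # keep eicar.com from being quarantined on the guest
    [switch]$Undo                    # decrypt the .wcry files and remove eicar.com
)
$ErrorActionPreference = 'Stop'
$keyFile   = Join-Path $TestRoot 'lab-key.b64'
$eicarPath = Join-Path $TestRoot 'eicar.com'

function Protect-LabFile {
    param([string]$Path, [byte[]]$Key)
    # Fresh IV per file, stored as the first 16 bytes of the output so the test is reversible.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $plain  = [System.IO.File]::ReadAllBytes($Path)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    # Same base name, ransomware-style extension that the suspicious-files list knows.
    $target = [System.IO.Path]::ChangeExtension($Path, '.wcry')
    [System.IO.File]::WriteAllBytes($target, [byte[]]($aes.IV + $cipher))
    Remove-Item -LiteralPath $Path
    $aes.Dispose()
}

function Unprotect-LabFile {
    param([string]$Path, [byte[]]$Key)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    $aes  = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]($blob[0..15])
    $plain = $aes.CreateDecryptor().TransformFinalBlock($blob, 16, $blob.Length - 16)
    [System.IO.File]::WriteAllBytes([System.IO.Path]::ChangeExtension($Path, '.txt'), $plain)
    Remove-Item -LiteralPath $Path
    $aes.Dispose()
}

if ($Undo) {
    # Reverse the simulation: decrypt every .wcry file and drop the EICAR file.
    $key = [Convert]::FromBase64String((Get-Content -LiteralPath $keyFile -Raw).Trim())
    Get-ChildItem -LiteralPath $TestRoot -Filter '*.wcry' |
        ForEach-Object { Unprotect-LabFile -Path $_.FullName -Key $key }
    Remove-Item -LiteralPath $eicarPath -ErrorAction SilentlyContinue
    return
}

New-Item -ItemType Directory -Path $TestRoot -Force | Out-Null
if ($AddDefenderExclusion) {
    # Without this, Defender real-time protection quarantines eicar.com as soon as it is
    # written and nothing is left on disk for the backup to pick up. Needs an elevated shell.
    Add-MpPreference -ExclusionPath $TestRoot
}

# --- 1. Simulated ransomware on generated data only; no real files are touched. ---
1..$FileCount | ForEach-Object {
    Set-Content -LiteralPath (Join-Path $TestRoot "sample$_.txt") `
                -Value "Lab sample $_ created $(Get-Date -Format o)"
}
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
[Convert]::ToBase64String($key) | Set-Content -LiteralPath $keyFile
Get-ChildItem -LiteralPath $TestRoot -Filter '*.txt' |
    ForEach-Object { Protect-LabFile -Path $_.FullName -Key $key }

# --- 2. EICAR: the standard 68-byte ASCII string, written without BOM or trailing newline. ---
# Assembled from two halves so this script file is not itself quarantined when saved.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
[System.IO.File]::WriteAllBytes($eicarPath, [System.Text.Encoding]::ASCII.GetBytes($eicar))

# Sanity check before taking the backup: expected .wcry count and exactly 68 bytes of EICAR.
[pscustomobject]@{
    WcryFiles  = (Get-ChildItem -LiteralPath $TestRoot -Filter '*.wcry').Count
    EicarBytes = (Get-Item -LiteralPath $eicarPath).Length
}
```

Run it, take a backup of the VM, then run Scan Backup with “Scan restore points with Veeam Threat Hunter” checked and look at Inventory > Malware Detection. The expected outcome is the split described above: the .wcry files surface as suspicious files from the guest index, while Threat Hunter reports only eicar.com, because the encrypted files are benign to an AV engine. Note that the EICAR file must be the first 68 bytes of the file and pure ASCII, so write it with WriteAllBytes rather than Set-Content (which may add a BOM or a newline). If you want a full-volume timing comparison like the one later in this thread, enable “Continue scanning remaining files after the first occurrence” in the SureBackup content scan settings; otherwise the scan can stop as soon as it hits eicar.com. Run the script again with -Undo to decrypt the samples and remove the EICAR file when the test is finished.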
- Expert
- Posts: 150
- Liked: 9 times
- Joined: Jun 03, 2016 5:44 am
- Full Name: Iio Asahi
- Location: Japan
Re: About Veeam Threat Hunter Specifications
Hi David,
Thank you for the info.
I was able to test the threat detection by Veeam Threat Hunter by using EICAR!
I specified the following parameters in my Sure Backup Job
・Backup verification and content scan only
・Continue scanning remaining files after the first occurrence
The scanning process resulted in the following
Veeam Threat Hunter : 11min
Windows Defender : 27min
In my personal opinion, I hope that in the future the Veeam Threat Hunter engine will be able to scan Linux OS backup files as well.
Since Veeam's Linux FLR now operates using Linux Helper Host, I hope that Veeam Threat Hunter's engine will be introduced to Linux Helper Host and that it will be able to scan regardless of the backed up OS.
Kind Regards,
Asahi,
Climb Inc.