Comprehensive data protection for all workloads
cgsm
Expert
Posts: 101
Liked: 21 times
Joined: Oct 05, 2021 3:55 pm
Contact:

Veeam Threat Hunter vs. OS Antivirus Engine

Post by cgsm »

Hello,
Just upgraded to 12.3 and saw the new Veeam Threat Hunter service. It looks like this is a replacement for using another installed antivirus software (i.e.: MS Defender) and that you cannot configure this per job, only globally.

Is it possible to configure the detection engine on a per-job basis? I would like to create SureBackup jobs that use both engines (not both engines in the same job, but two different jobs both using either engine). This way I can (1) compare the engine performance and detection, and (2) have multiple detection engines for possibly better results.
Gostev
Chief Product Officer
Posts: 32230
Liked: 7592 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Threat Hunter vs. OS Antivirus Engine

Post by Gostev »

Hi, unfortunately it's not possible. As far as engine performance, I remember seeing some numbers from early 12.3 adopters already, and they reported a few times faster performance with Veeam Threat Hunter (just like the What's New document promises). If you're interested to look for this feedback, it could only have been here or in the Veeam subreddit, as I don't read anything else :)

Re: Veeam Threat Hunter vs. OS Antivirus Engine

Post by cgsm »

@Gostev I understand Threat Hunter is faster, but is it better at detecting threats versus another tool (i.e.: MS Defender)? That is the question.

My thought was to create two SureBackup jobs, identical except for detection engine, and run each job once a week on different days to provide a "belt and suspenders" approach to scanning backups for infections.

Re: Veeam Threat Hunter vs. OS Antivirus Engine

Post by Gostev »

Sure, the whole idea was to give our customers something much faster (by integrating directly into our processing engine) AND better at detecting modern threats (like polymorphic malware) than a free antivirus built into this OS, otherwise what's the point of this whole exercise. Especially since it costs us a ton of money to OEM the underlying technology.

Re: Veeam Threat Hunter vs. OS Antivirus Engine

Post by cgsm »

@Gostev Yes, I understand your point of "Veeam can do better [than other antivirus]", but I also see this feature as "Veeam wants to do everything", so pardon my non-agreement that just because Veeam says Threat Hunter is better, that it is actually better! This is why I wanted to test Threat Hunter and MS Defender side-by-side.

Anyway, I created jobs with Threat Hunter and in the job log table I see "Antivirus: Disabled" for each of the processed VMs and I see nothing in the per-job or per-VM logs that Threat Hunter ran. Is this expected? It does not look like Threat Hunter is actually running. If I perform an Instant Recovery and choose Threat Hunter, I see "performing antivirus scan". Per previous runs of SureBackup, it looks like the "scanning for viruses" step should be the first step in the process, but it doesn't look like it is with Threat Hunter. File a case?

Re: Veeam Threat Hunter vs. OS Antivirus Engine

Post by Gostev »

It's the opposite: we very specifically do NOT want to "do everything", which is why we OEM the market-leading tech instead of getting into the antivirus engine business ourselves :) The special sauce is that we integrate this directly into our processing engine, which makes scans so much faster (which was the primary goal really, as if you can't use scans at scale because of their performance, then the thoroughness of the AV engine does not really matter).

I don't know if it deserves a support case, maybe just look carefully at your settings, seems the scan is purposely disabled (or not enabled).