perjonsson1960
Veteran
Posts: 543
Liked: 63 times
Joined: Jun 06, 2018 5:41 am
Full Name: Per Jonsson
Location: Sweden
Contact:

Malware Detection Settings

Post by perjonsson1960 »

Folks,

Are there any of you out there that have enabled the "Inline entropy analysis"?
Is the impact on the backup times great when the "Normal" setting is used?
Any difference between VMs and physical machines?
We have a physical fileserver cluster with approx. 18 TB data and 10 million files.
An incremental backup of the cluster takes about 90 minutes without that function enabled, and around 200 to 300 GB is backed up.

I wish that this setting was a job setting, and not a global setting for all jobs. Then I could have tried it at a smaller scale...

Kind regards,
PJ
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Malware Detection Settings

Post by Mildur » 1 person likes this post

Hi Per Jonsson

I suggest you run a test on your backup server with a test machine.
"I wish that this setting was a job setting, and not a global setting for all jobs. Then I could have tried it at a smaller scale..."
You can run it for a single machine. Enable inline scan and exclude all other machines except the machine you want to test:
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Malware Detection Settings

Post by perjonsson1960 »

Okay, thanks!

Just now I discovered that the old job setting called "Enable guest file system indexing" has been changed to "Enable guest file system indexing and malware detection". Must that function be enabled in order to get malware detection at all? If so, then I have used malware detection only on the fileserver cluster, because that is the only job that has indexing enabled...

Re: Malware Detection Settings

Post by Mildur » 1 person likes this post

My understanding was that your question was about "Inline entropy analysis".
"Inline entropy analysis" doesn't require the guest index. It reads the data blocks of the disk of your machine.

Enabling "guest file indexing" is required for the malware detection method "guest index scan":
https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Malware Detection Settings

Post by perjonsson1960 »

Yes, it was. It's just that it still is a bit confusing for me, since there are settings in three different places: the main menu, the "Malware Detection" node in the Inventory pane, and now also in the guest indexing job setting. But I will probably get the hang of it in due course. ;-)

Re: Malware Detection Settings

Post by perjonsson1960 »

One of the "suspicious" file extensions included in the default XML file is used by legitimate software that we use. In fact, there are over 3000 files that are regarded as suspicious because of this.
If I exclude that extension, then Malware Detection will ignore that filetype completely, right? So, if a malware using that extension should find its way into our environment, then Malware Detection will not detect it?

Re: Malware Detection Settings

Post by Mildur »

Yes, the guest file index scanner would ignore this file extension for all machines.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Malware Detection Settings

Post by perjonsson1960 »

Right.
But if I turn on the Inline Scan, then it would probably be detected, or?

Re: Malware Detection Settings

Post by Mildur »

Inline scan does not scan for specific file extensions. Inline scan detects encrypted files, onion links or ransom notes.

Please check our user guide for the difference between guest index scan ("File system activity analysis") and inline scan ("Inline entropy analysis"): https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Best,
Fabian
Product Management Analyst @ Veeam Software
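
The difference discussed in the posts above, between a name-based check that honours an extension exclusion and a content-based check that only looks at bytes, as an added illustration that is not part of the original thread and not Veeam's implementation. The 7.2 bits/byte threshold, the 4 KiB block size, the `.abc` extension and all sample data are assumptions constructed for the example.

```python
import hashlib
import math
import os
import re
from collections import Counter

BLOCK = 4096
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off for this sketch
ONION_RE = re.compile(rb"\b[a-z2-7]{56}\.onion\b")  # shape of a v3 onion host

def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: about 8 for ciphertext, about 4-5 for text."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def extension_scan(names, suspicious, excluded=()):
    """Name-based check: an excluded extension is never reported."""
    active = {e.lower() for e in suspicious} - {e.lower() for e in excluded}
    return [n for n in names if os.path.splitext(n)[1].lower() in active]

def content_scan(data: bytes) -> dict:
    """Content-based check: looks only at bytes, never at the file name.
    High entropy is a signal, not a verdict: compressed data scores high too."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    high = sum(1 for b in blocks
               if len(b) == BLOCK and shannon_entropy(b) > ENTROPY_THRESHOLD)
    return {"blocks": len(blocks), "high_entropy_blocks": high,
            "onion_links": len(ONION_RE.findall(data))}

# Constructed samples (not real data): hash output stands in for encrypted
# content, and the .onion host is a made-up placeholder.
SAMPLE_ENCRYPTED = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(4 * BLOCK // 32))
SAMPLE_TEXT = b"Quarterly report: invoices, totals and customer notes.\n" * 400
SAMPLE_NOTE = b"Your files are locked. Visit http://" + b"a2" * 28 + b".onion now."

if __name__ == "__main__":
    names = ["report.docx", "ledger.abc"]   # ".abc" is a hypothetical extension
    suspicious = {".abc", ".locked"}
    print("listed:  ", extension_scan(names, suspicious))
    print("excluded:", extension_scan(names, suspicious, excluded={".abc"}))
    for label, data in [("encrypted", SAMPLE_ENCRYPTED), ("text", SAMPLE_TEXT),
                        ("note", SAMPLE_NOTE)]:
        print(label, content_scan(data))
```
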

Re: Malware Detection Settings

Post by perjonsson1960 »

Okay, I will do some testing to see how much the backup times increase when using Malware Detection in various jobs.
I guess that the best would be to use both Guest Indexing Scan and Inline Scan simultaneously.

Thanks!

Kind regards,
PJ

Re: Malware Detection Settings

Post by perjonsson1960 »

Is the Malware Detection feature not available in NAS/Fileshare backups?

Re: Malware Detection Settings

Post by Mildur » 1 person likes this post

No, not yet. All supported workloads are documented in the user guide:
- Guest Index Scan
- Inline Scan

We have it on the roadmap.
Unfortunately I cannot share an ETA when our Malware Scan feature will be available for NAS backup jobs as well.

Best,
Fabian
Product Management Analyst @ Veeam Software

Re: Malware Detection Settings

Post by perjonsson1960 »

Okay, thanks!

Re: Malware Detection Settings

Post by perjonsson1960 » 1 person likes this post

I have tried to enable "Guest file system indexing and malware detection" for as many VMs as possible, but I got multiple warnings saying "Failed to index guest file system. Veeam Guest Agent is not started".

Is it so that this function only works when Application Aware is used, or alternatively, when another credential than vSphere Admin is used in the backup, for example a local admin account?

Re: Malware Detection Settings

Post by perjonsson1960 »

I never got any reply to the question above.

PJ
david.domask
Veeam Software
Posts: 3037
Liked: 702 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: Malware Detection Settings

Post by david.domask »

Hi Per,

Apologies that there was a delay here; based on the error message there, my "first blush" impression is there was either an issue with deploying the indexing agent to the GuestOS being backed up or something interfered with the agent once deployed, but unfortunately it's hard to tell from just this.

You don't need to have the Application Aware Processing enabled to deploy the Guest Indexing agent; it _could_ be related to credentials, but I would expect that the Test Credentials test fails as well if that were the case.

I would reproduce the issue and open a Support Case with logs for the affected job. The message itself is fairly straightforward, it's just a question of "why did the agent not start?", which logs should give pretty good clues to. (Just a note, Support might also ask for logs from the GuestOS in question (System/Application Event logs if Windows, all of /var/log if Linux).)
David Domask | Product Management: Principal Analyst