Malware found during VM replication

[TimoW]

Dear all,

at a customer we're doing replication from a productive vSphere cluster to a standalone ESXi host located in a different location.
The replication traffic goes through a next generation firewall which is doing deep packet inspection and scans the whole traffic in realtime against known malware.
On two VMs the firewall was blocking the replication due to found malware. This also results in failed replication of those two VMs of course.
The AV scanners on those VMs didn't find any malicous malware.
My Question is: are the blocks (which are transfered via replication to destination host) transfered in their "raw format" or is VBR 9.5.3 doing some compression/encryption?
In case of encrypted data I would assume that the caught malware is a false positive. But if it's raw data I'll need to dig deeper to the VMs.

Thanks a lot!
Timo

[Andreas Neufert]

Usually we apply compression and deduplication before we transport the data to the other side.
Transport Encryption can be optionally enabled in the traffic rules or will be automatically applied when you use Public IPs at the Veeam Servers.

I would contact the AV vendor and let them analyse logs.
You can as well backup with Veeam the VM and use our Antivirus restore to scan the VM in offline state (no malware can hide themself then).

[TimoW]

Hi Andreas,
thank you for clarification. In this case I would really assume that this was a false positive.
But the Antivirus restore feature sounds really interesting. Could you please tell me more about it? Is it part of Update 4? Which engines are integrated?

[Andreas Neufert]

Hi Timo,

you can find additional informations here:
https://www.veeam.com/blog/datalabs-sec ... rview.html