About malware scanning
NetBackup finds malware in supported backup images and finds the last good-known image that is malware free. This feature is supported for Standard, MS-Windows, NAS-Data-Protection, Cloud, Cloud-Object-Store, Universal shares, Kubernetes, VMware and Nutanix AHV workload.
NetBackup can scan images that are stored on MSDP, MSDP cloud, AdvancedDisk or OST by using one of the the following Search by options:
Backup images
This option is used for scanning policy of client backup images for malware.
Assets by policy type
NetBackup supports MS-Windows, Cloud-Object-Store, NAS-Data-Protection and Standard policy types for malware scan. The following section describes the procedure for scanning NAS-Data-Protection backup images for malware.
NAS-Data-Protection
Each NAS volume or share is read over NFS or SMB, and backed up using a configured number of backup streams. The maximum number of streams per volume determines the number of backup streams that are created to back up each volume. For example, consider a policy that contains 10 volumes and the maximum number of streams is 4. The backup of the policy creates 4 backup streams for each volume, with a total of 40 child backup streams and 10 parent backup streams.
Note:
The number of scans depends on the number of batches that were created to perform the scan. Only the parent stream backup image is visible on the UI.
For more information on multi stream backups, refer to NetBackup NAS Administrator's Guide.
Assets by workload type
This option of malware scanning is used for scanning VMware, Universal shares, Kubernetes, Cloud VM and Nutanix AHV assets for malware.
Note:
NetBackup supports VMware assets for malware scan of backup images only with MSDP.
Ensure that the following prerequisites are met:
The backups were performed with a storage server at NetBackup 10.1 or later.
Backup images are stored on MSDP storage only with instant access capability, for the supported policy type only.
The last backup must be successful.
You must have an RBAC role with permissions to perform malware scans.
Note:
According to selection criterion, scan gets initiated to maximum of 100 images.
Malware scanning provides the following benefits:
You can select one or more backup images of the supported policy-types for an on-demand scan. You can use a predefined list of scan hosts.
If malware is detected during the scanning, a notification is generated in the Web UI.
If a file hash server is configured to a NetBackup domain that is not managed by Alta View, an automatic file hash search job of the malware hash is triggered periodically (interval configurable) to entire image catalog after a malware is detected.
For more information on file hash search, refer to the "About the file hash search in NetBackup" section in the NetBackup Web UI Administrator's Guide.
In case files are skipped due to not being accessible to scanner or failure from malware scanner, then following respective notifications are generated with information about number and list of skipped files:
Critical severity: In case malware is found in the backup image and some of the files were skipped during scan.
Warning severity: In case no malware found in the backup image but some of the files were skipped during scan.
This information can be obtained by clicking on .
Note:
The malware scan job in Activity monitor takes few minutes to reflect the final state of the scan operation running for multiple backup images.
For example, if scan operation runs for 5 backup images in a single request, then the malware scan job in Activity monitor would take 5 minutes to reflect the final state which is after completing the last (fifth) backup image scan job.
Note:
During recovery if user starts recovery from a malware-affected backup image, a warning message is shown and confirmation is required for proceeding with recovery. Only users with permission to restore from malware-affected images can proceed with recovery.
For more information on best practices for malware scanning, refer to Smart use of Malware Scanning in NetBackup.
User can trigger malware scan of the selected files/folders for recovery as part of recovery flow from Web UI and decide the recovery actions based on malware scan results.
Catalog entry for the backup image is not updated after recovery time scan as only subset of files are scanned in the backup. Notification would be generated if malware is found as part of recovery time scan.
During recovery time scan all the images in the start and end date are scanned for malware. Malware scanning of backup image may take long time depending on the number of files selected for recovery. It is recommended to set the Start /End date to include only images which are intended to be used for recovery.
User can trigger multiple recovery time scan for same backup image.
Malware scan as part of recovery may take minimum 15-20 minutes for small size backup based on availability of scan host and number of scan jobs in progress. User can track the progress using . Scan results would be displayed incrementally in the malware detection page. List of backup images in start and end date would be picked up for malware scan incrementally in batches.
Supported policy types for recovery time scan: Standard, MS-Windows, Cloud-Object-Store, Universal Share, and NAS-Data-Protection.
Note:
For successful recovery time malware scan operation, the media server version must be 10.4 or later.