About file hash search with malware hash
For a NetBackup domain that is not managed by Alta View and that has a configured file hash server, NetBackup version 10.5.0.1 or later provides file hash search with malware hash.
This feature complements the existing malware scanning service and helps identify malware in backup images. When a malware scan reports an infected status, an automated file hash search job goes through the NetBackup images to identify an IOC (indicator of compromise).
When malware scanning finds malware, the file hash value (SHA-256) of the malware is stored in the Enterprise Media Manager (EMM) database if no matching record exists in the database.
Every 8 hours, a file hash search job is triggered, and the most recent malware hash values from the database (a maximum of 10,000 records) are submitted in the job request with MALWARE as the search tag. The result of the file hash search job is available in the Activity monitor of the NetBackup Web UI. An audit message that contains the file hash search job ID and the file hash search request ID is also generated. You can find the message under the Audit Events tab of the Security events menu in the Security pane of the NetBackup Web UI. Use the FILE_HASH_SEARCH_INTERVAL_SECONDS option to configure the interval between triggered search jobs.
Every 24 hours, records in the NetBackup database that have not been updated in the past 30 days are removed for maintenance purposes. Use the MALWARE_HASH_RETENTION_DAYS option to configure the number of days after which a malware hash is treated as outdated.
See Malware hash configuration parameters.
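The lifecycle described above (store if new, submit the most recent hashes up to the cap, remove outdated records) can be reasoned about with a simplified model. This is an added example, not NetBackup code: the class and method names are hypothetical, and it assumes that a repeat detection refreshes a record's timestamp and that "most recent" means ordered by last update.

```python
import hashlib
from datetime import datetime, timedelta

MAX_HASHES_PER_SEARCH = 10_000  # page: at most 10,000 records per search request
RETENTION_DAYS = 30             # page: records not updated for 30 days are removed


class MalwareHashStore:
    """Hypothetical stand-in for the malware hash records in the database."""

    def __init__(self, retention_days=RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self.records = {}  # SHA-256 hex digest -> time of last update

    def record_detection(self, sha256_hex, now):
        """Store a hash reported by malware scanning; return True if it is new.
        Assumption: a repeat detection refreshes the record's timestamp."""
        digest = sha256_hex.strip().lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError("not a SHA-256 hex digest")
        is_new = digest not in self.records
        self.records[digest] = now
        return is_new

    def search_batch(self, limit=MAX_HASHES_PER_SEARCH):
        """Hashes for the next search request: most recently updated first, capped."""
        newest_first = sorted(self.records, key=self.records.get, reverse=True)
        return newest_first[:limit]

    def purge_outdated(self, now):
        """Daily maintenance: remove and return records older than the retention."""
        stale = [h for h, ts in self.records.items() if now - ts > self.retention]
        for h in stale:
            del self.records[h]
        return stale


def demo():
    """Constructed sample: three hashes detected on day 0, 20 and 25."""
    t0 = datetime(2025, 1, 1)
    old, mid, new = (hashlib.sha256(s).hexdigest() for s in (b"a", b"b", b"c"))
    store = MalwareHashStore()
    for digest, day in ((old, 0), (mid, 20), (new, 25)):
        store.record_detection(digest, t0 + timedelta(days=day))
    batch = store.search_batch(limit=2)             # cap drops the oldest hash
    purged = store.purge_outdated(t0 + timedelta(days=31))
    return batch == [new, mid], purged == [old]


if __name__ == "__main__":
    print(demo())
```

The model shows two ways a hash can stop being searched: it falls outside the per-request cap when newer hashes outnumber it, or it ages past the retention period.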
Note the following:
The file hash search computation is supported for the following types of backup policies:
NAS-Data-Protection
Windows
Standard
The file hash search job may report matching malware, if any exists, for backup images of the above backup policy types.