Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Security and Encryption Guide
  3. Section IV. Malware scanning
  4. Scan host configurations
  5. Limitations and considerations for scan host using NFS share
NetBackup™ Security and Encryption Guide

Limitations and considerations for scan host using NFS share

Limitations specific to a Windows scan host using NFS share

Following is a limitation for Windows operating system and NetBackup Malware Scanner (Avira) version 2.3:

A Windows scan host with Windows Defender malware tool, file paths having non-English characters will not get scanned. These are skipped during a scan. Thus, the number of files scanned reported on Web UI could be less than the total files in that image.

If the malware scan encountered files could not be scanned for any reason, then the following message is displayed:

Malware scan encountered <number of files> files which could not be scanned.

A report of files that were skipped can be obtained by clicking on Actions > Export unscannable files list.

Considerations specific to a Windows scan host using NFS share
  • The built-in administrator account can be used as the scan user and would be able to scan all types of images. This account would be disabled on production servers for security consideration.

    Hence a non-administrator local user (for example, name: scan-user) must be created and added to the Administrators group. To enhance the security, map the account identity to secure the interactions with NFS shares. Active Directory integration is not required when using the local passwd and group files located at the following location:

    C:\windows\system32\drivers\etc\passwd
    C:\windows\system32\drivers\etc\group
  • When scanning images of Standard and MS-Windows policy type, the local scan-user account must have UserIdentifier (UID) permissions set to non-zero value.

    For example, UID 1001 is added to the passwd and group file:

    passwd file: scan-user:x:1001:1001:Description:C:\Users\scan-user

    group file: scangroup:x:1001:1001

  • When scanning images of VMware and cloud workloads, the scan-user account must have UserIdentifier (UID) permissions set to 0 value. Modify the passwd and group files as follows:

    passwd file: scan-user:x:0:0:Description:C:\Users\scan-user

    group file: scangroup:x:0:0

  • As the permissions differ for the scan-user account (depending on the type of image to be scanned), it is required to have 2 separate Windows scan hosts for provisioning, each with a unique local account and UID permissions.

    Prior to initiating an on-demand scan, select specific scanhost pool which has the desired scan host. To avoid provisioning two separate Windows scan hosts, use a non-admin user account (nfsnobody), then set the UID mapping to 0 value.

Feedback

Was this page helpful?
Previous

Prerequisites for Linux scan host

Next

Configuring scan host

Feedback

Was this page helpful?