top of page
  • Writer's pictureBrad Linch

Scan Cloud Workloads for Malware with Veeam

Ransomware attacks continue to evolve, targeting cloud-based workloads and posing significant risks to organizations. These malicious attacks can encrypt critical data, disrupt operations, and demand hefty ransoms for data decryption. Not to mention double extortion and the risk of stealing/selling the victims data. To counter such threats, organizations must prepare robust defense strategies to safeguard their cloud workloads.

Part of that defense strategy not only is backing up those cloud workloads but also choosing a solution that follows a defense-in-depth strategy. Veeam's inline scanning capabilities provide organizations with real-time threat detection, malware protection, compliance adherence, and data loss prevention. By incorporating Veeam into your cloud infrastructure, you can establish a backup security posture and ensure the safety and integrity of your cloud-based workloads. As a result, businesses can operate with confidence, knowing that their critical data and operations are protected against evolving cyber threats.

Veeam has two types of inline scanning:

  • Inline entropy analysis at the block level

  • File system activity analysis indexing at the guest level

Inline entropy analysis looks for files encrypted by malware and anomalies in the data.  For example, if a server in your environment usually has 10% of the data encrypted and changes 50-60 GB a day but all of a sudden we detect that 20-30% of data is encrypted and it is changing 90-100 GB per day that will trigger an alert of suspicious activity on that machine. In addition, you will be alerted if we see machines with ransomware notes, bitcoin addresses or other suspicious content.

File system activity analysis is looking for known suspicious extensions from the XML file on the Veeam server. There are over 4,000 known IoCs (indicators of compromise). In addition, this has the intelligence to look for day zero attacks if we start backing up file extensions that have never been seen on a machine even if they are not in the XML file.

In the rest of the blog, I'll quickly show how-to setup inline scanning for your cloud workloads.

Quick How-To:

First, setup a protection group for cloud machines. Simply enter in the credentials to your AWS or Azure account/subscription and choose the region of the machines to protect.

Make sure you choose cloud machines for your type of protection group as these are special kind of agents.

Select machines individually for the masochists out there or simply insert a tag to catch-all the cloud workloads to protect.

A role with the following permissions needs to be attached to each instance you want to protect in the case of AWS. Veeam automagically can create and assign those roles which makes life a lot easier for organizations with hundreds or thousands of workloads out there.

Lastly, enable both entropy and file system analysis in the global settings as shown above earlier. Once your backup job is created, inline malware scanning will occur by default on all backups. If something suspicious is detected it will show in the properties of the job, inventory menu and/or syslog server if you enabled event forwarding.

And here it is in the properties of the job if you want to get a quick glance of the last restore point Veeam believes to be clean.


As the ransomware threat landscape continues to evolve, organizations must remain vigilant to protect their cloud workloads. Veeam's ransomware inline scanning capabilities offer real-time threat detection, malware signature recognition, behavior analysis, and automatic remediation. By incorporating Veeam into your data protection strategy, you can improve the resilience of your cloud workloads against ransomware attacks, ensure business continuity, and safeguard your critical data assets. Don't wait until it's too late – take proactive measures to defend your cloud environment today.


Cloud workloads are supported for AWS and Azure Windows IaaS workloads. Entropy analysis works for volume-level backup mode. File system analysis can be used for both image and volume-level backup modes.


Recent Posts

See All

Why Veeam


bottom of page