Description
This article provides an overview of the important components of the malware scan functionality in NetBackup.
- NetBackup 10 introduced malware scanning of backup images from Standard and MS-Windows policies that are stored on an Instant Access (IA) enabled MSDP pool.
- Scanning images is a manual action, unless triggered by anomaly detection (this option requires configuration and is a separate feature).
- The feature has many dependencies: it is an orchestration of several NetBackup components, including Instant Access, MSDP, the NetBackup API and the antivirus (AV) scan engine.
- If NetBackup finds malware in a supported backup image, it can find the last known good image that is malware free.
- As of NetBackup 10.5 the feature is supported for the following workloads:
  - Unstructured data workloads
    - Standard
    - MS-Windows
    - NAS-Data-Protection
    - Universal shares
    - Kubernetes
  - Structured data workloads
    - VMware
    - Cloud
    - Cloud-Object-Store
For best results, the MSDP EEB Bundle for the respective version of NetBackup should be installed on all of the associated NetBackup servers:
- 10.1 https://www.veritas.com/content/support/en_US/downloads/update.UPD446179
- 10.1.1 https://www.veritas.com/content/support/en_US/downloads/update.UPD405441
- 10.2 https://www.veritas.com/content/support/en_US/downloads/update.UPD907533
- 10.2.0.1 https://www.veritas.com/content/support/en_US/downloads/update.UPD631427
- 10.3 https://www.veritas.com/content/support/en_US/downloads/update.UPD815396
- 10.3.0.1 https://www.veritas.com/content/support/en_US/downloads/update.UPD126292
- 10.4 https://www.veritas.com/content/support/en_US/downloads/update.UPD107290
- 10.4.0.1 https://www.veritas.com/content/support/en_US/downloads/update.UPD448583
- 10.5 https://www.veritas.com/support/en_US/downloads/update.UPD455501
libguestfs
- Libguestfs is a set of tools and libraries for accessing and modifying virtual machine (VM) disk images.
- It was part of the VRTSpddei.rpm package in the Media Server software installation and required for malware scan of VMware backup images.
- From NetBackup 10.4 onward, VRTSpddei.rpm is no longer installed as part of a fresh installation in a BYO (Bring Your Own) server environment.
- The libguestfs binaries must therefore be installed manually, as described in the article: VRTSpddei rpm and libguestfs in NetBackup BYO
Scan Host Server:
- The Scan host Server does not need to have any NetBackup software installed on it.
- Malware Scanner Software needs to be installed on Scan Host Server.
- The credentials entry for the scan host in the NetBackup Web UI (the "RSA key" field) takes the SHA-256 fingerprint of the scan host's SSH RSA host key, hex-encoded as printed by sha256sum.
- To retrieve it, run the following command on the media server against the scan host:
ssh-keyscan <<hostname>> 2>/dev/null | grep ssh-rsa | awk '{print $3}' | base64 -d | sha256sum
- ssh-keyscan fetches the key over the network, so confirm the value out of band before entering it: the same computation run on the scan host itself against its own key file (/etc/ssh/ssh_host_rsa_key.pub, which has no leading hostname field, so use $2 instead of $3) must produce an identical value. A mismatch means the host key has changed or the connection is being intercepted, and the host should not be added.
- Prerequisites for a Linux scan host: Prerequisites for Linux scan host
- Prerequisites for a Windows scan host: Prerequisites for Windows scan host
- Scan host can be configured automatically using one of the following options:
- PowerShell: Scan host configuration using PowerShell
- Shell: Scan host configuration using Shell
- Ansible: Scan host configuration using Ansible
- The Scan Host Server can be configured with a non-root or non-administrator user.
- By default, three parallel scans are supported per scan host and this limit is configurable as per Configure resource limits for malware detection
- A scan host pool is a group of scan hosts. Both the pool and its member hosts are configured from the NetBackup Web UI, and the scan host configuration is not complete until this has been done.
- During Malware Scanner software installation on the scan host, the installer asks for the path of the malware scanner installation.
- Ensure the scan engine path is defined in the system PATH on both Windows and Linux scan hosts.
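The fingerprint check described under Scan Host Server, as an added example that is not part of the original article or of NetBackup: it computes the hex SHA-256 of the scan host's RSA host key the same way the article's ssh-keyscan pipeline does, and refuses to proceed unless that value matches one obtained out of band (for example, computed on the scan host console from /etc/ssh/ssh_host_rsa_key.pub). The script name, the function names and the sample key lines used in testing are constructed for this example; it assumes GNU coreutils base64 and sha256sum.

```shell
#!/bin/sh
# Added example (not from the Veritas article): obtain the scan host's
# RSA host-key fingerprint in the same hex SHA-256 form as the article's
# ssh-keyscan pipeline, and compare it with a value obtained out of band.
# The Web UI pins whatever fingerprint is entered, so a key substituted
# on the network path must be caught here, not later.

# fingerprint_from_keyline LINE
#   LINE is one OpenSSH public-key line, either "host ssh-rsa <blob>" as
#   printed by ssh-keyscan or "ssh-rsa <blob> [comment]" as found in a
#   .pub file. Prints the hex SHA-256 of the decoded key blob; returns 1
#   (printing nothing) for non-RSA lines or undecodable blobs.
fingerprint_from_keyline() {
    set -- $1
    if [ "$1" = "ssh-rsa" ]; then
        blob=$2
    elif [ "$2" = "ssh-rsa" ]; then
        blob=$3
    else
        return 1
    fi
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$blob" | base64 -d 2>/dev/null | sha256sum | awk '{print $1}'
}

# scan_host_fingerprint HOST
#   What the article's one-liner does, restricted to the RSA host key.
scan_host_fingerprint() {
    line=$(ssh-keyscan -t rsa "$1" 2>/dev/null | grep ' ssh-rsa ' | head -n 1)
    fingerprint_from_keyline "$line"
}

# verify_fingerprint OBSERVED EXPECTED
#   Returns 0 only on an exact 64-hex-character match, 1 on mismatch,
#   2 if OBSERVED is not a well-formed fingerprint at all.
verify_fingerprint() {
    observed=$1
    expected=$2
    case "$observed" in
        *[!0-9a-f]*|'') echo "invalid fingerprint: '$observed'"; return 2 ;;
    esac
    if [ "${#observed}" -ne 64 ]; then
        echo "invalid fingerprint length: ${#observed}"; return 2
    fi
    if [ "$observed" = "$expected" ]; then
        echo "MATCH: $observed"
        return 0
    fi
    echo "MISMATCH: network reports $observed, expected $expected"
    echo "Do not add this scan host: the host key changed or the path is intercepted."
    return 1
}

# Usage: sh check_scanhost_key.sh <scan-host> <expected-hex-fingerprint>
# where the expected value was produced on the scan host itself with:
#   awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum
if [ "$#" -eq 2 ]; then
    observed=$(scan_host_fingerprint "$1")
    verify_fingerprint "$observed" "$2"
fi
```

Only a MATCH result should be pasted into the Web UI; a mismatch should be investigated on the scan host before any scan traffic is sent to it.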
Malware Scanner Software:
- Malware Scanner SDK binaries need to be installed on the Scan Host Server.
- The only supported malware scanners are:
- Symantec Protection Engine
- Microsoft Defender Antivirus
- NetBackup Malware Scanner (Avira)
- Scanner Configuration steps are available in the following articles:
- How to configure NetBackup Malware Scanner at Linux Server
- How to configure a NetBackup Malware scan-host on Linux using share type NFS and Avira malware scanner
- How to configure NetBackup Malware Scanner at Windows Server
- How to configure Symantec Protection Engine at Windows and Linux Server
- How to configure Microsoft Defender Antivirus at Windows Server
Instant Access:
- During a malware scan, two instant access jobs start: the first mounts the image and the second unmounts it.
- Instant Access creates a VPFS (Veritas provisioning file system) image of the backup image present at MSDP disk.
- The VPFS image is created by leveraging the de-duplicated data blocks stored in the MSDP. This involves mapping the logical structure of the backup image to the physical storage blocks in the MSDP.
- The VPFS image is then mounted on the scan host server. The mounting process involves creating a virtual disk that represents the VPFS image. This virtual disk is then attached to the server, making the file system accessible.
- Once the VPFS image is mounted, it is exposed as a file system that the malware scanner can read almost instantaneously. For malware scanning the scan host mounts the share read-only (note the ro option in the mount example under Useful commands), so the scanner cannot alter the backup data.
- Pre-requisite - MSDP build-your-own (BYO) server prerequisites and hardware requirements to configure Instant Access
Dynamic Scan:
- NetBackup 10.3 or later provides support for the dynamic scan feature.
- Dynamic Scan is supported on Standard, MS-Windows, Cloud-Object-Store and NAS-Data-Protection workloads.
- Dynamic scan optimizes Instant Access and scan performance on MSDP for backups with a large number of files: both the time to create the instant access share and the scan itself are faster.
- Dynamic scan is enabled by default.
- Dynamic scan can be turned off manually by adding the parameter below in the spws configuration file (<storage path>/spws/etc/spws.cfg) on the MSDP server:
[spws]
EnableDynamicScan=False
Differences between Traditional malware scans and Dynamic scans:
Key scanning procedure | Traditional malware scan using Instant Access mount points | Dynamic scan |
---|---|---|
Instant access stage | Analyzes the tar stream, then builds each file's header and an extent map file (LMDB database). This is time consuming when the backup contains a large number of files. | Restores the TIR (catalog database) and IM (image metadata) information from the data fragments. |
Instant access share (NFS/SMB) is mounted and the user lists or accesses a file | Accesses the file header and reads the attributes from it. | Queries the catalog database for the directory to get all files and directories under it; each file and directory attribute can also be queried and returned. |
Scan host opens a file | Opens and loads the LMDB database. | Builds the index in memory and reads directly from the data container. |
Scan host reads a file | Searches the LMDB database and reads from the data container. | If the storage server is from a third-party storage vendor, the data is read directly through the OST interface. If the storage server is PureDisk, it searches the mapping table and reads the data from the data container. |
Mirror Servers:
- A mirror server for NetBackup Malware Scanner (Avira) signature updates only needs to be configured when the scan host has no internet access.
- For NetBackup Malware Scanner, updates happen over HTTPS (https://oem.avira-update.com/update). Please provide access to this URL from the Mirror Server.
- The Mirror Server requires web server software (nginx, Apache etc.) installed and configured on it. Because the mirror exposes a directory listing over plain HTTP, restrict access to it to the scan hosts (web server allow/deny rules or a host firewall).
Example steps using nginx :-
a. Install nginx: yum install nginx
b. Edit /etc/nginx/nginx.conf
c. Add the following to the server block
location /home/update-path {
autoindex on;
root /;
}
Note: /home/update-path is used here as an example path for storing the Avira VDF (signature) files.
- This is the same path as the installation directory.
- The path can be changed as required (/home/update-path is only an example).
d. Reload nginx and confirm it is running:
nginx -s reload
systemctl status nginx
- Test the URL from a browser (or curl) on a scan host:
http://{{MIRROR_SERVER_HOST}}/home/update-path
- Verify that the path and the files in it are reachable through that URL.
- If they are, continue with the steps in: https://www.veritas.com/content/support/en_US/doc/21733320-165970098-0/v160413170-165970098
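A hardened variant of the nginx location block above, as an added example that is not the article's or Veritas' own configuration. It keeps the directory listing (the test step above depends on it) but answers only the scan host network; the server name and the subnet 10.10.20.0/24 are placeholders to be replaced with the real values.

```nginx
# Added example, not from the Veritas article: serve the Avira VDF
# mirror directory only, and only to the scan hosts.
server {
    listen 80;
    server_name mirror.example.internal;   # placeholder name

    location /home/update-path/ {
        alias /home/update-path/;   # serve only the VDF directory
        autoindex on;               # listing needed for the URL test above
        allow 10.10.20.0/24;        # placeholder: scan host network
        deny all;
    }

    location / {
        return 404;                 # nothing else is served from this host
    }
}
```

Run nginx -t before nginx -s reload so a syntax error does not take the mirror offline; from a host outside the allowed subnet the URL test must return 403.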
File Hashes:
- This feature is available from NetBackup 10.5 and higher versions only.
- Only Standard, MS-Windows and DNAS policies are supported to generate file hashes.
- The Accelerator option must be enabled in order to generate file hashes.
- This option allows users to search files by a file’s hash.
- The file’s hash is calculated based on the file’s content using the SHA256 algorithm.
- The file’s hash is calculated at backup stage.
- When the backup job finishes, the file hashes are stored in the NetBackup catalog on the Primary Server and then moved to the search server (File hash server).
- One use case is to find malware files in the backup images.
- There are 3rd party authorities that periodically publish file hashes of known malware files.
- Enable the File Hash functionality by selecting the "Calculate file hash" check box in the policy attributes, under the Use Accelerator option:
- This feature may affect the backup performance depending on the client configuration such as CPU and memory.
- If the CPU has SHA extensions, the hash calculation is faster than the CPU without SHA extensions.
- The NetBackup catalog is expected to increase by 20% or more.
- You can configure to delete the file hash information automatically from the NetBackup catalog after it is copied to the file hash server by adding the line AUTO_CLEAN_FILE_HASH_FROM_CATALOG = 1 in the bp.conf file on the primary server.
- To list all the backups that have file hash enabled, run the following command
Windows:<install_path>\veritas\netbackup\bin\admincmd\bpcatlist -file-hash-present
Linux: /usr/openv/netbackup/bin/admincmd/bpcatlist -file-hash-present
Process Flow of how File Hash works:
File Hash Server (also known as Search Server):
- The File Hash Server is designed to receive file hash information from a Primary Server on a periodic basis.
- The file hash information of backup images gets transferred from the Primary Server to the File Hash Server
- The File Hash server must be on a Red Hat Enterprise Linux media server, but it cannot be on a MSDP storage server.
- This means that the search server and MSDP storage server cannot be on the same media server.
- The search server also cannot be configured on a NetBackup Primary Server.
- A NetBackup domain can only have one search server.
- On the search servers, nginx must be installed and configured before installing the NetBackup media server software.
- Use the fhdb_config.sh script to configure a file hash search server. It takes one parameter which is the storage location (/search in this example) for file hash search files. The command below needs to be run on the File Hash Server:
#/usr/openv/pdde/pdcr/bin/fhdb_config.sh --hash-storage-path=/search
After the file hash search server is configured, run the command shown below on the Primary Server so that the Primary Server knows which media server is acting as the File Hash server:
#/usr/openv/netbackup/bin/goodies/nbfhsmgr -config <File_Hash_Server>
- On the Primary Server the /usr/openv/netbackup/bp.conf will display a new entry for the FILE_HASH_SERVER after the above configuration is complete.
- The primary server will now periodically send the file hash information to the search server.
- This interval is configured in /usr/openv/netbackup/bp.conf on the primary server with the following parameter, whose value is the number of seconds between transfers of file hashes from the primary server to the search server:
FILE_HASH_BID_BATCH_INTERVAL = 86400
- File Hash Server Configuration is explained here: Configuring the file hash server
Searching for files using the file hash:
- On the Search tab of the Catalog window, click the Action drop-down list and select “File hash search” from the list:
- In the File hash search window, input the list of file hashes into the search box at the bottom of the screen.
- One hash occupies one line.
- Each hash must be 64 characters.
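A helper for the File hash search described above, as an added example that is not part of the original article or of NetBackup: it turns a raw threat-feed hash list into the one-hash-per-line, 64-character form the search box expects, and shows locally that the file hash is a content hash (SHA-256 over the file's bytes), so a renamed copy of a known-bad file still matches. The script and function names, the sample files and the feed contents used in testing are constructed; lower-casing the hashes to sha256sum's own form is this example's assumption, since the article only states the 64-character requirement.

```shell
#!/bin/sh
# Added example, not part of the Veritas article: prepare a threat-feed
# hash list for the Catalog > File hash search box (one hash per line,
# 64 characters each) and match local files against it.

# normalize_hash_list: stdin = raw feed (comment lines, CRLF endings,
# mixed case, MD5/SHA-1 entries mixed in), stdout = unique lower-case
# SHA-256 hex digests, one per line. Assumption: lower case is accepted.
normalize_hash_list() {
    tr -d '\r' \
    | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | tr 'A-F' 'a-f' \
    | grep -E '^[0-9a-f]{64}$' \
    | sort -u
}

# sha256_of_file FILE: the same SHA-256 over the content that the backup
# computes; the file name and path play no part in it
sha256_of_file() {
    sha256sum "$1" | awk '{print $1}'
}

# match_files_against_feed FEED DIR: prints "HIT <hash> <path>" for every
# regular file under DIR whose content hash appears in the normalized feed
# (a local stand-in for what the File hash search does against the catalog)
match_files_against_feed() {
    clean=$(normalize_hash_list < "$1")
    find "$2" -type f | while IFS= read -r f; do
        h=$(sha256_of_file "$f")
        if printf '%s\n' "$clean" | grep -qx "$h"; then
            echo "HIT $h $f"
        fi
    done
}

# Usage: sh prepare_hash_search.sh feed.txt > hashes_for_webui.txt
if [ "$#" -eq 1 ]; then
    normalize_hash_list < "$1"
fi
```

The output of normalize_hash_list is what gets pasted into the search box; entries that are not 64 hex characters (MD5, SHA-1, truncated lines) are dropped rather than passed through to fail validation one at a time.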
Validating the scan host pool configuration
- On the left, click Detection and reporting > Malware detection.
- On the Malware detection page, click Malware detection settings on the top-right corner.
- After adding a new scan host or selecting an existing one, on the Manage malware scanner hosts page select the desired scan host and click Validate configuration from the action menu.
- On the Validate configuration page, enter the details to search and select an image to validate the configuration.
Note: Validating the configuration is only supported for Standard policy backup images.
- Select the backups to scan and click on Validate configuration.
- It is recommended to use backup images with a smaller number of files.
- For larger backups, IA creation may be delayed and the test scan might fail.
- After successful validation, click Finish.
- The Malware scanner host pools page will be displayed with the list of added scanner hosts.
Malware scanning for OST and AdvancedDisk
Malware scanning of images on OST (DataDomain) and AdvancedDisk storage is supported for unstructured data only, that is backups from these policy types:
- Standard
- MS-Windows
- DNAS (NAS-Data-Protection)
Other workloads (e.g. VMware) are not supported on these storage types.
Important Tuning and Configuration Parameters
More information about the following commands can be found in the Administrator's Guide or Security and Encryption Guide for the installed version of NetBackup:
MALWARE_SCAN_OPERATION_TIMEOUT
- This parameter is used to configure the duration of the scan operation that is allowed to run before a timeout occurs.
- By default, the scan operation timeout value is 2880 minutes (2 days) and it is configurable:
- The minimum supported value is 60 minutes (1 hour) and
- The maximum supported value is 43200 minutes (30 days).
- This parameter is only applicable on the media server.
- Example - MALWARE_SCAN_OPERATION_TIMEOUT = 2880
- Use nbgetconfig or nbsetconfig commands to view, add, or change the value of the timeout.
MALWARE_DETECTION_TIMEOUT_PERIOD
- This parameter configures, on the primary server, how long a malware detection (scan) job may run before it times out.
- By default the timeout is 48 hours (2 days); the value is in hours.
- This parameter is only applicable on the Primary Server
- Example - MALWARE_DETECTION_TIMEOUT_PERIOD = 48
- Use nbgetconfig or nbsetconfig commands to view, add, or change the value of the timeout.
MALWARE_DETECTION_CLEANUP_PERIOD
- Malware detection performs automated cleanup of scan jobs which are older than 30 days in batches
- Cleanup runs every 24 hours after NetBackup has started.
- The value for this setting is in the number of days.
- Although any integer value greater than 0 is accepted, it is recommended not to set a value of more than 6 months (180 days).
- If an invalid value is configured, then the default value of 30 days is used.
- To switch off the cleanup period altogether use a value of 0.
- Example - MALWARE_DETECTION_CLEANUP_PERIOD = 30
- Modify the configuration parameters in the bp.conf file on the primary server.
MALWARE_DETECTION_CLEANUP_BATCH_SIZE
- It controls the automatic cleanup batch job size.
- The default value is 500.
- You can set any value between 1 to 5000 for the batch size.
- Example - MALWARE_DETECTION_CLEANUP_BATCH_SIZE = 600
- Set the parameter in the bp.conf file.
FAIL_SAFE_SCAN_RETRY_COUNT
- This parameter is used by the primary server to attempt the scan job on a different scan host from the same scan host pool.
- Permissible values for FAIL_SAFE_SCAN_RETRY_COUNT:
Value | Description |
---|---|
0 | Disabled |
1 | Default retry count (by default the fail-safe scan is triggered once; the maximum configurable value in bp.conf is 3) |
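The documented ranges above, turned into a check that can be run before a change is committed, as an added example that is not part of the original article or of NetBackup: it reads bp.conf-style "KEY = VALUE" lines (the primary server's bp.conf, or nbgetconfig output) and reports malware-scan tuning values that are non-numeric or outside the limits stated in this section. The script and function names and the sample fragment used in testing are constructed; parameters whose range the article does not give (MALWARE_DETECTION_TIMEOUT_PERIOD, FILE_HASH_BID_BATCH_INTERVAL) are only checked for being numeric, and a cleanup period above the recommended 180 days is counted as a problem.

```shell
#!/bin/sh
# Added example, not from the Veritas article: lint malware-scan tuning
# entries of a bp.conf-style stream against the ranges documented above,
# so a typo or out-of-range value is caught before NetBackup silently
# falls back to a default.

# check_numeric NAME VALUE: the value must be a non-negative integer
check_numeric() {
    case "$2" in
        ''|*[!0-9]*) echo "$1: not a number ('$2')"; return 1 ;;
    esac
    return 0
}

# check_range NAME VALUE MIN MAX [WORD]: WORD ("allowed" by default, or
# "recommended") only changes the message
check_range() {
    check_numeric "$1" "$2" || return 1
    if [ "$2" -lt "$3" ] || [ "$2" -gt "$4" ]; then
        echo "$1: $2 is outside the ${5:-allowed} range $3-$4"
        return 1
    fi
    echo "$1: ok ($2)"
}

# lint_bpconf: reads bp.conf lines on stdin, prints one verdict per known
# parameter, returns the number of problems found (0 = clean)
lint_bpconf() {
    problems=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(printf '%s\n' "$line" | sed 's/[[:space:]]*=.*$//')
        val=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
        bad=0
        case "$key" in
            MALWARE_SCAN_OPERATION_TIMEOUT)      # minutes, media server
                check_range "$key" "$val" 60 43200 || bad=1 ;;
            MALWARE_DETECTION_TIMEOUT_PERIOD)    # hours, primary server
                check_numeric "$key" "$val" || bad=1 ;;
            MALWARE_DETECTION_CLEANUP_PERIOD)    # days; 0 switches cleanup off
                if [ "$val" = "0" ]; then
                    echo "$key: cleanup disabled (0)"
                else
                    check_range "$key" "$val" 1 180 recommended || bad=1
                fi ;;
            MALWARE_DETECTION_CLEANUP_BATCH_SIZE)
                check_range "$key" "$val" 1 5000 || bad=1 ;;
            FAIL_SAFE_SCAN_RETRY_COUNT)
                check_range "$key" "$val" 0 3 || bad=1 ;;
            FILE_HASH_BID_BATCH_INTERVAL)        # seconds
                check_numeric "$key" "$val" || bad=1 ;;
            *) continue ;;
        esac
        problems=$((problems + bad))
    done
    return "$problems"
}

# Usage: sh lint_malware_bpconf.sh /usr/openv/netbackup/bp.conf
#    or: nbgetconfig | sh lint_malware_bpconf.sh /dev/stdin
if [ "$#" -eq 1 ]; then
    lint_bpconf < "$1"
    echo "problems found: $?"
fi
```

The exit status of lint_bpconf is the problem count, so it can gate a change-control step; keys the script does not know about (SERVER, EMMSERVER and so on) are ignored.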
Instant Access tuning parameters for malware scanning
- Set the following Linux kernel parameter on the Storage Server (it raises the maximum number of memory map areas a process may hold).
- Add the parameter with this value to the /etc/sysctl.conf file:
vm.max_map_count=262144
- After adding or changing the value, reload the configuration file using the command:
#sysctl -p
Resource limit for Malware Detection
- This parameter defines how many parallel malware scans per scan host can run simultaneously.
- It can be configured from the Web UI only (see the Web UI Administrator's Guide for more information).
- Configuration instructions see: Configure resource limits for malware detection
Viewing scan result failures:
- When viewing a scan result failure on the Web UI, hover over the failed entry to reveal more details of the error:
Useful commands:
1. Once NetBackup has scanned an image and identified and recorded malware in that image, it is possible to restore only the clean files and skip the infected files using the bpcleanrestore command. The bpcleanrestore command identifies the Malware infected backup images in a given date range, skips the infected files and restores the clean data.
This command is especially important during recovery from a malware attack, since the Java UI and/or Web UI may not yet be functional.
Examples:
Windows: <install_path>\veritas\netbackup\bin\goodies\bpcleanrestore -restorecleandata -C myclient -S mymaster -t 0 -p myclientpolicy -st 01/01/2024 -et 01/10/2024
Linux: /usr/openv/netbackup/bin/goodies/bpcleanrestore -restorecleandata -C myclient -S mymaster -t 0 -p myclientpolicy -st 01/01/2024 -et 01/10/2024
2. Once the vpfs_share image is created on the storage server, use the mount command with verbose output on the Scan Host Server to troubleshoot mount issues.
The share name can be found in virt-access.log. In the example below the NFSv4.2 attempt fails and the NFSv3 fallback is refused with "access denied by server": the storage server is reachable and answering, so this typically indicates that the scan host is not permitted by the export rather than a connectivity problem; compare with the showmount output from step 3.
Example:
# sudo mount -vvv -t nfs -o ro,soft,timeo=600 <storage_server>:/mnt/vpfs_shares/36_1/36_1673545045 /tmp/malware-test
mount.nfs: timeout set for Fri Jan 13 10:28:23 2023
mount.nfs: trying text-based options 'soft,timeo=600,vers=4.2,addr=2600:::::13,clientaddr=2600:::::::b95f'
mount.nfs: mount(2): No such file or directory
mount.nfs: trying text-based options 'soft,timeo=600,addr=2600:::::13'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 2600:80b:210:112::13 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 2600:80b:210:112::13 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting <storage_server>:/mnt/vpfs_shares/36_1/36_1673545045
3. Display the NFS server mount by running the showmount command on the Scan Host Server:
#showmount -e <storage_server>
4. Verify connectivity from the Scan Host Server to the Storage Server on the ports below using curl (2049 is NFS, 20048 is mountd and 111 is rpcbind/portmapper):
#curl -vvv telnet://<MSDP_Storage_Server>:2049
#curl -vvv telnet://<MSDP_Storage_Server>:20048
#curl -vvv telnet://<MSDP_Storage_Server>:111
#curl -vvv telnet://<MSDP_Storage_Server>:867
For additional information see: The Smart Use of Malware Scanning in NetBackup
Also review the Related articles section below for a list of known issues with resolutions.