Overview
β Important
VMware tools must be installed and running on the destination virtual machines for scanning files for malicious data. For more information, see Restore virtual machines using sandbox.
Ensure that there are at least 2 CPUs and 4 GB memory with 1. 4 to 1.5 GB free to run the scan. However, it is recommended to have 8 CPUs and 16 GB memory for a faster scan.
We use the ClamAV-1.0.1 version for malicious file scan checks.
After the restore job is complete for the Sandbox virtual machine, you can scan the data for malicious files and pre-defined file hashes with the Malicious File Scan feature. This ensures the restored data is clean and devoid of viruses and malware. You can scan the data irrespective of the restore location.
When Malicious File Scan is enabled, the Malicious File Scan section appears in the Sandbox Recovery > Settings window on the Hybrid Workloads page.
For Sandbox VM file scan, toggle the button to enable the scan from the Sandbox Recovery > Settings page.
Select the Delete Malicious Files checkbox if you want to automatically delete the detected malicious files identified during Malicious File Scan.
π Note
β
βIn case of scan job failure with the Delete Malicious Files setting already selected, some malicious file(s) will get deleted as part of the scan.
For more information about VMware Sandbox Recovery, see Restore virtual machines using sandbox.
β Important
You cannot enable or disable Malicious File Scan for Sandbox VM from the Malicious File Scan > Settings tab on the Ransomware Recovery page.
The virtual machine is scanned after restore completion, hence the overall job time increases. You can view the progress of the scan job from the Jobs page. There is an option to cancel the scan job if you feel itβs taking longer than you expected and restoring the files is urgent.
On the restore Jobs page for a virtual machine, the blue sign is present beside every restore job that has a malicious file scan enabled. To learn more about what each scan status icon displayed on the Sandbox VM signifies, see Scan status for sandbox recovery job.
β Important
Malicious file scan is not supported for files beyond 4 GB in size.
Support matrix for Sandbox Recovery
The following are the supported Windows versions for Sandbox Recovery:
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2008R2
π Note
βFor Malicious File Scan support for Windows Server 2008R2, ensure that the prerequisites are met.
The following are the supported Linux versions for Sandbox Recovery:
Red Hat Enterprise Linux (RHEL) 7.0 , 7.1, 7.2, 7.3, 7.4, 7.5
CentOS 7.0 , 7.1, 7.2, 7.3, 7.4, 7.5
Ubuntu 14.04,16.04
SUSE Linux Enterprise Server 12, 12 SP 3
VMware Photon OS Version 4
Monitor Sandbox Recovery scan jobs
You can monitor the status of sandbox recovery scan jobs via alerts and audit trails.
Alerts
After the file scan job is complete, a warning alert is generated and an email is sent to subscribed administrators in case malicious files are encountered during a scan. You can view the alert details from the Alerts page.
Audit Trails
You can filter and view the details of the file scan job activities from the Audit Trails > Filters > Activity Type.
You can view details for the following Malicious File Scan activity types:
Job created: The detailed status of the sandbox recovery scan job created
Job Cancelled: The detailed status of the canceled sandbox recovery scan job
Downloaded job report - The detailed report of the scan job to view details of the scan job
You may encounter the following errors related to anti-virus scan skip for files.
Error | Reason |
WARNING: Can't open file- Permission denied | This error is observed in the following scenarios:
|
Empty file | The file has no data to scan. |
WARNING:- Can't access file | The file size is greater than the set file size limit for the file scan to run. |
Linux specific errors | |
Not supported file type (Observed for linux) | The file type is not supported for anti-virus scan. |
| Access to the file is denied due to a lack of required permissions. |
βββββTo view activity details for a specific administrator, select the administrator and click View Details. The Activity Details page with file scan activity information is displayed.
For more information about VMware Sandbox Recovery, see Restore virtual machines using sandbox.
βΊHere is a quick preview of Sandbox Recovery.