All Products
Search
Document Center

Cloud Backup:Virus Detection for Backup Points

Last Updated:Jun 22, 2026

To avoid contaminating your production environment by restoring virus-infected data, Cloud Backup provides the Backup Point Virus Detection feature.

Overview

Cloud Backup regularly backs up data from your production environment. If your production data becomes infected, the corresponding backup data also carries the virus. Restoring infected files causes secondary contamination, delays disaster recovery, and increases business losses. Cloud Backup offers Virus Detection for Backup Points to help you select clean, safe backup points for data restoration. With this feature, you can:

  • Enable automatic detection based on backup policies: When setting a backup policy, turn on the Backup Point Virus Detection feature. Cloud Backup automatically scans backup data for viruses after each scheduled backup. This lets you assess the risk level of files in every backup point and efficiently choose safe files during recovery.

  • Perform on-demand manual detection: Based on your specific needs, select a particular backup point from backup history for virus scanning, create a virus detection task on the Virus Detection page, or enable virus detection during file restoration.

If Cloud Backup detects virus-infected files in a backup point, it marks that backup point as risky. When browsing backup points, you can view detailed risk information for individual files.

Supported scope and limits

  • The Backup Point Virus Detection feature supports the following data sources: ECS File Backup (new), Local File Backup (new), OSS Backup, Alibaba Cloud NAS Backup, and On-premises NAS Backup.

  • The Backup Point Virus Detection feature can only scan individual backup files up to 100 MB in size. Files larger than 100 MB are skipped. You can download the “List of Undetectable Files” to view details about these files.

  • Supported regions: See Features Supported by Region.

Supported Virus Types

Cloud Backup Backup Point Virus Detection supports detection of the following virus types (virus_type).

virus_type

Virus Name

Backdoor

Reverse shell backdoor

DDoS

DDoS Trojan

Downloader

Downloader Trojan

Engtest

Engine test program

Hacktool

Hacking tool

Trojan

High-risk program

Malbaseware

Compromised base software

MalScript

Malicious script

Malware

Malicious program

Miner

Mining program

Proxytool

Proxy tool

RansomWare

Ransomware

RiskWare

Risk software

Rootkit

Rootkit

Stealer

Data-stealing tool

Scanner

Scanner

Suspicious

Suspicious program

Virus

Infectious virus

WebShell

Web shell

Worm

Worm

AdWare

Advertising Program

Patcher

Cracking program

Gametool

Private server tool

Important Notes

  • Backup points in the archive tier of a backup vault do not support Backup Point Virus Detection.

  • In replication scenarios, backup points in the replication target vault do not support automatic detection based on backup policies, but they do support on-demand manual detection. If files in a backup point were scanned at the source, the detection results appear on the same backup point and files at the target, so you do not need to rescan them. For more information about on-demand virus detection, see On-demand Manual Detection of Backup Data.

  • After enabling Backup Point Virus Detection in a backup policy, Cloud Backup performs a full virus scan on the first backup point and incremental scans on subsequent backup points.

  • You cannot cancel a virus detection task once it starts.

How it works

Virus detection is built into the backup service. No additional services or clients are required to scan backup data.

Automatic Detection Based on Backup Policies

After enabling Backup Point Virus Detection in a backup policy, the backup service automatically scans each backup point for viruses after every scheduled backup. Scan duration depends on the number of files scanned.

  • Virus detection follows this logic:

    • First scan: Performs a full virus scan on the first backup point in the backup chain.

    • Subsequent scans: Compares against the previous backup point and performs an incremental virus scan only on new or changed files.

  • Example:

    • Backup Point 1: Scans 10000 files (full scan).

    • Backup Point 2: Scans only the 2000 new files and 1000 changed files from Backup Point 1 (3000 incremental files total).

    • Backup Point 3: Scans only the 2000 changed files from Backup Point 2 (incremental scan).

On-demand Manual Detection

  • On-demand manual detection methods include the following:

    • In the Backup History, select a backup point to manually scan for viruses.

    • In the Backup History, select a backup point to create a restore job and enable the Virus Detection During Restoration feature.

    • On the Restore Jobs page, select a backup point from a backup vault or replication target vault to create a restore job and enable the Virus Detection During Restoration feature.

    • On the Virus Detection page, select a backup point from a backup vault or replication target vault to manually scan for viruses.

    • On the Virus Detection page, if a backup point in a backup vault or replication target vault is infected, use Find Secure Version for Restoration to scan other backup points and restore a clean version.

  • On-demand manual detection features:

    • Each backup point is scanned independently. Results are not inherited from other backup points in the same chain, so the same file might be scanned multiple times across different backup points.

    • If you scan the same backup point multiple times, each file is scanned only once, and results are automatically merged.

  • Example:

    • For Backup Point 1:

      • /A directory contains 10000 files; /A/B subdirectory contains 4000 files.

      • First scan targets only /A/B directory: 4000 files scanned.

      • Second scan targets /A directory: skips already scanned /A/B files and scans the remaining 6000 files.

    • For Backup Point 2: A full on-demand scan checks all 12000 files (9000 + 1000 + 2000).

    • For Backup Point 3: A full on-demand scan checks all 3000 files (1000 + 2000).

Access Methods

The following examples use ECS file operations to show how to access the Backup Point Virus Detection feature.

Automatic Detection Based on Backup Policies

When setting a backup policy, enable the Backup Point Virus Detection feature to automatically scan backup data for viruses after each backup.

For instructions on creating a backup policy, see Policy Center.

On the Create Policy page, in the Data Security section under Backup Data Management on the right, turn on the Virus Detection for Backup Points switch.

On-demand Manual Detection

  • In the Backup History, select a backup point to manually scan for viruses.

    Click Virus Detection and choose to scan Include All Files, Include Files, or Exclude Files. These options are mutually exclusive—only one can be active at a time.

    Virus detection is a billable feature. Charges are based on the number of files scanned. See pricing details.

  • In the Backup History, select a backup point to create a restore job and enable the Virus Detection During Restoration feature.

    In the backup details pop-up window, click Restore at the bottom.

    On the Create Restore Job page, find and turn on the Scan for Viruses During Restore switch.

    After enabling Virus Detection During Restoration, Cloud Backup scans all files being restored while restoring them.

    Note
    • Files confirmed safe are restored immediately.

    • Virus-infected files are not restored.

    • We recommend visiting the Virus Detection page to review risky files and find safe versions for restoration.

  • On the Restore Jobs page, click Create Restore Job, select a backup point from a backup vault or replication target vault, and enable the Virus Detection During Restoration feature.

    In the Select Source Instance step, choose Backup Vault, then select the client that owns the backup data from the list below.

    After enabling this feature, safe files are restored directly, and virus files are skipped. We recommend checking the Virus Detection page for risky files. Virus detection is a billable feature.

  • On the Virus Detection page, click Backup Point Virus Detection and select a backup point from a backup vault or replication target vault to manually scan for viruses.

    1. On the Select Source tab, choose the backup vault and client that owns the backup data. Then click Next.

    2. On the Select Backup tab, choose the backup point to scan. Then click Next.

      Virus detection is a billable feature. Be aware of related charges.

    3. On the Select File to Detect tab, choose to scan Include All Files, Include Files, or Exclude Files. These options are mutually exclusive—only one can be active at a time. Finally, click OK.

      Virus detection is a billable feature. Charges are based on the number of files scanned. See pricing details. You can also go to the Backup Plans page and select a backup point directly for virus scanning.

  • On the Virus Detection page, if a backup point in a backup vault or replication target vault is infected, use Find Secure Version for Restoration to scan other backup points and restore a clean version.

    Find Safe Version to Restore

    1. On the Virus Detection tab, click Find Secure Version for Restoration in the Actions column for the target ECS instance.

    2. On the Select Files to Search for Secure Versions tab, choose the risky files for which you want to find safe versions. Then click Next.

      The risky file list includes columns for File Name, MD5, Threat Label, Risk Level, and Last Detection Time. Virus detection is a billable feature.

    3. On the Select Backup Points to Search for Secure Versions tab, choose a backup point containing uninfected versions of the files. Then click OK.

      Virus detection is a billable feature. Scanning 1000 files costs approximately USD 0.229. After submission, check the safe version search status on the Restore Jobs page.

    After a restore job is created, you can view the secure version status in the Restore Jobs tab's Status column.

    • If the status is Secure version unavailable, choose a different backup point to search for a safe version.

    • The status is Secure version available. You can click > Use Secure Version for Restoration in the Actions column of the target ECS instance. For more information, see Restore Safe Version.

    Restore Safe Version

    1. Click > Use Secure Version for Restoration in the Actions column of the target ECS.

    2. On the Select Backup tab, choose a backup point that contains a safe version. Then click Next.

      The backup list includes columns for Backup ID, Completion Time, and Safe Version Available.

    3. On the Select Restore Items tab, click Next.

      The page confirms that a safe version of the specified risky file was found in the selected backup point. You can choose a safe version to restore. The files to be restored are listed below, including File Name (for example, /yanglin/1f1fb4c64fa1f758d59c33ae8f08a646), Risk Level (Important), and Threat Label (Mining Program).

    4. On the Restore Destination tab, choose a destination and click Next.

      Set Destination Type to ECS Client (New) and select an Activated target client from the list below.

    5. On the Destination Path tab, specify a path or restore to the original location. Then click Start to Restore.

      If a file with the same name exists at the restore path, choose Skip This File, Overwrite File at Restore Path, or Keep Latest Version Based on Modification Time. Ensure the restore path exists. Otherwise, the restore job fails.

    6. On the Restore Jobs tab, monitor the job status. When the status changes to Completed, the restore succeeded.

Virus Detection Status for Backup Points

If Cloud Backup detects virus-infected files in a backup point during scanning, it marks that backup point as risky. When browsing backup points, you can view detailed information about risky files.

In the backup history section under the Backup Plans tab, use the timeline to check the status of each backup point. A green dot indicates Completed. An orange dot indicates Partially Completed (the backup point may contain risky files).

At the top of the backup browsing page, a red warning banner shows the risk discovery time and most recent scan time. In the file list, risky files are marked with a red icon for quick identification.

If you restore a backup point that contains virus-infected files, you can choose:

  • Do not restore the virus-infected files (You can find secure versions on the Virus Detection tab.)

  • I am aware of the risks and still want to restore all the selected items

We recommend that you visit the Virus Detection page to review threat files and find a secure version to recover. For more information, see Find a secure version to recover.

Detection Results

On the Virus Detection page, view statistics for all scanned backup points, including the following:

  1. Total Number of Backup Points Detected: The cumulative number of backup points scanned.

  2. Total Detected Files: The cumulative count of file scans performed. This is the basis for billing.

  3. High Risk: the cumulative total of high-risk files or objects detected.

  4. Medium Risk: the total number of medium-risk files or objects detected.

  5. Low Risk: the total number of low-risk files or objects detected.

  6. Secure: the total number of safe files or objects detected.

The risky file details list includes columns for File Name, MD5, Threat Label, Risk Level, Detection Time, and Actions. Threat labels include WebShell, malicious script, proxy tool, mining program, suspicious program, and others. In the Actions column, click Find Safe Version to Restore to restore a risky file.

For each backup point, you can view historical detection statistics and details about risky files.

Number of Files Detected: the cumulative number of files or objects scanned for this backup point.

Total Number of Files: the total number of files or objects scheduled for detection at this backup point.

Detection Result: Detection results provide detailed classification statistics of scanned files, including the following:

  • High-risk: represents the cumulative number of high-risk files or objects detected at this backup point.

  • Medium: The cumulative number of medium-risk files or objects detected in this backup point.

  • Low: The cumulative number of low-risk files or objects detected in this backup point.

  • Safe: The cumulative number of safe files or objects detected in this backup point.

  • Undetectable Files: The number of files skipped due to size limits or other constraints. This represents the cumulative count of undetectable files or objects in this backup point.

Related operations

On the Virus Detection page, you can click the in the Actions column to perform the following related operations.

Action

Description

Download List of Virus Files

Export detected virus files to a local file. The exported file includes virus file paths, MD5 hash values, risk levels, and virus names.

Download List of Files That Cannot Be Detected

Files larger than 100 MB are skipped during scanning. Download this list to view details about undetectable backup files.

Forcibly Restore Current Version

Forcing restoration of risky files may pose risks to the restore target. Proceed with caution.

Pricing

Virus detection is a paid feature billed by Total Detected Files. You are charged only for files successfully scanned, regardless of whether the scan is automatic or on-demand. Unscanned files incur no charges.

Automatic detection based on backup policies performs incremental virus detection only on newly added or modified files. On-demand manual detection for each backup point is independent and does not affect other detections. Total Detected Files is the sum of historically detected files from both automatic and manual detection. For detailed billing rules, see the How it works section. For more billing information, see Pricing details.

On the Virus Detection tab, the top of the page displays statistics for Total Backup Points Scanned, Total Files Scanned, Important, Medium, Low, and Safe.