Cloud Backup provides the Backup Point Virus Detection feature to prevent virus contamination in the production environment due to restoration of virus-infected data. This topic describes the backup point virus detection feature of Cloud Backup, including the feature introduction, limits, usage notes, working mechanism, procedure, and fees.
Feature introduction
Cloud Backup periodically backs up data in your production environment. If the data in your production environment is contaminated by viruses, the corresponding data in backup vaults also carries viruses. If you restore data from a backup vault to your production environment and the files used for restoration are infected with viruses, the restoration will cause secondary pollution to the production environment. This significantly affects the timeliness of disaster recovery and causes business losses. Cloud Backup provides the backup point virus detection feature to help you restore data from pure and secure backup points. This feature supports:
Automatic detection based on a backup policy: When you configure a backup policy, you can enable the Backup Point Virus Detection feature. Cloud Backup then automatically detects viruses on the backup data after each scheduled backup is completed. This way, you can understand the risks of backup files at each backup point and efficiently select secure files for data restoration.
Manual detection: You can select a backup point in the backup history for virus detection based on your business requirements. You can also create a virus detection job for a backup point on the Virus Detection page, or use the virus detection during restoration feature.
If Cloud Backup detects that a virus-infected file exists at a backup point, Cloud Backup marks the backup point as risky. When you browse backup points, you can view the risks of backup files at the backup points.
Limits
The Backup Point Virus Detection feature supports the following data sources: Elastic Compute Service (ECS) file backup (new version), on-premises file backup (new version), Object Storage Service (OSS) backup, File Storage NAS (NAS) backup, and local NAS backup.
The Backup Point Virus Detection feature can only detect a single backup file whose size does not exceed 100 MB. If the size of a single backup file exceeds 100 MB, the detection is skipped. In this case, you can download the list of files that cannot be detected to view the specific backup file information.
For more information about the regions that support the feature, see Features available in each region.
Supported virus types
The following table lists the virus types supported by the Backup Point Virus Detection feature of Cloud Backup.
Virus type | Virus name |
Backdoor | Reverse shell |
DDoS | DDoS trojan |
Downloader | Downloader trojan |
Engtest | Engine test program |
Hacktool | Hacking tool |
Trojan | High-risk program |
Malbaseware | Tainted basic software |
MalScript | Malicious script |
Malware | Malware |
Miner | Mining software |
Proxytool | Proxy tool |
RansomWare | Ransomware |
RiskWare | Riskware |
Rootkit | Rootkit |
Stealer | Stealer |
Scanner | Scanner |
Suspicious | Suspicious process |
Virus | File-infecting virus |
WebShell | Webshell |
Worm | Worm |
AdWare | Adware |
Patcher | Patcher |
Gametool | Gametool |
Usage notes
Archive-tier backup points in backup vaults do not support the Backup Point Virus Detection feature.
In cross-region backup scenarios, automatic detection based on backup policies is not supported for backup points in mirror vaults, but manual detection is supported. If viruses are detected for the files at a backup point on the source, the detection result is also displayed at the same backup point and files on the destination. You do not need to perform a secondary detection. For more information about manual virus detection, see Manual detection.
After you enable the Backup Point Virus Detection feature in a backup policy, Cloud Backup performs a full virus detection at the first backup point and incremental virus detections at subsequent backup points.
A backup point virus detection job cannot be canceled after it is started.
How it works
The backup point virus detection feature is seamlessly integrated with Cloud Backup. You can perform virus detection on backup data without the need to deploy any service or client.
Automatic detection based on backup policies
After you enable the Backup Point Virus Detection feature in a backup policy, Cloud Backup automatically detects viruses at the backup point after each scheduled backup is completed. The time required for virus detection depends on the number of files detected.
Cloud Backup detects viruses based on the following logic:
Initial detection: Cloud Backup performs a full virus detection at the first backup point in the backup link.
Subsequent detection: For a subsequent backup point, Cloud Backup performs an incremental virus detection on only the files that are added and changed compared with the previous backup point.
As shown in the preceding figure:
At backup point 1, Cloud Backup performs a full virus detection, and a total of 10,000 files are detected.
At backup point 2, Cloud Backup performs an incremental virus detection on only 1,000 changed files and 2,000 new files compared with backup point 1, and a total of 3,000 files are detected.
At backup point 3, Cloud Backup performs an incremental virus detection on only 2,000 files that are changed compared with backup point 2, and a total of 2,000 files are detected.
Manual detection
You can use one of the following methods to perform manual detection:
In the Backup History section, select a backup point to detect viruses.
In the Backup History section, select a backup point to create a restore job. Enable the Virus Detection During Restoration feature to detect viruses.
On the Restore Jobs tab, select a backup point in a backup vault or in a remote mirror vault to create a restore job. Enable the Virus Detection During Restoration feature to detect viruses.
On the Virus Detection tab, select a backup point in a backup vault or in a remote mirror vault to detect viruses.
On the Virus Detection tab, if a backup point in a backup vault or in a remote mirror vault is infected with viruses, click Find Secure Version for Restoration and select a secure backup point for virus detection and restoration.
Manual virus detection has the following characteristics:
A detection is independently performed at each backup point and the backup point does not inherit the detection results of other backup points in the same backup link. The same file may be detected multiple times.
If multiple manual detections are performed at the same backup point, the same file is detected only once and multiple detection results are automatically merged.
As shown in the preceding figure:
For backup point 1
Directory /A contains 10,000 files and directory /A/B contains 4,000 files.
If you select only directory /A/B for virus detection for the first time, 4,000 files in the directory are detected.
If you select directory /A for virus detection for the second time, only 6,000 (10,000 - 4,000) files are detected. This is because directory /A/B has already been detected and therefore is skipped.
For backup point 2: If you select all files for manual virus detection, a total of 12,000 (9,000 + 1,000 + 2,000) files are detected.
For backup point 3: If you select all files for manual virus detection, a total of 3,000 (1,000 + 2,000) files are detected.
Procedure
The following example describes how to use the Backup Point Virus Detection feature to detect viruses for ECS files.
Automatic detection based on backup policies
For more information about how to create a backup policy, see Manage backup policies.
Manual detection
Click Virus Detection and select Include All Files, Include Files, or Exclude Files to detect viruses. These rules are mutually exclusive and only one of them takes effect at a time.
Enable the Virus Detection During Restoration feature. Cloud Backup detects viruses on all files to be restored during restoration.
NoteCloud Backup directly restores the files that are detected as secure files.
Cloud Backup does not restore the files that are detected to be infected by viruses.
We recommend that you go to the Virus Detection tab to view the at-risk files and find a secure version for restoration.
In the Select Source step, select the backup vault and the client from which the backup point is to be detected. Click Next.
In the Select Backup step, select the backup point to detect. Click Next.
In the Select File to Detect step, select Include All Files, Include Files, or Exclude Files. (These rules are mutually exclusive and only one of them takes effect at a time.) Click OK.
Find Secure Version for Restoration
On the Virus Detection tab, click Find Secure Version for Restoration in the Actions column of the ECS instance.
In the Select Files to Search for Secure Versions step, select the secure versions of backup points for the at-risk files and click Next.
In the Select Backup Points to Search for Secure Versions step, select backup points to search for secure ones where the files are not infected by viruses. Then, click Search.
After the restore job is created, view the status of the secure version in the Status column on the Restore Jobs tab.
If Secure version unavailable is displayed, replace proper backup points to search for a secure version.
If Secure version available is displayed, choose More > Use Secure Version for Restoration in the Actions column of the ECS instance. For more information, see Use Secure Version for Restoration.
Use Secure Version for Restoration
Choose More > Use Secure Version for Restoration in the Actions column of the ECS instance.
In the Select Backup step, select a backup point that has a secure version. Click Next.
In the Select Restore Items step, click Next.
In the Restore Destination step, select a destination and click Next.
In the Destination Path step, select Specify Path or Origin Path for restoration. Then, click Start to Restore.
On the Restore Jobs tab, view the status of the restore job. If the status is displayed as Completed, the restoration is successful.
Virus detection status at backup points
If Cloud Backup detects that a virus-infected file exists at a backup point, Cloud Backup marks the backup point as risky. When you browse backup points, you can view the risks of backup files at the backup points.
To restore data at a backup point that already contains a virus-infected file, you can select one of the following options:
Do not restore the virus-infected files (You can find secure versions on the Virus Detection tab.)
I am aware of the risks and still want to restore all the selected items
We recommend that you go to the Virus Detection tab to view the at-risk files and find a secure version for restoration. For more information, see Find Secure Version for Restoration.
Detection results
On the Virus Detection tab, you can view the statistics of all backup points that have been detected for viruses, including:
Total Number of Backup Points Detected: the total number of backup points that have been detected.
Total Detected Files: the total number of files or objects that have been detected. You are charged for using the backup point virus detection feature based on this number.
High Risk: the total number of high-risk files or objects that have been detected.
Medium Risk: the total number of medium-risk files or objects that have been detected.
Low Risk: the total number of low-risk files or objects that have been detected.
Secure: the total number of secure files or objects that have been detected.
In addition, for each backup point, you can view not only the statistics of all historical detection results, but also the details of at-risk files.
Number of Files Detected: the total number of files or objects detected at the backup point.
Total Files: the total number of files or objects that are planned to be detected at the backup point.
Detection Result: the specific statistics of the detected files, including:
High Risk: the total number of high-risk files or objects that have been detected at the backup point.
Medium Risk: the total number of medium-risk files or objects that have been detected at the backup point.
Low Risk: the total number of low-risk objects or objects that have been detected at the backup point.
Secure: the total number of secure files or objects that have been detected at the backup point.
Number of Files That Cannot Be Detected: the number of files or objects that cannot be detected due to the limits of the feature, such as the limit on file size.
Related operations
On the Virus Detection tab, you can choose More in the Actions column and select the following operations.
Operation | Description |
Download List of Virus Files | You can export the list of detected virus-infected files as a file to your local computer. The exported file contains the path of each virus-infected file, MD5 hash value, risk level, and virus name. |
Download List of Files That Cannot Be Detected | If the size of a single backup file exceeds 100 MB, the detection is skipped. In this case, you can download the list of files that cannot be detected to view the specific backup file information. |
Forcibly Restore Current Version | If you forcibly restore an at-risk file, risks may be imposed to the object to be restored. Proceed with caution. |
Fees
You are charged for using the backup point virus detection feature based on Total Detected Files. You are charged for both policy-based automatic detection and manual detection based on the number of files that are successfully detected. Files that fail to be detected are not billed.
Policy-based automatic detection applies only to new and changed files. Manual detection is independently performed at each backup point. Total Detected Files is the sum of automatically and manually detected files. For more information about billing rules, see How it works. For more information about the billing, see Pricing.
