{"id":31892248,"url":"https://github.com/nextronsystems/veeam-integration","last_synced_at":"2026-02-16T09:02:59.422Z","repository":{"id":316607714,"uuid":"1064093879","full_name":"NextronSystems/veeam-integration","owner":"NextronSystems","description":"Integration of THOR into Veeam Backup \u0026 Replication","archived":false,"fork":false,"pushed_at":"2025-09-26T09:27:39.000Z","size":589,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-10-13T08:48:47.103Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NextronSystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-25T14:29:19.000Z","updated_at":"2025-09-26T09:27:43.000Z","dependencies_parsed_at":null,"dependency_job_id":"5cb3ef43-2454-4f3e-b188-d47070119456","html_url":"https://github.com/NextronSystems/veeam-integration","commit_stats":null,"previous_names":["nextronsystems/veeam-integration"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/NextronSystems/veeam-integration","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fveeam-integration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fveeam-integration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fveeam-integration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fveeam-integration/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NextronSystems","download_url":"https://codeload.github.com/NextronSystems/veeam-integration/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2Fveeam-integration/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29504684,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-16T08:14:25.707Z","status":"ssl_error","status_checked_at":"2026-02-16T08:14:25.334Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-13T08:47:26.146Z","updated_at":"2026-02-16T09:02:59.418Z","avatar_url":"https://github.com/NextronSystems.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Integration of THOR into Veeam Backup \u0026 Replication\n\nThis guide explains how to integrate the Nextron THOR forensic scanner into Veeam Backup \u0026 Replication in order to scan restore points for attacker artefacts and anomalies.\n## Prerequisites\n\n- Veeam Backup \u0026 Replication installed\n- THOR scanner with valid license file (Lab License required for full functionality)\n\n## Step 1 – Place THOR\n\nExtract the THOR scanner into the following directory:\n\n```\nC:\\Program Files\\THOR\n```\n\nMake sure the license file is located in the same directory.\n\n![THOR Directory](images/pic1.png)\n\n## Step 2 – Adjust Veeam Mount Services\n\nNavigate to:\n\n```\nC:\\Program Files\\Common Files\\Veeam\\Backup and Replication\\Mount Service\n```\n\nOpen the file:\n\n```\nAntivirusInfos.xml\n```\n\nEdit the listing of the antivirus software and add the following entry for THOR.\n\n![Veeam Mount Service Directory](images/pic2.png)\n\nSee Veeam's [official documentation](https://www.veeam.com/kb3132) for more information on this file.\n\nDepending on your use case, you can choose between two configurations:  \n\n### Option A – Intensive Scan (for Incident Response)\n\nThis configuration is designed for maximum coverage and speed, for example when verifying backups during an active incident response.  \n\n- Uses almost all CPU cores (`--threads -2`, leaves 2 free)  \n- Scans **all files** without limitation  \n- Ignores memory pressure (`--norescontrol`), does not stop when free RAM is low  \n\n```xml\n\u003cAntiviruses\u003e\n...\n    \u003c!-- THOR Scanner (Intensive) --\u003e\n    \u003cAntivirusInfo Name='THOR Scanner' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\\Thor\\thor64.exe' CommandLineParameters='-a Filescan --intense --threads -2 --norescontrol --cross-platform --follow-symlinks --nothordb -e %ProgramFiles%\\Thor -p %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='ALERTS:\\s*[1-9]\\d*|WARNINGS:\\s*[1-9]\\d*' IsParallelScanAvailable='false'\u003e\n        \u003cExitCodes\u003e\n            \u003cExitCode Type='Success' Description='Command executed successfully'\u003e0\u003c/ExitCode\u003e\n            \u003cExitCode Type='Infected' Description='A threat was detected on the system'\u003e1\u003c/ExitCode\u003e\n        \u003c/ExitCodes\u003e\n    \u003c/AntivirusInfo\u003e\n\u003c/Antiviruses\u003e\n```\n\n### Option B – Gentle Scan (for Preventive Scanning)\n\nThis configuration is optimized for continuous or scheduled preventive scans of backups, where system impact must be minimized.  \n\n- Uses only **one CPU thread**  \n- Respects system resources (resource control active, scan stops before memory swapping)  \n- Scans only relevant file types (not every single file)  \n\n```xml\n\u003cAntiviruses\u003e\n...\n    \u003c!-- THOR Scanner (Gentle) --\u003e\n    \u003cAntivirusInfo Name='THOR Scanner' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\\Thor\\thor64.exe' CommandLineParameters='-a Filescan --cross-platform --follow-symlinks --nothordb -e %ProgramFiles%\\Thor -p %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='ALERTS:\\s*[1-9]\\d*|WARNINGS:\\s*[1-9]\\d*' IsParallelScanAvailable='false'\u003e\n        \u003cExitCodes\u003e\n            \u003cExitCode Type='Success' Description='Command executed successfully'\u003e0\u003c/ExitCode\u003e\n            \u003cExitCode Type='Infected' Description='A threat was detected on the system'\u003e1\u003c/ExitCode\u003e\n        \u003c/ExitCodes\u003e\n    \u003c/AntivirusInfo\u003e\n\u003c/Antiviruses\u003e\n```\n\n**Recommendation:**\n\n- Use **Intensive Scan** during **incident response** or when time-to-result matters most.  \n- Use **Gentle Scan** for **preventive, regular scanning** of backups, where stability of the backup server is more important than scanning speed.\n\n## Step 3 – Change Veeam Configuration\n\nIn the Veeam Console:\n\n1. Go to **Menu → Inventory → Settings** (top left).\n2. Select the **Signature Detection** tab.\n3. Change the setting from  \n   `Veeam Threat Hunter Recommended`  \n   to  \n   `Bring your own antivirus (Slower)`.\n4. Confirm with **OK**.\n\n![Veeam Settings](images/pic3.png)\n\n## Step 4 – Start a Backup Scan\n\nIn the Veeam Console:\n\n1. Navigate to **Home → Backups → Disks**.\n2. Select the desired backup → right-click → **Scan Backup**.\n3. In the **Scan Backup** dialog, check:  \n   `Scan Restore Points with Your Existing Antivirus Software`.\n4. Confirm with **OK**.\n\nVeeam will now pass the job to THOR.\n\n![Veeam Scan Backup](images/pic4.png)\n\n## Step 5 – Monitor the Scan\n\n- Veeam hands off the job to **THOR**.\n- **THOR** scans the restore points for forensic artefacts.\n\n![Veeam Job Progress](images/pic5.png)\n\n## Step 6 – Review the Findings\n\nTHOR scans the restore points for forensic artefacts.  \nAfter completion, the reports are written to the output directory as:\n\n- `.txt` (structured report)\n- `.html` (for comfortable viewing in the browser)\n\n## Result\n\nWith this integration, THOR complements existing antivirus integrations in Veeam by scanning backups for webshells, backdoors, obfuscated scripts, and other attacker artefacts.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextronsystems%2Fveeam-integration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnextronsystems%2Fveeam-integration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextronsystems%2Fveeam-integration/lists"}