https://github.com/nextronsystems/veeam-integration
Integration of THOR into Veeam Backup & Replication
- Host: GitHub
- URL: https://github.com/nextronsystems/veeam-integration
- Owner: NextronSystems
- Created: 2025-09-25T14:29:19.000Z (9 months ago)
- Default Branch: master
- Last Pushed: 2025-09-26T09:27:39.000Z (9 months ago)
- Last Synced: 2025-10-13T08:48:47.103Z (8 months ago)
- Size: 575 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Integration of THOR into Veeam Backup & Replication
This guide explains how to integrate the Nextron THOR forensic scanner into Veeam Backup & Replication in order to scan restore points for attacker artefacts and anomalies.
## Prerequisites
- Veeam Backup & Replication installed
- THOR scanner with a valid license file (Lab License required for full functionality)
## Step 1 – Place THOR
Extract the THOR scanner into the following directory:
```
C:\Program Files\THOR
```
Make sure the license file is located in the same directory.

## Step 2 – Adjust Veeam Mount Services
Navigate to:
```
C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service
```
Open the file:
```
AntivirusInfos.xml
```
Edit the listing of the antivirus software and add the following entry for THOR.

See Veeam's [official documentation](https://www.veeam.com/kb3132) for more information on this file.
Depending on your use case, you can choose between two configurations:
### Option A – Intensive Scan (for Incident Response)
This configuration is designed for maximum coverage and speed, for example when verifying backups during an active incident response.
- Uses almost all CPU cores (`--threads -2`, leaves 2 free)
- Scans **all files** without limitation
- Ignores memory pressure (`--norescontrol`), does not stop when free RAM is low
```xml
...
0
1
```
### Option B – Gentle Scan (for Preventive Scanning)
This configuration is optimized for continuous or scheduled preventive scans of backups, where system impact must be minimized.
- Uses only **one CPU thread**
- Respects system resources (resource control active, scan stops before memory swapping)
- Scans only relevant file types (not every single file)
```xml
...
0
1
```
**Recommendation:**
- Use **Intensive Scan** during **incident response** or when time-to-result matters most.
- Use **Gentle Scan** for **preventive, regular scanning** of backups, where stability of the backup server is more important than scanning speed.
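
A hand-edited `AntivirusInfos.xml` is easy to break, so the following PowerShell check can be run after Steps 1 and 2 and before switching Veeam over in Step 3. It is an added example, not part of the original README or of Nextron's or Veeam's tooling; the element and attribute names (`AntivirusInfo`, `Name`, `ExecutableFilePath`, `CommandLineParameters`, `ExitCode`) and the `.lic` license extension are assumptions based on the layout of Veeam's stock entries.

```powershell
# Added example, not part of the original README. Assumed (not shown on this page):
# <AntivirusInfo> elements with Name, ExecutableFilePath and CommandLineParameters
# attributes plus <ExitCode> children; THOR license file ends in .lic.
function Test-ThorAntivirusEntry {
    param(
        [string]$ConfigPath = 'C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\AntivirusInfos.xml',
        [string]$ThorDir    = 'C:\Program Files\THOR'
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # A manual edit that leaves the file malformed affects every scanner entry in it.
    try { $doc = [xml](Get-Content -LiteralPath $ConfigPath -Raw -ErrorAction Stop) }
    catch { $problems.Add("Cannot parse '$ConfigPath': $($_.Exception.Message)"); return $problems }

    $entries = @($doc.SelectNodes('//AntivirusInfo') |
        Where-Object { $_.GetAttribute('Name') -match 'THOR' })
    if ($entries.Count -ne 1) {
        $problems.Add("Expected exactly one THOR entry, found $($entries.Count)")
        return $problems
    }
    $entry = $entries[0]

    # The configured binary must exist and live in the directory from Step 1.
    $exe  = [Environment]::ExpandEnvironmentVariables($entry.GetAttribute('ExecutableFilePath'))
    $root = $ThorDir.TrimEnd('\') + '\'
    if (-not $exe -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $problems.Add("Scanner binary not found: '$exe'")
    } elseif (-not $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
        $problems.Add("Scanner binary is outside ${ThorDir}: '$exe'")
    }
    if (-not (Get-ChildItem -LiteralPath $ThorDir -Filter '*.lic' -ErrorAction SilentlyContinue)) {
        $problems.Add("No license file (*.lic) in $ThorDir")
    }

    # Every exit code listed for the entry should be a plain integer.
    $codes = @($entry.SelectNodes('.//ExitCode') | ForEach-Object { $_.InnerText.Trim() })
    if ($codes.Count -eq 0) { $problems.Add('THOR entry defines no exit codes') }
    foreach ($c in $codes) { if ($c -notmatch '^-?\d+$') { $problems.Add("Non-numeric exit code: '$c'") } }

    # Flag named in this README: --norescontrol marks the intensive (Option A) profile.
    if ($entry.GetAttribute('CommandLineParameters') -match '--norescontrol') {
        Write-Warning 'Intensive profile active (--norescontrol): not meant for scheduled preventive scans.'
    }
    return $problems
}

$result = Test-ThorAntivirusEntry
if ($result) { $result | ForEach-Object { Write-Error $_ } } else { 'AntivirusInfos.xml: THOR entry looks consistent.' }
```

Keeping a copy of the unmodified `AntivirusInfos.xml` before editing makes it easy to roll back if the check reports a parse error.
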
## Step 3 – Change Veeam Configuration
In the Veeam Console:
1. Go to **Menu → Inventory → Settings** (top left).
2. Select the **Signature Detection** tab.
3. Change the setting from `Veeam Threat Hunter Recommended` to `Bring your own antivirus (Slower)`.
4. Confirm with **OK**.

## Step 4 – Start a Backup Scan
In the Veeam Console:
1. Navigate to **Home → Backups → Disks**.
2. Select the desired backup → right-click → **Scan Backup**.
3. In the **Scan Backup** dialog, check `Scan Restore Points with Your Existing Antivirus Software`.
4. Confirm with **OK**.

Veeam will now pass the job to THOR.

## Step 5 – Monitor the Scan
- Veeam hands off the job to **THOR**.
- **THOR** scans the restore points for forensic artefacts.

## Step 6 – Review the Findings
After the scan completes, THOR writes its reports to the output directory as:
- `.txt` (structured report)
- `.html` (for comfortable viewing in the browser)
## Result
With this integration, THOR complements existing antivirus integrations in Veeam by scanning backups for webshells, backdoors, obfuscated scripts, and other attacker artefacts.