Virus detection - Cloud Backup - Alibaba Cloud Documentation Center

Restoring infected backup data can re-infect your production environment. To reduce this risk, Cloud Backup provides the Backup Point Virus Detection feature. This topic covers backup point virus detection: scope and limits, how it works, procedures, fees, and usage notes.

Introduction

Cloud Backup periodically backs up your production data. Infected source data is copied into the backup vault, so restoring from an infected backup can re-infect production and delay disaster recovery. The backup point virus detection feature helps you choose clean backup points for restore. It supports:

Automatic detection based on a backup policy: When you create a backup policy, enable the Backup Point Virus Detection feature. Cloud Backup then scans backup data after each scheduled backup. See which files are risky and pick clean ones for restore.
On-demand manual detection: Run a scan when you need it—from backup history, from the virus detection page, or during a restore job.

Backup points where Cloud Backup finds infected files are marked high-risk. When browsing backup points, you see risk details per file.

Supported scope and limits

The Backup Point Virus Detection feature supports ECS file backup (new version), local file backup (new version), OSS backup, Alibaba Cloud NAS backup, and on-premises NAS backup.
The Backup Point Virus Detection feature scans backup files up to 100 MB each. Files over 100 MB are skipped. Download the unscannable-files list to see which ones.
Supported regions: See Features available by region.

Supported virus types

The Backup Point Virus Detection feature of Cloud Backup detects the following virus types.

virus_type	Virus name
Backdoor	Reverse shell
DDoS	DDoS Trojan
Downloader	Downloader trojan
Engtest	Engine test program
Hacktool	Hacking tool
Trojan	High-risk program
Malbaseware	Tainted basic software
MalScript	Malicious script
Malware	Malware
Miner	Mining program
Proxytool	Proxy tool
RansomWare	Ransomware
RiskWare	Riskware
Rootkit	Rootkit
Stealer	Stealer
Scanner	Scanner
Suspicious	Suspicious program
Virus	File-infecting virus
WebShell	Web shell
Worm	Worm
AdWare	Adware
Patcher	Patcher
Gametool	Private server tool

Usage notes

Archive-tier backup points in backup vaults do not support Backup Point Virus Detection.
For backup replication, policy-based automatic detection is not supported on destination backup vaults, and on-demand detection is. If a backup point was already scanned in the source vault, the same result applies to the matching point in the destination vault—no need to scan again. See On-demand manual detection.
After you enable Backup Point Virus Detection in a backup policy, the first backup point gets a full scan. Later backup points get incremental scans.
Virus detection tasks cannot be canceled once they start.

How it works

Virus detection is built into the backup service. No need to deploy extra services or clients to scan backup data.

Automatic detection based on a backup policy

After you enable the Backup Point Virus Detection feature in a backup policy, the backup service scans the backup point after each scheduled backup. Scan time depends on how many files there are.

Scan logic:
- Initial scan: A full virus scan is performed on the first backup point in the backup chain.
- Later scans: For later backup points, an incremental virus scan runs only on new or changed files compared to the previous backup point.
In the diagram above:
- For backup point 1, all 10,000 files are scanned (full scan).
- For backup point 2, only the 2,000 new files and 1,000 changed files are scanned (3,000 incremental files).
- For backup point 3, only the 2,000 changed files are scanned (incremental scan).

On-demand manual detection

Perform on-demand manual detection in one of the following ways:
- In Backup History, select a backup point to perform a manual virus scan.
- In Backup History, select a backup point to create a restore job and enable the Virus Detection During Restoration feature.
- On the Restore Jobs page, select a backup point from a backup vault or a destination backup vault to create a restore job and enable the Virus Detection During Restoration feature.
- On the Virus Detection page, select a backup vault or a backup point in a destination backup vault to perform a manual virus scan.
- On the Virus Detection page, if a backup point is infected, use Find Secure Version for Restoration to scan other backup points and pick a clean version to restore.
Features of on-demand manual detection:
- Each backup point is scanned independently. The scan does not inherit detection results from other backup points in the same backup chain. A backup point may be scanned multiple times.
- If you run multiple on-demand scans on the same backup point, each file is scanned once. Results are merged automatically.
In the diagram above:
- For backup point 1:
  - The /A directory contains 10,000 files, and the /A/B directory contains 4,000 files.
  - The first scan checks only the /A/B directory, scanning 4,000 files.
  - A second scan of /A skips the already-scanned /A/B and scans only the remaining 6,000 files (10,000 - 4,000).
- For backup point 2: A full on-demand scan covers 12,000 files (9,000 + 1,000 + 2,000).
- For backup point 3: A full on-demand scan covers 3,000 files (1,000 + 2,000).

Description of virus detection status for backup points

When a scan finds infected files in a backup point, that backup point is marked high-risk. When browsing backup points, you see which files are high-risk.

When restoring from a backup point that contains infected files, choose one of the following:

Do not restore the virus-infected files (You can find secure versions on the Virus Detection tab.)
I am aware of the risks and still want to restore all the selected items

On the Virus Detection page, view high-risk files and pick a clean version to restore. See Find a secure version to restore.

Detection results

On the Virus Detection page, see statistics for all scanned backup points. Statistics include:

Total Number of Backup Points Detected: Number of backup points scanned.
Total Detected Files: Total number of file scans (cumulative). Billing for virus detection is based on this.
High Risk: Number of high-risk files or objects.
Medium Risk: Number of medium-risk files or objects.
Low Risk: Number of low-risk files or objects.
Secure: Number of files or objects marked safe.

Per backup point, see all past scan stats and details for specific high-risk files.

Number of Files Detected: Number of files or objects scanned for this backup point.

Total Number of Files: Number of files or objects in this backup point.

Detection Result: Breakdown of scanned files by risk level:

High Risk: Count of high-risk files or objects in this backup point.
Medium Risk: Count of medium-risk files or objects in this backup point.
Low Risk: Count of low-risk files or objects in this backup point.
Secure: Count of secure files or objects in this backup point.
Number of unscannable files: Files or objects that were skipped (for example, over the 100 MB limit) for this backup point.

Operation entry points

This section describes how to use the Backup Point Virus Detection feature, using ECS file backup as an example.

Enable virus detection in a backup policy

When you create a backup policy, enable the Backup Point Virus Detection feature. Cloud Backup then automatically scans backup data for viruses after each backup completes.

For creating a backup policy, see Policy Center.

Run on-demand virus detection

In the Backup History section, select a backup point to perform manual virus detection on the backup data.
Click Virus Detection. Choose one of the following rules to scan: Include All Files, Include Files, or Exclude Files. These rules are mutually exclusive. Select only one rule at a time.
In Backup History, select a backup point to create a restore job and enable the Virus Detection During Restoration feature to detect viruses.
After you turn on the Virus Detection During Restoration feature, Cloud Backup scans all files to be restored during the restore. Scan and restore run at the same time.
Note
Clean files are restored as usual.
Infected files are skipped.
On the Virus Detection page, view high-risk files and pick a clean version to restore.
On the Restore Jobs page, click Create Restore Job, select a backup point in a backup vault or a destination backup vault, and enable the Virus Detection During Restoration feature to detect viruses.
On the Virus Detection page, click Backup Point Virus Detection, and select a backup point from a backup vault or a destination backup vault to perform a manual virus scan.
1. On the Select Source tab, select the backup vault and the client to scan. Then, click Next.
2. On the Select Backup tab, select the backup point to scan. Then, click Next.
3. On the Select File to Detect tab, choose one of the following rules to scan: Include All Files, Include Files, or Exclude Files. These rules are mutually exclusive. Select only one rule at a time. Finally, click OK.
On the Virus Detection page, if a backup point is infected, use Find Secure Version for Restoration to scan other backup points and pick a clean version to restore.
Find a secure version to restore
1. On the Virus Detection tab, click Find Secure Version for Restoration in the Actions column of the target ECS instance.
2. On the Select Files to Search for Secure Versions tab, select the high-risk files for which you want to find secure versions. Then, click Next.
3. On the Select Backup Points to Search for Secure Versions tab, choose backup points to search for a clean version to restore (a version with no detected infection). Then click OK.
After a restore job is created, view the status in the Status column on the Restore Jobs tab.
- If the status is Secure version unavailable, select a different backup point to search for a secure version.
- If the status is Secure version available, click ⋮ > Use Secure Version for Restoration in the Actions column of the target ECS instance. See Restore a secure version.
Restore a secure version
1. In the Actions column for the target ECS instance, click ⋮ > Use Secure Version for Restoration.
2. On the Select Backup tab, select a backup point that has a secure version to restore from. Then, click Next.
3. On the Select Restore Items tab, click Next.
4. On the Restore Destination tab, select the restore destination. Then, click Next.
5. On the Destination Path tab, specify a restore path or choose to restore to the original path. Then, click Start to Restore.
6. On the Restore Jobs tab, check the restore job status. When it shows Completed, the restore is done.

Related operations

On the Virus Detection page, click ⋮ in the Actions column to perform the following operations.

Operation	Description
Download List of Virus Files	Export detected virus file results to a local file. The export lists file path, MD5 hash, risk level, and virus name.
Download List of Files That Cannot Be Detected	Files over 100 MB are skipped during scanning. Download the unscannable-files list to see which ones.
Forcibly Restore Current Version	Restoring high-risk files anyway can put the restore destination at risk. Use with caution.

Billing

Virus detection is billable. Billing is based on the Total Detected Files metric and applies to both policy-based automatic scans and on-demand scans. You are charged only for files that are scanned.

Policy-based automatic scans run incrementally on new or changed files only. On-demand scans are per backup point and independent. The Total Detected Files metric is the cumulative count from both automatic and on-demand scans. See How it works for billing rules and Pricing for prices.