Skip to main content

How can we help you?

Druva Documentation

Scan virtual machines data after restoring it

 This feature is under early access and is available for limited customers.


  •  VMware tools must be installed and running on the destination virtual machines for scanning files for malicious data. For more information, see Restore virtual machines using sandbox.
  • Ensure that there are at least 2 CPUs and 4 GB memory with 1. 4 to 1.5 GB free to run the scan. However, it is recommended to have 8 CPUs and 16 GB memory for a faster scan.

After the restore job is complete for the Sandbox virtual machine, with the Malicious File Scan feature, you can scan the data for malicious files and pre-defined file hashes. This ensures the restored data is clean and devoid of viruses and malware. You can scan the data irrespective of the restore location. 

When Malicious File Scan is enabled, you will see the Malicious File Scan section in the Sandbox Recovery > Settings window on the Hybrid Workloads page.


For Sandbox VM file scan, toggle the button to enable the scan from the Sandbox Recovery > Settings page.  For more information about VMware Sandbox Recovery, see Restore virtual machines using sandbox

 You cannot enable or disable Malicious File Scan for Sandbox VM from the Malicious File Scan  > Settings tab on the Ransomware Recovery page.

However, the time taken to restore the data increases when the scan is enabled. You can view the progress of the scan job from the Jobs page. There is an option to cancel the scan job if you feel it’s taking longer than you expected and restoring the files is urgent. 

On the restore Jobs page for a virtual machine, the vector2.png sign is present beside every restore job that has malicious file scan enabled. To learn more about what each scan status icon displayed on the Sandbox VM signifies, see Scan status for sandbox recovery job.

Malicious file scan is not supported for files beyond 4 GB in size. 

Monitor file scan jobs

You can monitor the status of file scan jobs via alerts and audit trails.


After the file scan job is complete, a warning alert is generated and an email is sent to subscribed administrators in case malicious files are encountered during a scan. You can view the alert details from the Alerts page.

Audit Trails

You can filter and view the details of the file scan job activities from the Audit Trails > Filters > Activity Type.


You can view details for the following Malicious File Scan activity types:

  • Job created: The detailed status of the file scan job created
  • Job Cancelled: The detailed status of the canceled file scan job 
  • Downloaded job report - The status of the downloaded job report for the malicious file scan

To view activity details for a specific administrator, select the administrator and click View Details. The Activity Details page with file scan activity information is displayed.

Activity Details_audit trail.png

For more information about VMware Sandbox Recovery, see Restore virtual machines using sandbox.

  • Was this article helpful?