Overview

After the restore job is complete for the Sandbox virtual machine, with the Malicious File Scan feature, you can scan the data for malicious files and pre-defined file hashes. This ensures the restored data is clean and devoid of viruses and malware. You can scan the data irrespective of the restore location. 

When Malicious File Scan is enabled, you will see the Malicious File Scan section in the Sandbox Recovery > Settings window on the Hybrid Workloads page.

For Sandbox VM file scan, toggle the button to enable the scan from the Sandbox Recovery > Settings page.  

Select the Delete Malicious Files checkbox if you want to automatically delete the detected malicious files identified during Malicious File Scan.

Note: In case of scan job failure with the Delete Malicious Files setting already selected, some malicious file(s) will get deleted as part of the scan.

For more information about VMware Sandbox Recovery, see Restore virtual machines using sandbox. 

The virtual machine is scanned after restore completion, hence the overall job time increases. You can view the progress of the scan job from the Jobs page. There is an option to cancel the scan job if you feel it’s taking longer than you expected and restoring the files is urgent. 

On the restore Jobs page for a virtual machine, the  sign is present beside every restore job that has malicious file scan enabled. To learn more about what each scan status icon displayed on the Sandbox VM signifies, see Scan status for sandbox recovery job.

Support matrix for Sandbox Recovery

The following are the supported Windows versions for Sandbox Recovery:

• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019
• Windows Server 2022
• Windows Server 2008R2

Note: For Malicious File Scan support for Windows Server 2008R2, ensure that the prerequisites are met.

The following are the supported Linux versions for Sandbox Recovery:

• Red Hat Enterprise Linux (RHEL) 7.0 , 7.1, 7.2, 7.3, 7.4, 7.5
• CentOS 7.0 , 7.1, 7.2, 7.3, 7.4, 7.5
• Ubuntu 14.04,16.04
• SUSE Linux Enterprise Server 12, 12 SP 3
• VMware Photon OS Version 4

Monitor Sandbox Recovery scan jobs

You can monitor the status of sandbox recovery scan jobs via alerts and audit trails.

Alerts

After the file scan job is complete, a warning alert is generated and an email is sent to subscribed administrators in case malicious files are encountered during a scan. You can view the alert details from the Alerts page.

Audit Trails

You can filter and view the details of the file scan job activities from the Audit Trails > Filters > Activity Type.

 

You can view details for the following Malicious File Scan activity types:

• Job created: The detailed status of the sandbox recovery scan job created
• Job Cancelled: The detailed status of the canceled sandbox recovery scan job 
• Downloaded job report - The detailed report of the scan job to view details of the scan job

You may encounter the following errors related to anti-virus scan skip for files.

Error	Reason
WARNING: Can't open file- Permission denied	This error is observed in the following scenarios: File does not have read permissions File is located at an inaccessible location
Empty file	The file has no data to scan.
WARNING:- Can't access file	The file size is greater than the set file size limit for the file scan to run.
Linux specific errors
Not supported file type (Observed for linux)	The file type is not supported for anti-virus scan.
Excluded (/proc) (Observed for linux) Permission denied (Observed for linux) Can't read file ERROR (Observed for linux) Can't get file status	Access to the file is denied due to a lack of required permissions.

​​​​​To view activity details for a specific administrator, select the administrator and click View Details. The Activity Details page with file scan activity information is displayed.

For more information about VMware Sandbox Recovery, see Restore virtual machines using sandbox.

 

►Here is a quick preview of Sandbox Recovery.