Skip to main content
Scan virtual machines data after restoring it
Updated over a week ago


❗ Important

  • VMware tools must be installed and running on the destination virtual machines for scanning files for malicious data. For more information, see Restore virtual machines using sandbox.

  • Ensure that there are at least 2 CPUs and 4 GB memory with 1. 4 to 1.5 GB free to run the scan. However, it is recommended to have 8 CPUs and 16 GB memory for a faster scan.

  • We use the clamav-0.105.2 version of ClamAV for malicious file scan check.

After the restore job is complete for the Sandbox virtual machine, with the Malicious File Scan feature , you can scan the data for malicious files and pre-defined file hashes. This ensures the restored data is clean and devoid of viruses and malware. You can scan the data irrespective of the restore location.

When Malicious File Scan is enabled, you will see the Malicious File Scan section in the Sandbox Recovery > Settings window on the Hybrid Workloads page.

Delete_Malicious Files_Sandbox_Prdt doc.png

For Sandbox VM file scan, toggle the button to enable the scan from the Sandbox Recovery > Settings page.

Select the Delete Malicious Files checkbox if you want to automatically delete the detected malicious files identified during Malicious File Scan.

πŸ“ Note
​In case of scan job failure with theDelete Malicious Files setting already selected, some malicious file(s) will get deleted as part of the scan.

For more information about VMware Sandbox Recovery, see Restore virtual machines using sandbox.

❗ Important

You cannot enable or disable Malicious File Scan for Sandbox VM from the Malicious File Scan > Settings tab on the Ransomware Recovery page.

The virtual machine is scanned after restore completion, hence the overall job time increases. You can view the progress of the scan job from the Jobspage. There is an option to cancel the scan job if you feel it’s taking longer than you expected and restoring the files is urgent.

On the restore Jobs page for a virtual machine, the blue sign is present beside every restore job that has malicious file scan enabled. To learn more about what each scan status icon displayed on the Sandbox VM signifies, see Scan status for sandbox recovery job.

❗ Important

Malicious file scan is not supported for files beyond 4 GB in size.

Support matrix for Sandbox Recovery

The following are the supported Windows versions for Sandbox Recovery:

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server 2008R2

πŸ“ Note
​For Malicious File Scan support for Windows Server 2008R2, ensure that the prerequisites are met.

The following are the supported Linux versions for Sandbox Recovery:

  • Red Hat Enterprise Linux (RHEL) 7.0 , 7.1, 7.2, 7.3, 7.4, 7.5

  • CentOS 7.0 , 7.1, 7.2, 7.3, 7.4, 7.5

  • Ubuntu 14.04,16.04

  • SUSE Linux Enterprise Server 12, 12 SP 3

  • VMware Photon OS Version 4

Monitor Sandbox Recovery scan jobs

You can monitor the status of sandbox recovery scan jobs via alerts and audit trails.


After the file scan job is complete, a warning alert is generated and an email is sent to subscribed administrators in case malicious files are encountered during a scan. You can view the alert details from the Alerts page.

Audit Trails

You can filter and view the details of the file scan job activities from the Audit Trails > Filters > Activity Type.


You can view details for the following Malicious File Scan activity types:

  • Job created: The detailed status of the sandbox recovery scan job created

  • Job Cancelled: The detailed status of the canceled sandbox recovery scan job

  • Downloaded job report - The detailed report of the scan job to view details of the scan job

You may encounter the following errors related to anti-virus scan skip for files.



WARNING: Can't open file- Permission denied

This error is observed in the following scenarios:

  • File does not have read permissions

  • File is located at an inaccessible location

Empty file

The file has no data to scan.

WARNING:- Can't access file

The file size is greater than the set file size limit for the file scan to run.

Linux specific errors

Not supported file type (Observed for linux)

The file type is not supported for anti-virus scan.

  • Excluded (/proc) (Observed for linux)

  • Permission denied (Observed for linux)

  • Can't read file ERROR (Observed for linux)

  • Can't get file status

Access to the file is denied due to a lack of required permissions.

​​​​​To view activity details for a specific administrator, select the administrator and click View Details. The Activity Details page with file scan activity information is displayed.

Activity Details_audit trail.png

For more information about VMware Sandbox Recovery, see Restore virtual machines using sandbox.

β–ΊHere is a quick preview of Sandbox Recovery.

Did this answer your question?