This guide explains how to integrate the Nextron THOR forensic scanner into Veeam Backup & Replication in order to scan restore points for attacker artefacts and anomalies.
- Veeam Backup & Replication installed
- THOR scanner with valid license file (Lab License required for full functionality)
Extract the THOR scanner into the following directory:
C:\Program Files\THOR
Make sure the license file is located in the same directory.
Navigate to:
C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service
Open the file:
AntivirusInfos.xml
Edit the listing of the antivirus software and add the following entry for THOR.
See Veeam's official documentation for more information on this file.
Depending on your use case, you can choose between two configurations:
This configuration is designed for maximum coverage and speed, for example when verifying backups during an active incident response.
- Uses almost all CPU cores (
--threads -2, leaves 2 free) - Scans all files without limitation
- Ignores memory pressure (
--norescontrol), does not stop when free RAM is low
<Antiviruses>
...
<!-- THOR Scanner (Intensive) -->
<AntivirusInfo Name='THOR Scanner' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\Thor\thor64.exe' CommandLineParameters='-a Filescan --intense --threads -2 --norescontrol --cross-platform --follow-symlinks --nothordb -e %ProgramFiles%\Thor -p %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='ALERTS:\s*[1-9]\d*|WARNINGS:\s*[1-9]\d*' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type='Success' Description='Command executed successfully'>0</ExitCode>
<ExitCode Type='Infected' Description='A threat was detected on the system'>1</ExitCode>
</ExitCodes>
</AntivirusInfo>
</Antiviruses>This configuration is optimized for continuous or scheduled preventive scans of backups, where system impact must be minimized.
- Uses only one CPU thread
- Respects system resources (resource control active, scan stops before memory swapping)
- Scans only relevant file types (not every single file)
<Antiviruses>
...
<!-- THOR Scanner (Gentle) -->
<AntivirusInfo Name='THOR Scanner' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\Thor\thor64.exe' CommandLineParameters='-a Filescan --cross-platform --follow-symlinks --nothordb -e %ProgramFiles%\Thor -p %Path%' RegPath='' ServiceName='' ThreatExistsRegEx='ALERTS:\s*[1-9]\d*|WARNINGS:\s*[1-9]\d*' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type='Success' Description='Command executed successfully'>0</ExitCode>
<ExitCode Type='Infected' Description='A threat was detected on the system'>1</ExitCode>
</ExitCodes>
</AntivirusInfo>
</Antiviruses>Recommendation:
- Use Intensive Scan during incident response or when time-to-result matters most.
- Use Gentle Scan for preventive, regular scanning of backups, where stability of the backup server is more important than scanning speed.
In the Veeam Console:
- Go to Menu → Inventory → Settings (top left).
- Select the Signature Detection tab.
- Change the setting from
Veeam Threat Hunter Recommended
to
Bring your own antivirus (Slower). - Confirm with OK.
In the Veeam Console:
- Navigate to Home → Backups → Disks.
- Select the desired backup → right-click → Scan Backup.
- In the Scan Backup dialog, check:
Scan Restore Points with Your Existing Antivirus Software. - Confirm with OK.
Veeam will now pass the job to THOR.
- Veeam hands off the job to THOR.
- THOR scans the restore points for forensic artefacts.
THOR scans the restore points for forensic artefacts.
After completion, the reports are written to the output directory as:
.txt(structured report).html(for comfortable viewing in the browser)
With this integration, THOR complements existing antivirus integrations in Veeam by scanning backups for webshells, backdoors, obfuscated scripts, and other attacker artefacts.