Tuesday, July 1, 2025

Regkey of the month: JULY

It's already the third episode and summer is coming, so we're generous and bring you a combo of 2 interesting regkeys for Veeam Backup and Replication.

VTHScanEmail & VTHScanExclusions

 

In case you didn't know: VTH stands for Veeam's Threat Hunter technology.

Why Your Backups Need a Threat Hunter (and why Veeam Delivers) 

In today’s cyber battleground, relying solely on production environment security is like wearing half a suit of armor. Existing tools might miss stealthy threats, third-party scanners drain budgets and resources, and performance bottlenecks slow critical recoveries. 

Let's look at VTH: a zero-cost, zero-install second opinion embedded directly in Veeam’s SureBackup, Backup Scan, and Secure Restore workflows. No extra licenses needed. No complex deployments. Just pure, surgical malware hunting!

 




But what if you need granular control over what gets scanned? 

That’s where the registry keys VTHScanEmail and VTHScanExclusions come into play.

VTHScanEmail: The Email Scanning Power Switch 

  • Key Path: `HKLM\SOFTWARE\Veeam\Veeam Threat Hunter\`  
  • Value Type: DWORD  
  • Default State: `1` (Enabled)  

 

What does it do?

 When enabled (value `1`), Veeam Threat Hunter will scan:  

  • Plaintext emails (e.g., .EML, .MSG)  
  • Email databases (PST, OST, MBX, DBZ, etc.)  

A Trade-Off: 
 

Scanning complex email structures isn’t lightweight, so expect longer scan times for your restore points, especially with large mailboxes and/or a lot of local files. Think about servers that hold multiple users' OST files. If performance is critical or PST files aren’t a priority, set this key to `0` to disable email scanning.

My personal view:
 

Use this key situationally! Enable it for targeted Secure Restores of mail data, but disable it for broad backup scans where non-email files are the focus.  


 


VTHScanExclusions: Your Performance Safeguard 

  • Key Path: HKLM\SOFTWARE\Veeam\Veeam Threat Hunter\  
  • Value Type: REG_MULTI_SZ (Multi-String)  


This key is Threat Hunter’s "exclusion list": a wildcard-driven filter to skip non-essential paths. Every second counts during malware scans, and excluding bloated folders (like temporary files or archives) can slash scan times dramatically.

How to use this exception list?

One Path Per Line: List exclusions vertically—no commas, no quotes.  
Wildcards Are Your Friend (But Handle With Care):  

  •   *.log → Matches any ".log" file in any directory.  
  •   Backup* → Skips folders and files starting with "Backup" (e.g., `C:\Backup_Old\`).  
  •   \Projects\Temp\* → Ignores everything in "\Projects\Temp\" (but not subfolders like "\Projects\Temp\Archive\").  

Good to know: 

Veeam auto-prepends `*\` to your entry. 

                            "Documents*" becomes `*\Documents*`, thus matching any folder named "Documents".

Drive letters are wildcarded: 

                            "C:\Logs\*"  becomes "*\Logs\*"  

A minimum of 3 characters per entry is required.

Deep path example: "\demo1*\demo2*\*" excludes "\demo123\demo\demo456\application.exe"

So pay attention when using wildcards in the middle of an exclusion string.

A Real-World Example: 

 

Registry entry: 

*.tmp
Temp*
\Archive\*
Windows\Logs\*.bak

  
This set of exclusions will skip temporary files, "Temp"-prefixed items, anything in `\Archive`, and `.bak` logs under the path "Windows\Logs".  
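One way to apply this exclusion list together with VTHScanEmail, as an added example that is not part of the original post and not Veeam code: the function name `Set-VthScanSettings` is hypothetical, and the "effective pattern" preview is only a model of the two normalization rules described above, not Veeam's own matching logic. The key path, value names and value types are the ones given in this post.

```powershell
# Added example. Key path and value names come from this post; the function name is hypothetical.
# Writing under HKLM requires an elevated PowerShell session.
$KeyPath = 'HKLM:\SOFTWARE\Veeam\Veeam Threat Hunter'

function Set-VthScanSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Exclusions,
        [ValidateSet(0, 1)][int]$ScanEmail = 1
    )

    # Enforce the entry rules from the post: one path per entry, no commas, no quotes, minimum 3 characters.
    $clean = foreach ($raw in $Exclusions) {
        $entry = $raw.Trim()
        if ($entry.Length -lt 3)  { throw "Entry '$entry' is shorter than 3 characters." }
        if ($entry -match '[,"]') { throw "Entry '$entry' contains a comma or quote; use one path per line." }
        $entry
    }

    # Preview how each entry widens (assumption: drive letter dropped, then '*\' prepended),
    # so that an overly broad exclusion is noticed before it becomes a scanning blind spot.
    foreach ($entry in $clean) {
        $effective = '*\' + ($entry -replace '^[A-Za-z]:', '').TrimStart('\')
        Write-Host ('{0,-22} -> {1}' -f $entry, $effective)
    }

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Write VTHScanEmail and VTHScanExclusions')) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        # DWORD switch for email scanning (1 = enabled, 0 = disabled)
        New-ItemProperty -Path $KeyPath -Name 'VTHScanEmail' -PropertyType DWord `
            -Value $ScanEmail -Force | Out-Null
        # REG_MULTI_SZ: each array element is stored as one line
        New-ItemProperty -Path $KeyPath -Name 'VTHScanExclusions' -PropertyType MultiString `
            -Value ([string[]]$clean) -Force | Out-Null
        # Read the values back to confirm what is actually stored
        Get-ItemProperty -Path $KeyPath -Name 'VTHScanEmail', 'VTHScanExclusions'
    }
}

# Dry run with the exclusion set from the example above; remove -WhatIf to write the values.
Set-VthScanSettings -Exclusions '*.tmp', 'Temp*', '\Archive\*', 'Windows\Logs\*.bak' -ScanEmail 0 -WhatIf
```

Every entry in this list is a path the scanner will not look at, so review the printed effective patterns and keep the list as narrow as the performance goal allows.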

Why This Matters: 

Veeam Threat Hunter isn’t just another scanner; it’s insurance against "silent backup corruption".

By leveraging these keys:  

  • You avoid scanning gigs of irrelevant email data (VTHScanEmail).  
  • You sidestep performance-killing directories (VTHScanExclusions).    
  • You gain enterprise-grade threat detection without buying new tools.  

Final Checklist:  
 

  • Back up your registry before editing (of course we always do!).
  • Guest file indexing must be enabled in order to scan the individual files.

  • Use Veeam ONE to monitor scan performance trends.  
  • Combine keys: Disable email scans (`VTHScanEmail=0`) & exclude non-critical paths for max speed.  
  • Explore Veeam’s Official Threat Hunter Guide for more information.