08-17-2022 12:44 AM
We are observing VEEAM VeeamTransportSvc.exe being blocked by BTP and, thus, preventing backups from being started.
We are working on a temporary fix excluding path and cgo and the likes but this is the second week in a row that content updates are screwing, this time impacting operations.
Already filed a support case.
BR
08-17-2022 02:07 AM - edited 08-17-2022 02:14 AM
Our observed CGO
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe -k netsvcs
"C:\Program Files (x86)\Veeam\Backup Transport\VeeamTransportSvc.exe"
All trying to modify a specific reg key:
"key_name": "bcd00000000\\objects\\{d80ed0e8-d6da-11e7-b27f-ab3a45175c5d}\\elements\\25000080"
"value": "base64: AgAAAAAAAAA="
AgAAAAAAAAA= it's a NULL sledge, effectively impeding the boot in safe mode.
(valid values are: 0 = Minimal 1 = Network 2 = DsRepair)
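Decoding the alert fields quoted in the post above, as an added example that is not part of the original post or of any vendor tooling: it parses the BCD element ID out of the key name and turns the base64 payload into the value actually being written. The function name `decode_bcd_write`, the 8-byte little-endian integer layout, and the reading of element 25000080 as the safe-boot setting (implied by the post's value list) are assumptions.

```python
import base64
import re

# BCD element type layout (Microsoft BcdElementType): bits 28-31 = class,
# bits 24-27 = value format, low 24 bits = sub-type.
FORMATS = {1: "device", 2: "string", 3: "object", 4: "object-list",
           5: "integer", 6: "boolean", 7: "integer-list"}
# Value names exactly as listed in the post.
SAFEBOOT = {0: "Minimal", 1: "Network", 2: "DsRepair"}
SAFEBOOT_ELEMENT = 0x25000080  # assumption: element ID from the alert's key_name

KEY_RE = re.compile(
    r"^bcd00000000\\objects\\(\{[0-9a-f-]{36}\})\\elements\\([0-9a-f]{8})$",
    re.IGNORECASE)

def decode_bcd_write(key_name, value):
    """Describe a blocked BCD registry write from its alert fields."""
    m = KEY_RE.match(key_name)
    if not m:
        raise ValueError("not a BCD element key")
    element = int(m.group(2), 16)
    fmt = FORMATS.get((element >> 24) & 0xF, "unknown")
    if not value.startswith("base64:"):
        raise ValueError("expected a base64-encoded value")
    raw = base64.b64decode(value.split(":", 1)[1].strip(), validate=True)
    result = {"object": m.group(1), "element": f"{element:08x}",
              "format": fmt, "raw_hex": raw.hex()}
    if fmt == "integer":
        if len(raw) != 8:  # assumption: integers are stored as 64-bit values
            raise ValueError("expected an 8-byte integer")
        number = int.from_bytes(raw, "little")
        result["integer"] = number
        if element == SAFEBOOT_ELEMENT:
            result["safeboot"] = SAFEBOOT.get(number, "unrecognised")
    return result

# Fields as quoted in the post, with the JSON escaping removed.
ALERT_KEY = r"bcd00000000\objects\{d80ed0e8-d6da-11e7-b27f-ab3a45175c5d}\elements\25000080"
ALERT_VALUE = "base64: AgAAAAAAAAA="

if __name__ == "__main__":
    for field, val in decode_bcd_write(ALERT_KEY, ALERT_VALUE).items():
        print(f"{field}: {val}")
```
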
08-17-2022 04:35 AM
We need to get this solved, it's blocking the jobs that use application aware. Identical error to yours, I'm just not sure how to make an exception to stop Veeam from blocking it. First time I've had to make an exception in Cortex XDR.
08-17-2022 04:50 AM - edited 08-17-2022 05:11 AM
We are also seeing this problem on all domain controllers this morning. I may whitelist and wait for a response from PA on whether a new content update will allow me to undo a whitelist entry.
08-17-2022 05:56 AM
Our Veeam backups on our DCs are also broken as of this morning. The only way I see to whitelist this is by adding the hash for SVCHOST.exe... seems too risky at this point in time. I'll create a support ticket as well, but please do post your responses from support.
08-17-2022 06:51 AM - edited 08-17-2022 06:51 AM
Same issue for me this morning. Had weird errors I'd never seen in the Veeam backup reports and I am glad to see this thread. Hopefully a new BTP update will release today to resolve. We obviously can't whitelist svchost.exe. I opened a ticket just now and will reply with the response.
08-17-2022 06:53 AM
Hello everyone,
We have received a number of TAC cases regarding this issue and our engineering team is aware and working to address.
08-17-2022 07:10 AM
It does only appear to be affecting application aware backups
08-17-2022 07:40 AM
We have a support case currently opened with Palo for this issue and their suggestion was to whitelist this activity, but we have done that and just tried to kick off backups of our Domain Controllers and it is failing now. Seems that the registry and BCD editing that XDR blocked that VEEAM was trying to make yesterday evening, isn't something that VEEAM writes again (or just assumes that the changes took when XDR prevented them from happening) upon re-try of the backup jobs?
08-17-2022 08:06 AM
I saw the same behavior this morning. I didn't realize at the time that Cortex was catching it, so I was troubleshooting otherwise. I ended up re-registering VSS components twice and that seemed to resolve my issues.
08-17-2022 08:26 AM
We have the same problem... I'm waiting for a response from support, please!
08-17-2022 08:38 AM
Are the VSS components you are talking about, this: https://www.veeam.com/kb2041 ?
08-17-2022 08:42 AM - edited 08-17-2022 08:43 AM
Here's one script that I ran:
net stop "System Event Notification Service" /y
net stop "Background Intelligent Transfer Service" /y
net stop "COM+ Event System" /y
net stop "Microsoft Software Shadow Copy Provider" /y
net stop "Volume Shadow Copy" /y
cd /d %windir%\system32
net stop vss
net stop swprv
regsvr32 /s ATL.DLL
regsvr32 /s comsvcs.DLL
regsvr32 /s credui.DLL
regsvr32 /s CRYPTNET.DLL
regsvr32 /s CRYPTUI.DLL
regsvr32 /s dhcpqec.DLL
regsvr32 /s dssenh.DLL
regsvr32 /s eapqec.DLL
regsvr32 /s esscli.DLL
regsvr32 /s FastProx.DLL
regsvr32 /s FirewallAPI.DLL
regsvr32 /s kmsvc.DLL
regsvr32 /s lsmproxy.DLL
regsvr32 /s MSCTF.DLL
regsvr32 /s msi.DLL
regsvr32 /s msxml3.DLL
regsvr32 /s ncprov.DLL
regsvr32 /s ole32.DLL
regsvr32 /s OLEACC.DLL
regsvr32 /s OLEAUT32.DLL
regsvr32 /s PROPSYS.DLL
regsvr32 /s QAgent.DLL
regsvr32 /s qagentrt.DLL
regsvr32 /s QUtil.DLL
regsvr32 /s raschap.DLL
regsvr32 /s RASQEC.DLL
regsvr32 /s rastls.DLL
regsvr32 /s repdrvfs.DLL
regsvr32 /s RPCRT4.DLL
regsvr32 /s rsaenh.DLL
regsvr32 /s SHELL32.DLL
regsvr32 /s shsvcs.DLL
regsvr32 /s /i swprv.DLL
regsvr32 /s tschannel.DLL
regsvr32 /s USERENV.DLL
regsvr32 /s vss_ps.DLL
regsvr32 /s wbemcons.DLL
regsvr32 /s wbemcore.DLL
regsvr32 /s wbemess.DLL
regsvr32 /s wbemsvc.DLL
regsvr32 /s WINHTTP.DLL
regsvr32 /s WINTRUST.DLL
regsvr32 /s wmiprvsd.DLL
regsvr32 /s wmisvc.DLL
regsvr32 /s wmiutils.DLL
regsvr32 /s wuaueng.DLL
sfc /SCANFILE=%windir%\system32\catsrv.DLL
sfc /SCANFILE=%windir%\system32\catsrvut.DLL
sfc /SCANFILE=%windir%\system32\CLBCatQ.DLL
net start "COM+ Event System"
And here is the other:
cd /d %windir%\system32
net stop vss
net stop swprv
regsvr32 /s ole32.dll
regsvr32 /s oleaut32.dll
regsvr32 /s vss_ps.dll
vssvc /register
regsvr32 /s /i swprv.dll
regsvr32 /s /i eventcls.dll
regsvr32 /s es.dll
regsvr32 /s stdprov.dll
regsvr32 /s vssui.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml3.dll
regsvr32 /s msxml4.dll
vssvc /register
net start swprv
net start vss
Validate that all necessary services on your DC are running when finished. I had to restart my DHCP server service, which was stopped in the process.
08-17-2022 08:50 AM
Thank you, J Turner, do all those commands fix this issue then: https://www.veeam.com/kb1697 ?
08-17-2022 08:58 AM
I can tell you that it fixed my issues, which were identical to what was in the original post. I had 5 events in Cortex appear for each server, and Veeam jobs were failing until I went through and ran these. Also to note, I did update my servers with the latest patches as well.