Another week, another BTP quirk: Behavioral threat detected (rule: sync.enable_safemode_on_next_reboot) spawned from VEEAM

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Another week, another BTP quirk: Behavioral threat detected (rule: sync.enable_safemode_on_next_reboot) spawned from VEEAM

We are observing VEEAM VeeamTransportSvc.exe being blocked by BTP and, thus, preventing backups from being started.


We are working on a temporary fix excluding path and cgo and the likes but this is the second week in a row that content updates are screwing, this time impacting operations.

 

Already filled a support case.

 

BR

55 REPLIES 55

Our observed CGO

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe -k netsvcs
C:\\Program Files (x86)\\Veeam\\Backup Transport\\VeeamTransportSvc.exe\""

 

All trying to modify a specific reg key:

 

key_name": "bcd00000000\\objects\\{d80ed0e8-d6da-11e7-b27f-ab3a45175c5d}\\elements\\25000080"

"value": "base64: AgAAAAAAAAA="

AgAAAAAAAA= it's a NULL sledge , effectively impeding the boot in safe mode.
(valid values are: 0 = Minimal 1 = Network 2 = DsRepair)

 

 

 

L1 Bithead

We need to get this solved, it's blocking the jobs that use application aware. Identical error to yours, i'm just not sure how to make an exception to stop veeam from blocking it. first time i've had to make an exception in cortex xdr.

L1 Bithead

We are also seeing this problem all domain controllers this morning. I may whitelist and wait for a response from PA on whether a new content update will allow me to undo a whitelist entry.

Our Veeam backups on our DCs are also broken as of this morning.  The only way I see to whitelist this is by adding the hash for SVCHOST.exe... seems too risky at this point in time.  I'll create a support ticket as well, but please do post your responses from support. 

L0 Member

Same issue for me this morning.  Had weird errors I'd never seen in the Veeam backup reports and I am glad to see this thread.  Hopefully a new BTP update will release today to resolve.  We obviously can't whitlelist svchost.exe.  I opened a ticket just now and will reply with the response.

Hello everyone,

 

We have received a number of TAC cases regarding this issue and our engineering team is aware and working to address.

L1 Bithead

It does only appear to be affecting application aware backups

L1 Bithead

We have a support case currently opened with Palo for this issue and their suggestion was to whitelist this activity, but we have done that and just tried to kick off backups of our Domain Controllers and it is failing now. Seems that the registry and BCD editing that XDR blocked that VEEAM was trying to make yesterday evening, isn't something that VEEAM writes again (or just assumes that the changes took when XDR prevented them from happening) upon re-try of the backup jobs?

L1 Bithead

I saw the same behavior this morning. I didn't realize at the time that Cortex was catching it, so I was troubleshooting otherwise. I ended up re-registering VSS components twice and that seemed to resolve my issues.

L0 Member

we have the same problem... i waiting for response for support pls! 

Are the VSS components you are talking about, this: https://www.veeam.com/kb2041 ?

Here's one script that I ran:
net stop "System Event Notification Service" /y
net stop "Background Intelligent Transfer Service" /y
net stop "COM+ Event System" /y
net stop "Microsoft Software Shadow Copy Provider" /y
net stop "Volume Shadow Copy" /y
cd /d %windir%\system32
net stop vss
net stop swprv
regsvr32 /s ATL.DLL
regsvr32 /s comsvcs.DLL
regsvr32 /s credui.DLL
regsvr32 /s CRYPTNET.DLL
regsvr32 /s CRYPTUI.DLL
regsvr32 /s dhcpqec.DLL
regsvr32 /s dssenh.DLL
regsvr32 /s eapqec.DLL
regsvr32 /s esscli.DLL
regsvr32 /s FastProx.DLL
regsvr32 /s FirewallAPI.DLL
regsvr32 /s kmsvc.DLL
regsvr32 /s lsmproxy.DLL
regsvr32 /s MSCTF.DLL
regsvr32 /s msi.DLL
regsvr32 /s msxml3.DLL
regsvr32 /s ncprov.DLL
regsvr32 /s ole32.DLL
regsvr32 /s OLEACC.DLL
regsvr32 /s OLEAUT32.DLL
regsvr32 /s PROPSYS.DLL
regsvr32 /s QAgent.DLL
regsvr32 /s qagentrt.DLL
regsvr32 /s QUtil.DLL
regsvr32 /s raschap.DLL
regsvr32 /s RASQEC.DLL
regsvr32 /s rastls.DLL
regsvr32 /s repdrvfs.DLL
regsvr32 /s RPCRT4.DLL
regsvr32 /s rsaenh.DLL
regsvr32 /s SHELL32.DLL
regsvr32 /s shsvcs.DLL
regsvr32 /s /i swprv.DLL
regsvr32 /s tschannel.DLL
regsvr32 /s USERENV.DLL
regsvr32 /s vss_ps.DLL
regsvr32 /s wbemcons.DLL
regsvr32 /s wbemcore.DLL
regsvr32 /s wbemess.DLL
regsvr32 /s wbemsvc.DLL
regsvr32 /s WINHTTP.DLL
regsvr32 /s WINTRUST.DLL
regsvr32 /s wmiprvsd.DLL
regsvr32 /s wmisvc.DLL
regsvr32 /s wmiutils.DLL
regsvr32 /s wuaueng.DLL
sfc /SCANFILE=%windir%\system32\catsrv.DLL
sfc /SCANFILE=%windir%\system32\catsrvut.DLL
sfc /SCANFILE=%windir%\system32\CLBCatQ.DLL
net start "COM+ Event System"

 

And here is the other:

cd /d %windir%\system32
net stop vss
net stop swprv
regsvr32 /s ole32.dll
regsvr32 /s oleaut32.dll
regsvr32 /s vss_ps.dll
vssvc /register
regsvr32 /s /i swprv.dll
regsvr32 /s /i eventcls.dll
regsvr32 /s es.dll
regsvr32 /s stdprov.dll
regsvr32 /s vssui.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml3.dll
regsvr32 /s msxml4.dll
vssvc /register
net start swprv
net start vss

 

Validate that all necessary services on your DC are running when finished. I had to restart my DHCP server service, which was stopped in the process.

Thank you, J Turner, do all those commands fix this issue then: https://www.veeam.com/kb1697 ?

I can tell you that it fixed my issues, which were identical to what was in the original post. I had 5 events in cortex appear for each server, and veeam jobs were failing until I went through and ran these. Also to note I did update my servers with latest patches as well. 

  • 26683 Views
  • 55 replies
  • 10 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!