Another week, another BTP quirk: Behavioral threat detected (rule: sync.enable_safemode_on_next_reboot) spawned from VEEAM

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Another week, another BTP quirk: Behavioral threat detected (rule: sync.enable_safemode_on_next_reboot) spawned from VEEAM

We are observing VEEAM VeeamTransportSvc.exe being blocked by BTP and, thus, preventing backups from being started.


We are working on a temporary fix excluding path and cgo and the likes but this is the second week in a row that content updates are screwing, this time impacting operations.

 

Already filled a support case.

 

BR

55 REPLIES 55

just open https://knowledgebase.paloaltonetworks.com/

and type VEEAM the first option give you the KB

i got the new CU and that still block my app, i add the CGO for now.

 

Behavioral Threat Protection event on the rule sync.enable_safe... - Knowledge Base - Palo Alto Netw...

L1 Bithead

Yes, I updated to CU650-11590 and Veeam is still blocked.

I think that the VSS is still blocked and the relevant services need a restart as noted in a previous comment.

Yeah thanks, unfortunately the KB is "please do an alert exception" but given the services involved I would not do that.

Well the exception is just for this BTP rule which considering that is from two days ago I do believe is the best solution until they solve this issue on their side.

L1 Bithead

Yes, I've created the exception just for this rule and just applied to those machines backed up by Veeam...

L1 Bithead

Yeah I know but the "Boot in safe mode" abuse is all the rage right now and is actively used in the wild.
PA stated that a CU with the fix has been released so I'll rather wait for it to be acquired by the agents.

L0 Member

Hi,

CU650-11590 doesn't fix it for us 😞

still the same BCD operation

Unfortunately the fix still doesn't work, and I think the risk of not having an up-to-date AD backup is greater 😉

Relevant VEEAM Kb
https://www.veeam.com/kb1697

[....]
Many anti-virus solutions have developed modules that monitor and prevent access to the boot configuration data (BCD). These "boot protection modules" have been observed to prevent Veeam's Application-Aware Processing processing from working with Domain Controllers. During the backup job's Application-Aware Processing step, for Domain Controllers only, the BCD is temporarily modified to enable SafeBoot.
[...]

 

I restarted the server. Still didn't work.

Yesterday before any resolution was provided, I observed restarting the server did nothing but restarting the services did work. Don't ask me why.

L0 Member

FYi : I've uploaded the SUEX file (a json format file to be uploaded in the Policy Global Exceptions/Support Exception) provided by the PAN support, as I need the backups to run this week-end while we wait for PAN to get a proper fix

  • 26081 Views
  • 55 replies
  • 10 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!