Another week, another BTP quirk: Behavioral threat detected (rule: sync.enable_safemode_on_next_reboot) spawned from VEEAM


We are observing VEEAM VeeamTransportSvc.exe being blocked by BTP and, thus, preventing backups from being started.


We are working on a temporary fix excluding path and cgo and the likes, but this is the second week in a row that content updates are screwing things up, this time impacting operations.

Already filed a support case.

BR

Hi,

where is the SUEX?

Run this script as admin, and then you'll be able to retry your backups successfully:
net stop "System Event Notification Service" /y
net start "System Event Notification Service"
net stop "Background Intelligent Transfer Service" /y
net start "Background Intelligent Transfer Service"
net stop "COM+ Event System" /y
net start "COM+ Event System"
net stop "Microsoft Software Shadow Copy Provider" /y
net start "Microsoft Software Shadow Copy Provider"
net stop "Volume Shadow Copy"
net start "Volume Shadow Copy"
net start "System Event Notification Service"
net start "DFS Replication"
net start "DHCP Server"


L0 Member

Has anyone had an issue where several services fail to start after rebooting the DC following this error? Our DC will not start the Windows Event Log, AD Web Services, DHCP Server and a few other dependent services.

L0 Member

Hello,

This has also been happening to our DCs, has there been a fix so far other than the KB article about adding an exclusion in the XDR console?

L0 Member

We are having this issue as well on our physical AD server and Veeam. Looks like content update 650-11758 resolved the issue for us. I just fired off a Veeam backup and I am 6 minutes in and receiving data. Backups were failing after 2 minutes before. 

Content Update 650-11758 has worked for us, but we had to restart services as per this list from @jturner_storm7:

net stop "System Event Notification Service" /y
net start "System Event Notification Service"
net stop "Background Intelligent Transfer Service" /y
net start "Background Intelligent Transfer Service"
net stop "COM+ Event System" /y
net start "COM+ Event System"
net stop "Microsoft Software Shadow Copy Provider" /y
net start "Microsoft Software Shadow Copy Provider"
net stop "Volume Shadow Copy"
net start "Volume Shadow Copy"
net start "System Event Notification Service"
net start "DFS Replication"
net start "DHCP Server"

My colleagues shortened this by restarting "COM+ Event System" and letting that restart all the dependent services.

With the CU and this restart our backups are now working.
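The posted net stop/net start list and the "just restart COM+ Event System" shortcut above do the same thing by hand. The script below is an added example (not from the thread or from any of its posters) that does the shortcut restart and then checks every service named in the thread, so it can double as a post-reboot health check on the DCs that lost Event Log, ADWS and DHCP. Service short names are the standard Windows ones for the display names quoted in the thread; 'VeeamTransportSvc' as the name of the Veeam transport service is an assumption. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: restart COM+ Event System (which takes
# its dependents down and up with it, the shortcut mentioned in the post) and
# then verify that every service from the thread's list is running again.
# Assumption: 'VeeamTransportSvc' is the Veeam transport service name.

$serviceNames = @(
    'EventSystem',        # COM+ Event System
    'SENS',               # System Event Notification Service
    'BITS',               # Background Intelligent Transfer Service
    'swprv',              # Microsoft Software Shadow Copy Provider
    'VSS',                # Volume Shadow Copy
    'EventLog',           # Windows Event Log (named in the DC post)
    'ADWS',               # Active Directory Web Services (DCs only)
    'DFSR',               # DFS Replication (DCs only)
    'DHCPServer',         # DHCP Server (only where the role is installed)
    'VeeamTransportSvc'   # Veeam transport service (assumed name)
)

Write-Host "Services that depend on COM+ Event System and restart with it:"
Get-Service -Name EventSystem -DependentServices |
    Format-Table Name, Status -AutoSize

# -Force stops the dependents first, then brings the whole chain back.
Restart-Service -Name EventSystem -Force -ErrorAction Stop

$results = foreach ($name in $serviceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Role not installed on this host (e.g. DHCP on a member server): not a failure.
        [pscustomobject]@{ Service = $name; Status = 'not installed'; Action = 'skipped' }
        continue
    }
    $action = 'none'
    if ($svc.StartType -eq 'Disabled') {
        $action = 'disabled, left alone'
    }
    elseif ($svc.Status -ne 'Running') {
        try {
            Start-Service -Name $name -ErrorAction Stop
            # Give the SCM up to 30 s to report Running before judging the result.
            $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 30))
            $action = 'started'
        }
        catch {
            $action = "failed: $($_.Exception.Message)"
        }
    }
    $svc.Refresh()
    [pscustomobject]@{ Service = $name; Status = [string]$svc.Status; Action = $action }
}

$results | Format-Table -AutoSize

# Exit non-zero if anything installed and enabled is still not running, so the
# script can be wired into a post-reboot check instead of eyeballing the table.
$broken = $results | Where-Object {
    $_.Status -notin @('Running', 'not installed') -and $_.Action -notlike 'disabled*'
}
if ($broken) { exit 1 }
```

The dependency listing is printed before the restart so you can see exactly which services will bounce on that host; the explicit per-service loop afterwards catches the case from the DC post, where a service that is not in the COM+ dependency chain (DHCP Server, DFS Replication) simply never came back after the reboot.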

L0 Member

Here also the content 650-11758 resolved the issue, in our situation there was no need to restart services after the new content was active to get the Veeam job going again.

L1 Bithead

The Veeam Backups are working again with Content Update 650-11758. (Backups from the VM Servers with Veeam  and Veeam Backup Agent for physical servers)

L1 Bithead

I'm still getting many alerts from

Vulnerable driver 'WinRing0.sys' was loaded to the system - Behavioral threat detected (rule: sync.vulnerable_driver_loaded_WinRing0.sys)

and my CU 650-11758

this is a stupid CU.

I'm also getting this, turns out it's Atera Agent causing the problem for me, and I have not been able to verify if it is a genuine threat or not.

L2 Linker

Is there any possibility to either fine-tune or completely disable this and similar signatures? This signature and "sync.vulnerable_driver_loaded_WinRing0.sys" prevented an update of different HP signed drivers on several systems.
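Before deciding whether the WinRing0 alerts from the two posts above are worth an exclusion, it helps to know which product on the box actually ships the driver. The script below is an added example (not from the thread or from any of its posters) that collects the triage facts for a WinRing0.sys alert on the local host: the kernel driver service that references it, every copy on disk, the signer, the SHA-256 and the processes running from the same directory. It changes nothing. The driver name comes from the alert text quoted in the thread; the search roots are an assumption and should be extended for vendor-specific install paths.

```powershell
# Added example, not from the thread: gather what is needed to triage a
# "vulnerable driver WinRing0.sys loaded" alert on this host. Read-only.
# Assumption: the search roots below cover where agents drop the driver;
# add vendor directories if your tooling installs elsewhere.

$pattern = '*WinRing0*'

Write-Host "== Kernel driver services referencing WinRing0 =="
$driverServices = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like $pattern -or $_.PathName -like $pattern }
$driverServices | Format-Table Name, State, StartMode, PathName -AutoSize

# Turn the service image path (\??\C:\... or quoted) into a plain file path.
$pathsFromServices = $driverServices |
    ForEach-Object { ($_.PathName -replace '^\\\?\?\\', '').Trim('"') } |
    Where-Object { $_ }

# Copies shipped by third-party agents (the thread names Atera and HP tooling).
$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\Temp"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$found = @()
if ($roots) {
    $found = @(Get-ChildItem -Path $roots -Filter 'WinRing0*.sys' -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
}

$files = ($found + @($pathsFromServices)) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique

Write-Host "== Driver files found =="
foreach ($file in $files) {
    $item = Get-Item -LiteralPath $file
    $sig  = Get-AuthenticodeSignature -FilePath $file
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    # Processes running from the same directory usually identify the product
    # that installed the driver (the agent, the monitoring tool, the HP utility).
    $dir = Split-Path -Parent $file
    $owners = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ((Split-Path -Parent $_.Path) -ieq $dir) } |
        Select-Object -ExpandProperty Name -Unique
    [pscustomobject]@{
        Path        = $file
        Company     = $item.VersionInfo.CompanyName
        FileVersion = $item.VersionInfo.FileVersion
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SHA256      = $hash
        Processes   = ($owners -join ', ')
    }
}
```

Compare the SHA-256 with the hash in the XDR alert and with the public loldrivers.io entry for WinRing0. A valid vendor signature on the file only establishes which product shipped it, not that it is safe: the rule fires because the driver itself is known to be vulnerable, regardless of who loaded it. That is why the narrower fix is usually to update or remove the product that bundles the driver, and to scope any exclusion you do add (the KB route mentioned earlier in the thread) to that hash or path rather than switching the signature off for the whole fleet.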
