-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2022 4:03 pm
- Full Name: Zachary Lee
- Contact:
Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Hello everyone,
I would like to create an antivirus XML configuration file for our company's antivirus program, CrowdStrike Falcon Sensor. I notice that in the Veeam help center, the default configuration file "only" has configurations for Symantec Protection Engine, ESET, Windows Defender, and Kaspersky Security 10. https://helpcenter.veeam.com/docs/backu ... ml?ver=110
We want this so that we can enable the antivirus scan option within our SureBackup jobs.
I approached our IT SecOps team, who then approached our third-party security provider, who then in turn approached CrowdStrike with the request. It turns out that CrowdStrike has not yet supported this/does not know of the solution for any customer.
I opened a Veeam case (05273309) and the support agent informed me that Veeam does not create custom scripts of configuration files. But he suggested that I open a case here on the Veeam forums to see if other users have faced the same thing and have a solution.
Does anyone have experience with creating the antivirus XML configuration file for a non-default antivirus program such as CrowdStrike?
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
When the vendor supports a command line interface for scanning of files and gives back feedback on this, then it is not complicated to write this. It is usually a one-liner for the command and some configuration + text for the UI when virus or no virus found.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
If CrowdStrike is interested to help you with this, let me know here and we can chat about the right contact details. There is even an option to integrate them in one of the next versions if they are willing to help with this.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2022 4:03 pm
- Full Name: Zachary Lee
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Hi Andreas,
Many thanks for your fast response.
I have emailed our IT SecOps team with this information for them to relay to CrowdStrike. Unfortunately in the position I am in, I need to go through them, they need to go through our 3rd-party who then goes to CrowdStrike. In case this thread becomes inactive/disabled before they respond, is there a support engineer that I would be able to email once I get someone from CrowdStrike lined up after working with our internal security guys?
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Just PN me here in the forum.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2022 4:03 pm
- Full Name: Zachary Lee
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Per CrowdStrike support:
"The EDR (Endpoint Detection and Response) solution from CrowdStrike does not work like traditional AV solutions.
Traditional AV products hook the file system via low-level drivers in order to enable the on-access scanning (OAS) of files written to and/or read from storage - interrupting those same writes as part of the process - hence the concern about file contention with other applications and potential data corruption, and thus the need for scanning exclusions in such products.
CrowdStrike on the other hand doesn’t scan files at rest. Instead it looks at executing processes for malicious activities."
Our company will be trying to integrate Windows Defender in conjunction with CrowdStrike as the next measure for trying to implement this feature within SureBackup.
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
-
- Lurker
- Posts: 1
- Liked: never
- Joined: May 02, 2023 7:18 pm
- Full Name: Jeremiah Zeigler
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
I would be very interested if you have been able to make Crowdstrike work with Surebackups or if you have figured out how to make Microsoft Defender work in conjunction with Crowdstrike. Would you mind informing me on how you were able to make this happen?
-
- Novice
- Posts: 8
- Liked: never
- Joined: Feb 14, 2022 4:03 pm
- Full Name: Zachary Lee
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Hi JZeigler,
In our case, as long as Windows Defender is enabled on the backup server + mount server, then Veeam will know to use Windows Defender with the default settings. We did not find a way to make CrowdStrike work with SureBackup.
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Hi JZeigler,
zacharylee wrote: ↑Feb 24, 2022 8:56 pm "CrowdStrike on the other hand doesn’t scan files at rest. Instead it looks at executing processes for malicious activities."
This is the correct answer. To get a scanner to work with SecureRestore and SureBackup, they would need to have a CLI-based scan engine available, which some of the new ones don't have anymore, as they don't scan files but monitor the process execution.
With that, Crowdstrike can't work today with SecureRestore.
Thanks
Stefan Renner
Veeam PMA
-
- Novice
- Posts: 4
- Liked: 1 time
- Joined: Mar 25, 2019 6:00 pm
- Full Name: Steve Mannix
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Hello,
CrowdStrike now has a CLI scanner CSScanCLI.exe, but they have you rerun the command with a --status command and optional status ID (no ID returns all scan results).
They did say that the results are sent to their console.
Is there a way to get Veeam to run the status command afterward and report the results?
Thanks
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Hi
Thanks for the update on CSScanCLI.exe.
No, currently there is no way to re-check a status with a second command after the initial scan has started.
I’ll take your feedback into some discussions.
Thanks
Stefan Renner
Veeam PMA
-
- Novice
- Posts: 3
- Liked: never
- Joined: Mar 11, 2024 4:19 am
- Full Name: Daniel Hernández
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Hello Stefan.
Hey is there an update regarding your latest comment?
Thanks.
-
- Veeam Software
- Posts: 688
- Liked: 150 times
- Joined: Jan 22, 2015 2:39 pm
- Full Name: Stefan Renner
- Location: Germany
- Contact:
Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor
Hi Daniel,
No update as of today.
But we are regularly reviewing additional vendors to potentially add to the default XML.
Will update here once there is news.
Stefan Renner
Veeam PMA