anivirusinfos.xml gets replaced after Veeam updates

[BennyDC]

Hi All,

Maybe something for the developers for a next release.
On the location \Program Files\Common Files\Veeam\Backup and Replication\Mount Service
We have the AntivirusInfos.xml file
What is used for malwares scan, antivirus, for SureBackup and etc...
After every upgrade this file get replaced.
First off all this one contains the simple basic Antivirus solutions like defender, symantec,eset.
There exist this day much more intelligent solutions.
For example we are using Sentinel One. I had to add myself the needed lines in there to have it working.
When this files get's overwritten after every upgrade that's a pain.
If you work in a small environment with only one VBR that's maybe easy to adapt.
So my suggestion please extend this with more recent and decent solutions as feature request.
As solution in between maybe not just overwrite or replace this file but keep a renamed for example as old.
So it can be easy replaced again with a correct working version.

Is anyone else experience this same kind of issue?

Thanks,
Benny

[mkretzer]

Indeed, just replacing the file is not a good idea. We finally got it working with Crowdstrike and forgot to take a backup of the file (and since the backup server itself is the only system that is not backed up by Veeam thats bad).

[Mildur]

Hi Benny

It's possible that the file gets overwritten. We can discuss enhancements for the upgrade process.

For example we are using Sentinel One. I had to add myself the needed lines in there to have it working.

Could you maybe share what you have added to the XML file? And are you sure that it was tested successfully? With actual viruses/malware on the machine.
I'm asking because we experienced issues with Sentinel One after initially claiming experimental support. It basically just don't work with Sentinel One.

Best,
Fabian

[rennerstefan]

Indeed I would be very interested to see the XML part for both CrowdStrike as well as SentinelOne as it might speed up QA process for additional default ones. Feel free to post it here or if you want to keep it hidden drop me a private message.
That would be very appreciated.
Thanks a lot

[BennyDC]

of course I could share but I did do that already in a post 3 or 2 years ago

Code: Select all

</AntivirusInfo>
	<!-- SentinelOne -->
	<AntivirusInfo Name='SentinelOne' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\SentinelOne\Sentinel Agent 23.4.4.223\SentinelCtl.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelAgent' ServiceName='SentinelAgent' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>1639</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>

[rennerstefan]

Thanks for re-sharing it. I knew the old post, just wasn't sure if your use still the same code. Will discuss with Sentinel if this can be supported.
Thanks

[BennyDC]

Thanks Stefan
I know is far from perfect actually the exist code 1639 I'm sure
and this command does run it for me.
But how decent it scans I don't know. Would be great if we would get this standard fixed.
What I also do feel a pain every time S1 upgrades the changes the foldername to the different version name
This can be maybe for security so it can be more difficult to find but that means each time there is an update I also need to change the foldername in the xml.
How S1 overall preforms at this moment I have no complains about that

Thanks

[andre.simard]

Indeed, just replacing the file is not a good idea. We finally got it working with Crowdstrike and forgot to take a backup of the file (and since the backup server itself is the only system that is not backed up by Veeam thats bad).

I would really be interested in having the solution for Crowdstrike also.

Thank you!

[mkretzer]

I'll try to get get the configuration working again....

[BennyDC]

Has in the meanwhile someone else who is using Sentinel One tried the codes I used and maybe even modified them?