Antivirus scanning in Surebackup

[jonathonb]

Hello,

I am working on testing using the Malware scanner in the surebackup program to scan vm backups. I have added the code to the antivirusinfos.xml file but I keep getting an antivirus software was not detected?

Code: Select all

         <AntivirusInfo Name='Trend Micro' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\Trend Micro\Client Server Security Agent\Pccnt.exe' CommandLineParameters='%Path%' RegPath='' 
                  ServiceName='' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>2</ExitCode>
		</ExitCodes>
	</AntivirusInfo>

[Andreas Neufert]

The file need to include
<Antiviruses>
at the beginning and
</Antiviruses>
at the end.

Potentially restart of B&R needed and rescan of the managed server of the Mount Server.
As well please check that the mount server is selected correctly within the Repository and the Antivirus is present there.

[jonathonb]

Yep I only included the snippet of code for the trend section. I rebooted the server and tried it with no change.

I tried to scan using the same command line command and it worked fine.

[Gostev]

Did you put the new file on the mount server? If yes, then please open a support case for further troubleshooting, and note case ID here. Thanks!

[cdlane]

Was this ever resolved? I keep receiving "Error: Antivrus software not detected". How does it "detect" the software, purely by the path in antivirusinfos.xml?

[KLinville]

I have Symantec Endpoint Protection installed on my server but it is also stating that the antivirus was not detected. It is specifically calling out "Symantec Protection Engine" and the registry key and service name that is configured in the XML file do not match what Symantec Endpoint Protection created when it was installed.

I modified the key and service entries to point to the SEP key and service name but it still failed when trying to run the Veeam.Backup.Antivirus.Scan.exe from the command line.

This needs better documentation.

[KLinville]

I believe that I might have worked out a solution... at least for Symantec Endpoint Protection as the scanning agent.

Here is the code that I have in the XML file (compared to what was there by default):

Code: Select all

<AntivirusInfo Name='Symantec' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\Symantec.cloud\AntiVirus\SEPscan.exe' CommandLineParameters='/p:%Path%' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SepMasterService' ServiceName='SepMasterService' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
	</AntivirusInfo>

For me, the error of antivirus not being detected was accurate. The default ExecutableFilePath, RegPath, and ServiceName for Symantec were all incorrect. As best as I can tell, those were for Symantec Protection Engine which is NOT the same product as Symantec Endpoint Protection. Through some trial and error, I was able to locate the correct EXE and Registry/Service information to populate in those fields.

Now my SureBackup job is running and has kicked off an FLR mount to process the antivirus scan. I still have more testing to do before this is my final edit but at the moment it seems to be working as intended.

[KLinville]

I wouldn't normally triple post in a thread like this but my experimentation has proven to bubble up yet more useful information.

The previous code I posted does work but it is doing a full/deep scan of the drive. One of my VMs had been scanning for 21+ hours and was still going. That's not viable in a production environment so I needed to find a method of doing a Quick Scan instead. Symantec has more than a single EXE file to run scans from and I found that using the DoScan.exe file with the /C flag does trigger a Quick Scan and processed that same VM in less than 1 minute.

Here's the code that I used for that configuration (which will likely be how I leave it):

Code: Select all

<AntivirusInfo Name='Symantec' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\Symantec.cloud\EndpointProtectionAgent\DoScan.exe' CommandLineParameters='/ScanDir:%Path% /C' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SepMasterService' ServiceName='SepMasterService' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
	</AntivirusInfo>

[Gostev]

Symantec Protection Engine which is NOT the same product as Symantec Endpoint Protection

That is absolutely correct, these are two completely different products (even architecturally).

[KLinville]

We've now encountered a new issue at the same client. Antivirus has been switched from Symantec Endpoint Protection to Carbon Black Cb Defense and after making the necessary modifications to the Antivirusinfos.xml file to successfully point to the RepCLI.exe file and the CbDefense service... I'm getting an error that states that I do not have authorization to run the command.

I can run the command from the command prompt, manually. It's just from within the SureBackup job when it tells me that I don't have authorization. I received this message at the command line before adding in the AuthenticatedCLIUsers line to the Carbon Black config file so I'm confident that it is just a matter of kicking off the scan from a valid account.

I believe what I need to know now is which of the Veeam services is responsible for running the CLI commands so that I can modify the account that it runs as (most run as local system account) or if there is a way within the XML file of specifying credentials to run as.

[stefanengelmann]

support case id: 04070587

Hi there, i have the same problem with trendmicro xg.
want to use this vor veeam secure restore.
added the configuration to the antivirusinfos.xml on all mount servers and rebooted. but did not work. anyone who uses trendmicro and it works ?

error message: unable to perform malware scan: antivirus software was not detected on the backup repository mount server

<AntivirusInfo Name='Trend Micro' IsPortableSoftware='true' ExecutableFilePath='C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNT.exe' CommandLineParameters='%Path%' RegPath=''
ServiceName='' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
<ExitCode Type='Infected' Description='Virus threat was detected'>2</ExitCode>
</ExitCodes>
</AntivirusInfo>

if not who should i contact ? veeam support or trend micro support ?.

[foggy]

Hi Stefan, I'd check the paths and contact Veeam support for a closer look if everything seems to be correct.

[acatic]

KLinville's tip works; just ensure to use your own doscan.exe file path and not just copy his, as SEP version can be different.

[cedwards_BREMCO]

We've now encountered a new issue at the same client. Antivirus has been switched from Symantec Endpoint Protection to Carbon Black Cb Defense and after making the necessary modifications to the Antivirusinfos.xml file to successfully point to the RepCLI.exe file and the CbDefense service... I'm getting an error that states that I do not have authorization to run the command.

I can run the command from the command prompt, manually. It's just from within the SureBackup job when it tells me that I don't have authorization. I received this message at the command line before adding in the AuthenticatedCLIUsers line to the Carbon Black config file so I'm confident that it is just a matter of kicking off the scan from a valid account.

I believe what I need to know now is which of the Veeam services is responsible for running the CLI commands so that I can modify the account that it runs as (most run as local system account) or if there is a way within the XML file of specifying credentials to run as.

KLinville, did you ever get this working with CB Defense? I think I've got all the settings correct, but I'm not sure what to put for ThreatExistsRegEx.

Thanks

[cedwards_BREMCO]

Here are the settings Carbon Black support gave me to try:

Please be informed that we don’t claim to have this integration with Veeam and never tested the steps from their KB article with our product so we don’t have exact values to use. However we suggest the following values for the XML file provided in Veeam’s article and hoping this will help.

AntivirusInfo Name - CB Defense
IsPortableSoftware - false (not portable)
ExecutableFilePath - C:\Program Files\Confer\RepMgr.exe
CommandLineParameters - ondemandscan and path
ServiceName - CbDefense
RegPath - \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefense
ThreatExistsRegEx - Put this value empty as Kaspersky Security
IsParallelScanAvailable - false
Exit Code - no

[KLinville]

This is what I have successfully used for Carbon Black scanning with SureBackup. Although, I've not ever encountered an infection detected so I'm not sure that the exit code are 100% accurate.

Code: Select all

<Antiviruses>
	<AntivirusInfo Name='Cb Defense' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\Confer\RepCLI.exe' CommandLineParameters='ondemandscan %Path%' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbDefense' ServiceName='CbDefense' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
	</AntivirusInfo>	
</Antiviruses>

[KLinville]

I'm trying to use the same config for SentinelOne scanning and it is partially working, so far. However, I'm getting an error with Exit Code 1 that is causing the job to fail. According to the SentinelOne site, there are only two exit codes; 0 = success, non-Zero = failure. I'm still trying to get that worked out with useful logging to resolve whatever the problem is.

Code: Select all

<Antiviruses>
	<AntivirusInfo Name='SentinelOne' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\SentinelOne\Sentinel Agent 21.5.3.235\SentinelCtl.exe' CommandLineParameters='scan_folder -i %Path%' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelAgent' ServiceName='SentinelAgent' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
	</AntivirusInfo>	
</Antiviruses>

[mjkellerii]

The Code above listed for Carbon Black is not working for me. The scans are failing with "Invalid command line argument errors". Does anyone have Carbon Black working?