Feature Request: installable Guesthelper against ransomware

Availability for the Always-On Enterprise

Feature Request: installable Guesthelper against ransomware

Veeam Logoby ak1 » Thu Sep 08, 2016 9:34 am

Hi,

we separated our Backup Network and some other Networks to protect our Servers against Ransomeware.
But to access the admin share for the Veeam Backup & Replication components (guesthelpertool, Backup Proxy Service, ...)
we need to open widely the following ports in the firewall:

CIFS:445
LDAP GC: 3268
Netbios LS:135
Netbios NS:137
Netbios SSN: 139
Netbios DGM: 138
RPC Dynamic Port: 1024-65535
Veeam Backup Proxy Service:6162
Veeam Installer Service: 6160
Veeam NFS RPC: 6161
Veeam NFS RPC Portmapper: 111
Veeam RPC Port 1:2049
Veeam RPC Port 2: 1058

for Example to access the MSSQL network, only port 1433 needed,
so ransomware can't access and encrypt any share from the other Networks.

Should be infected for some reason the backupserver, the backupserver can access all shares
and can also infect all Servers protected by Veeam.


My Feature Request:

Is it possible to install the guesthelpertools and an Update Agent manually
directly on the "Veeam protected Microsoft Windows Server" such as, for example, some antivirus manufacturer?

The Installed guesthelper and an Update Agent can run as Service as Local System Account or as Local Admin.
The Update agent can install and update the guesthelpertools and no Admin Share and Access is needed.

Now the ports are maybe limited to the following Ports:

Veeam Update Agent
Veeam Backup Proxy Service:6162
Veeam Installer Service: 6160
Veeam RPC Port 1:2049
Veeam RPC Port 2: 1058

Should be infected for some reason the backupserver, now only the Backupservers are encrypted and the other Networks are protected.
ak1
Lurker
 
Posts: 1
Liked: never
Joined: Mon Mar 16, 2015 12:03 pm
Full Name: Andreas

Re: Feature Request: installable Guesthelper against ransomw

Veeam Logoby Vitaliy S. » Wed Sep 21, 2016 11:59 am

ak1 wrote:Is it possible to install the guesthelpertools and an Update Agent manually
directly on the "Veeam protected Microsoft Windows Server" such as, for example, some antivirus manufacturer?

No, it is not possible, however network access to processed VMs is not required, you can failover to VIX-engine for accessing VMs with no network connection to the backup server.

Thank you for the feature request!
Vitaliy S.
Veeam Software
 
Posts: 19545
Liked: 1099 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov


Return to Veeam Backup & Replication



Who is online

Users browsing this forum: Bing [Bot], Yahoo [Bot] and 33 guests