Hello,
I have been a proud user of Veeam since version 5, and after reading many posts by our dear Gostev I would like to know if anyone has tried to install the RACCINE project on file servers:
We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary that first collects all PIDs of the parent processes and then tries to kill all parent processes.
It seems very interesting, and even if it is not directly Veeam related, I think it is in the same spirit as having good backups...
So if someone has tested a Veeam backup of a Windows server equipped with Raccine, please give us feedback!
It's an interesting project, but I've usually advised my clients against using disk shadow backups in conjunction with image level backups. I see it as just a waste of space in most cases, and especially with Veeam, the file level restores are pretty fast and furthermore are easier to delegate to non-privileged users.
But if you're using them, probably it's fine? I suppose this is for non-volatile disk shadows and that it ignores those set with the volatile flag (which I think backup apps like Veeam use?)
Thank you for taking the time to answer. I have quite a few clients adding hourly volume snapshots on top of Veeam backups; it does not cost much resource nor space.
I'm interested in putting in place any countermeasures available (waiting eagerly for immutable backups on XFS) and it seemed like a good solution... but as I don't have a lab handy, I'm not sure about blocking vssadmin snapshots that could be used by Veeam application-aware snapshots (maybe?)
You won't be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command during their work. It will not only block that request but also kill all processes in that tree, including the backup solution and its invoking process.
If you have solid security monitoring that logs all process executions, you could check your logs to see if vssadmin.exe delete shadows or vssadmin.exe resize shadowstorage ... is frequently or sporadically used for legitimate purposes, in which case you should refrain from using Raccine.
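As an added example (not from this thread or from the Raccine project), here is a small Python scan in the spirit of the log check suggested above: it counts the vssadmin delete shadows / resize shadowstorage command lines per parent image, since Raccine kills the whole parent tree, so a parent that triggers repeatedly (a scheduled backup agent) is what would break. The one-event-per-line export format, the sample log lines and the image names are constructed assumptions, and Raccine's exact matching rules are assumed from the thread rather than taken from its source.

```python
import re
from collections import Counter, defaultdict

# Command lines named in the thread as Raccine triggers. Raccine's real matching
# rules are an assumption here; check the project's README before relying on this.
TRIGGERS = {
    "delete shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "resize shadowstorage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
}

# Assumed export format: one process-creation event per line (e.g. Security 4688
# or Sysmon event 1 exported to text by your monitoring tool).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$"
)

# Constructed sample; the parent image paths and user names are hypothetical.
SAMPLE_LOG = """\
2023-01-10T01:00:02 parent=C:\\Backup\\backupagent.exe user=SYSTEM cmd=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10%
2023-01-10T09:12:44 parent=C:\\Windows\\System32\\cmd.exe user=CORP\\admin cmd=vssadmin list shadows
2023-01-10T09:13:01 parent=C:\\Windows\\System32\\cmd.exe user=CORP\\admin cmd=vssadmin delete shadows /for=C: /oldest
2023-01-11T01:00:03 parent=C:\\Backup\\backupagent.exe user=SYSTEM cmd=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=10%
2023-01-11T14:20:17 parent=C:\\Windows\\explorer.exe user=CORP\\jdoe cmd=notepad.exe
"""


def parse_log(text):
    """Yield (parent, user, cmd) for each line in the assumed format; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("parent"), m.group("user"), m.group("cmd")


def find_triggers(text):
    """Count Raccine-triggering command lines, keyed by parent image then trigger."""
    hits = defaultdict(Counter)
    for parent, _user, cmd in parse_log(text):
        for name, pattern in TRIGGERS.items():
            if pattern.search(cmd):
                hits[parent][name] += 1
    return hits


def recurring_parents(hits, min_count=2):
    """Parents that trigger at least min_count times: likely scheduled jobs Raccine would kill."""
    return {parent for parent, c in hits.items() if sum(c.values()) >= min_count}
```

With Raccine installed, each parent listed by `find_triggers` would be terminated along with the vssadmin invocation, so anything in `recurring_parents` is a backup job to investigate before deployment.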
If someone tests it, I'll be thankful to have my mind set at ease about the innocuity of Raccine for Veeam's backups.