reminder on AV exceptions with Veeam 9.5

[ashleyw]

hey guys, just a heads up.

We had been battling to trace heavy CPU utilisation on our Re-FS layer (only during active full) since upgrading to 9.5 and all our infrastructure to Windows 2016 server.

Finally after much thrashing around trying to understand why the System task (NT Kernel & System) was flat lining and killing our Re-FS layer we finally realised on our previous architecture eon Server 2012R2 we had no AV installed whereas Server 2016 has AV installed by default, so a quick google took us to;
https://www.veeam.com/kb1999

Once we put in the exceptions, our system was stable through an active full backup again.
hopefully you guys won't overlook this like we did!

cheers
Ashley

[Gostev]

Excellent tip, thanks for sharing Ashley!

[SYSADMIT]

In reference to what you mention:

I have published in my blog how to uninstall Windows Defender or how to configure the exclusions following the paths and files of the Veeam KB using PowerShell:
https://www.sysadmit.com/2018/06/veeam- ... Shell.html

You can "copy-paste" the cmd-lets.

Regards!

[jim3cantos]

@Gostev, I see that I can understand Italian perfectly...

Xabier, thanks for the tips!

...After executing powershell commands don't forget to include the paths for backup files in case of repositories.

[pigletjuggler]

I believe the link provided regarding setting MSDefender exceptions via PowerShell contains some incorrect information.

The set-mppreference -exclusionprocess is fine for the exe files, but it shouldn’t contain the *.vmdk and *.flat. If you’re trying to exclude those file types, it should be done with set-mppreference-exclusionextension.

Please correct me if I’m wrong, but bearing that in mind, it should be something like this:

Code: Select all

#Exclude VEEAM from Defender
Set-MpPreference -ExclusionExtension ".vmdk", ".flat"
Set-MpPreference -ExclusionProcess "VeeamAgent.exe", "VeeamAgent64.exe"
Set-MpPreference -ExclusionPath "C:\Program Files\Veeam", "C:\Program Files (x86)\Veeam","C:\Program Files\Common Files\Veeam","C:\Program Files (x86)\Common Files\Veeam", "C:\VBRCatalog","C:\ProgramData\Veeam\Backup\NfsDatastore","C:\VeeamFLR","C:\Windows\Veeam","C:\programdata\Veeam","C:\Windows\VeeamVssSupport","C:\Windows\VeeamLogShipper"

Don’t forget that the paths in there should reflect what the actual environment has… not the defaults. I’d also venture to guess that the temp extension should be added to the exception list as well to boost cleanup and merge processes.

[SYSADMIT]

Hi @pigletjuggler. It is right.

Thank you very much for the contribution, I have updated the post with the information you mention:

https://www.sysadmit.com/2018/06/veeam- ... Shell.html

By default "Windows Defender" does not scan file extensions: VMDK or FLAT, because for "Windows Defender" they are unknown extensions, however it is a good idea to exclude them as extensions as marked by the Veeam KB and not exclude them as processes.

[SYSADMIT]

If the computer where Veeam is installed is joined to an Active Directory domain, we can use a computer Group Policy (GPO) to set Windows Defender exclusions.

In the following link, we can find the GPO location in English and Spanish:

https://www.sysadmit.com/2018/10/veeam- ... r-gpo.html

The GPO will take effect if the operating system where the GPO is applied has at least Windows Server 2012.