Repository with controlled folder access not working after update SP4b

[Ben.online]

Hello

After installing update 9.5SP4B build 2866 we are having issues with our repository and security
The repository is build using these guideline's https://www.veeam.com/videos/ransomware ... 14263.html and this was working for months without issue.
But now the backups are failing with error: Processing XXXXX Error: The system cannot find the file specified. Failed to create or open file [D:\Backups\Test Backup_1\Test BackupD2020-03-14T085940_28D0.vrb]
Failed to open storage for read/write access. Storage: [D:\Backups\Test Backup_1\Test BackupD2020-03-14T085940_28D0.vrb]
The repository can be rescanned added changed etc Veeam just can't write files there.
When controlled folder access is disabled the issue is resolved, and Veeam can backup without any problem so issue found .

From the start we had the exclusions and allowed applications from the guide configured, but with SP4b that seems no longer to be enough.
I've updated the exclusion etc using the https://www.veeam.com/kb1999 as this was updated after configuration article but still no luck.
A blocked or audited event should trigger id 1123 or 1124 in the Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
But non of these events have been triggered there ever.

Does anyone have a Windows repository with Veeam version 9.5SP4B or higher and controlled folder access/Windows Defender Exploit Guard enabled?
And if so what exclusions and or allowed apps need to be configured?

Case # 04061372

[foggy]

Hi Ben, I can see that your support case is already closed. I would though recommend investigating the reasons of why it doesn't work with the exclusions configured properly according to the KB article. Btw, have you reviewed the AV logs for some insights on what's blocked? The strange thing it doesn't log corresponding events in Event Viewer...

[Ben.online]

Hello Foggy, yes the case is closed because the issue was found and it was not Veeam causing it.
I just expected that review/adding the exclusions would also fix the issue with CFA enabled.
It turns out that is not the case.
Also i think it is not related to the av and therefor the scan exclusions might not do anything here, because AV(windows defender) stays enabled it is only controlled folder access that needs to be disabled to make Veeam work again.
The weard thing is that an update triggerd it but the veeam processes on a repository have not changed. not that i can find atleast

Case # 04061372

[foggy]

Here's another thread related to CFA - though it is for Veeam Agent for Windows but it mentions some additional folder exclusions that might help.

[Ben.online]

@foggy
Got the issue solved and everything is working ok now
These settings should be enough:

Code: Select all

Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\Program Files (x86)\Veeam\backup Transport\VeeamTransportSvc.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\Program Files (x86)\Veeam\backup Transport\x64\VeeamAgent.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\Program Files (x86)\Veeam\backup Transport\x86\VeeamAgent.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\Program Files (x86)\Veeam\vPowerNFS\VeeamNFSSvc.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe"

Add-MpPreference -ControlledFolderAccessProtectedFolders "c:\yourRepository"

And next to that use https://www.veeam.com/kb1999 to configure antivirus scanning exclusions

i think i found the original cause
When adding the veeamagent.exe and veeamagent64.exe to the antivirus exclusions (Add-MpPreference -ExclusionProcess) it also adds these to the controlled folder access list exclusions (Add-MpPreference -ControlledFolderAccessAllowedApplications )
But is does not work as just a .exe with no full path. Till the update sp4b veeamAgent.exe was not blocked by cfa
Now it needs the paths to to veeamAgent.exe's to function


The issue that cfa is not loggin any events seems a MS thing:
https://answers.microsoft.com/en-us/pro ... 260a601a8a

Case # 04061372

[koenteugels]

Hello I have a windows 2019 version 1806 (build 17763.1282) and veeam 10 P2 and when activating controlled folder access.
Iit ia a all in one box so VBR server + proxy + repository server. I added the defender antivirus exclusions and all the application exe, but it still doesn't work, I don't see anything in de windows defender logs
Any idea's

The configuration and normal backups are failing with error: Error Could not find file 'D:\VeeamData\VeeamConfigBackup\XXX-XXXX\XXX-XXXX_2020-06-27_10-30-17.bco'.

[LOGS REMOVED]

The repository can be rescanned added changed etc Veeam just can't write files there.
When controlled folder access is disabled the issue is resolved, and Veeam can backup without any problem so issue found

[veremin]

Kindly, do not include debug log snippets in forum posts, as per forum rules provided when you click New Topic. Instead, please open a separate ticket, upload the entire debug logs package there, and provide the case ID number with the post (this is mandatory when posting about any technical issues). Thanks!