Secure restore

roelvdw · Post by **roelvdw** » Feb 05, 2019 8:20 pm this post

Hi

We use in our environment Kaspersky EndPoint Security and Kaspersky Security for Windows Servers.
I wanna test secure restore functionality with Kaspersky Security .
Does anyone have experience with Configuring the antivirus file for Veeam B&R to test secure restore ?

Kind regards

Roel

Post by **Mike Resseler** » Feb 06, 2019 6:34 am this post

Roel,

I've done a bit of digging but can't find exactly if commandline is supported for Endpoint Security. Only found something for version 10 for windows servers (https://support.kaspersky.com/11336#). So you might want to check if that avp.com exists on your servers.

If so, just adapt the XML file as seen here (https://helpcenter.veeam.com/docs/backu ... l?ver=95u4)

Mike

roelvdw · Post by **roelvdw** » Feb 06, 2019 9:10 am this post

Hi Mike

No avp.com is not installed on Servers.
If i can install it > can you send me antivirusinfo.xml file adjusted for this AV

Kind regards

Roel

Post by **HannesK** » Feb 06, 2019 4:06 pm this post

Hello,
I guess you have a "all in one" installation. That means avp.com needs to be installed on the Veeam Backup server.

Then I suggest that you try to scan manually on command line (how-to). Example "avp.com scan <file / folder>" and check whether everything works. The eicar test virus is an easy way to check.

After you figured out the syntax, just change the settings in the XML file from one of the existing examples in the file.

Best regards,
Hannes

roelvdw · Post by **roelvdw** » Feb 06, 2019 5:30 pm this post

Hi Hannes

avp.com is only Kaspersky EndPoint Security (clients) .
For servers > Kaspersky Security for Windows Server .
On most of my servers Kaspersky Security for Windows Servers is installed also on Veeam Backup Server.
I have added the commands in antivirusinfo.xml (for Kaspersky EndPoint Security & Kaspersky Security for Windows Server .
Do i have to restart services after editing Antivirusinfo file ?

Post by **HannesK** » Feb 07, 2019 8:37 am this post

Hello,
as far as I remember when I tested it some months ago, it is not required to restart any service. I will ask the documentation whether they can add that information.

Best regards,
Hannes

roelvdw · Post by **roelvdw** » Feb 09, 2019 2:32 pm this post

Hi Hannes

I have adjusted the XML file .
But when i test secore Restore > i get message that malware scan is not available

Post by **Mike Resseler** » Feb 11, 2019 6:23 am this post

Roel,

Without any guarantees that it will work (I can't test because I don't have Kaspersky). Could you post what you have added to the XML file? We might see something in it that is not correct.

roelvdw · Post by **roelvdw** » Feb 12, 2019 1:58 pm this post

Hi

I haved added the text of xml file above

Code: Select all

<Antiviruses>
	<AntivirusInfo Name='Symantec' IsPortableSoftware='false' ExecutableFilePath='Veeam.Backup.Antivirus.Scan.exe' CommandLineParameters='/p:%Path%' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\symcscan' ServiceName='symcscan' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
	</AntivirusInfo>
<Antiviruses>
	<AntivirusInfo Name='Kaspersky Security 10 for Windows Server' IsPortableSoftware='false' ExecutableFilePath='c:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10 for Windows Server\kavshell.exe' CommandLineParameters='scan /mycomp' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFS' ServiceName='KAVFS' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
	</AntivirusInfo>
<Antiviruses>
<Antiviruses>
	<AntivirusInfo Name='Kaspersky Security 10 for Windows Server' IsPortableSoftware='true' ExecutableFilePath='c:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10 for Windows Server\kavshell.exe' CommandLineParameters='scan /mycomp' RegPath='' ServiceName='' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
	</AntivirusInfo>
<Antiviruses>
	<AntivirusInfo Name='Kaspersky Endpoint Security for Windows' IsPortableSoftware='true' ExecutableFilePath='c:Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.com' CommandLineParameters='scan /all' RegPath='' ServiceName='' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
<AntivirusInfo Name='Kaspersky Endpoint Security for Windows' IsPortableSoftware='false' ExecutableFilePath='c:Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.com' CommandLineParameters='scan /all' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVP' ServiceName='AVP' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
		</ExitCodes>
	</AntivirusInfo>
	<AntivirusInfo Name='Eset File Security' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\ESET\ESET File Security\ecls.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='' ServiceName='' ThreatExistsRegEx='threat\s*=\s*["&apos;](?!is OK["&apos;])[^"&apos;]+["&apos;]' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>1</ExitCode>
			<ExitCode Type='Warning' Description='Some files were not scanned'>10</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>50</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>100</ExitCode>
		</ExitCodes>
	</AntivirusInfo>
	<AntivirusInfo Name='ESET Antivirus' IsPortableSoftware='true' ExecutableFilePath='%ProgramFiles%\ESET\ESET Security\ecls.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='' ServiceName='' ThreatExistsRegEx='threat\s*=\s*["&apos;](?!is OK["&apos;])[^"&apos;]+["&apos;]' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>1</ExitCode>
			<ExitCode Type='Warning' Description='Some files were not scanned'>10</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>50</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>100</ExitCode>
		</ExitCodes>
	</AntivirusInfo>
	<AntivirusInfo Name='Windows Defender' IsPortableSoftware='false' ExecutableFilePath='%ProgramFiles%\Windows Defender\mpcmdrun.exe' CommandLineParameters='-Scan -ScanType 3 -File %Path% -DisableRemediation -BootSectorScan' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend' ServiceName='WinDefend' ThreatExistsRegEx='Threat\s+information' IsParallelScanAvailable='false'>
		<ExitCodes>
			<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
			<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
			<ExitCode Type='Infected' Description='Virus threat was detected'>2</ExitCode>
		</ExitCodes>
	</AntivirusInfo>
</Antiviruses>

Post by **HannesK** » Feb 12, 2019 2:11 pm this post

Hello,
I don't believe that it is a good idea to add the scanners twice with the same name

Code: Select all

<AntivirusInfo Name='Kaspersky Security 10 for Windows Server' IsPortableSoftware='false'
<AntivirusInfo Name='Kaspersky Security 10 for Windows Server' IsPortableSoftware='true'

Code: Select all

<AntivirusInfo Name='Kaspersky Endpoint Security for Windows' IsPortableSoftware='true'
<AntivirusInfo Name='Kaspersky Endpoint Security for Windows' IsPortableSoftware='false'

trying both ways makes sense to me, but with the same name that could be an issue.

Best regards,
Hannes

roelvdw · Post by **roelvdw** » Feb 12, 2019 3:19 pm this post

Hi Hannes

Kaspersky EndPoint Security & Kaspersky Security 10 for Windows Server works both from command line.
Do i have choose for "IsPortableSoftware=true" ?

Kind regards

Roel

Post by **HannesK** » Feb 12, 2019 3:27 pm this post

Hello,
I understand, but I guess our software cannot deal with two identical names (Name=...). Just try to rename them and if you keep both options for both scanners, then something should work.

I can only guess as I don't have the software. I would just try both (as you already do).

Best regards,
Hannes

Post by **Mike Resseler** » Feb 12, 2019 7:27 pm this post

Roel,

IsPortableSoftware is probably false. I assume it is installed, as I see entries for a service.

That said, are all of those different ones installed on the server? I see potential issues with the server version and the workstation version being installed on that server? In the end, we use the service running on the server that will execute the datalab.

roelvdw · Post by **roelvdw** » Feb 12, 2019 8:16 pm this post

Hi Mike

Do you mean it could be a problem that i have entry for EndPoint and servers ? Kaspersky Security 10 for Windows Servers command line is with kavshell.exe command. Directory is c:\program files (x86)\Kaspersky Lab\Kaspersky Security 10 for Windows Server. but there is also a service for Kaspersky .

What do i have to choose > isportablesoftware=false or true.
The Manuel says > true when exe is available. False when there is service

Post by **Mike Resseler** » Feb 12, 2019 8:21 pm this post

I am assuming you will be running the server version on the server responsible for mounting the backup? If so, use the server version. And I think, that it will be a service so isportablesofware=false

If you make the changes, let us know how it looks then

roelvdw · Post by **roelvdw** » Feb 15, 2019 4:34 pm this post

Hi Mike

I have changed thé XML file.
It detects Kaspersky on server and start scanning but it failed with exitcode -6 unknown command

Post by **Mike Resseler** » Feb 18, 2019 6:51 am this post

I just tried to find some documentation on those error codes but not really successful. Any change you are registered on their forums or have a support contract? That might be the quickest way to figure out what each exit code means.

roelvdw · Post by **roelvdw** » Feb 18, 2019 5:11 pm this post

Hi Mike

Error code -6 means unknown command.
Some wrong argument in command or not Wright command

Post by **Mike Resseler** » Feb 19, 2019 7:10 am this post

OK. Could you post the data you have in the XML command again? Might be a little error inside. If I can't see it, we might need to create support call.

roelvdw · Post by **roelvdw** » Feb 19, 2019 10:15 am this post

Hi I haved added this to XML file.

<AntivirusInfo Name='Kaspersky Security 10 for Windows Server' IsPortableSoftware='true' ExecutableFilePath='C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10 for Windows Server\kavshell.exe' CommandLineParameters='%Path% SCAN /FIXDRIVES /FA /AI:AUTO /AS:AUTO' RegPath='' ServiceName='' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type="Error" Description='Verkeerd commando'>-6</ExitCode>
<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
</ExitCodes>
</AntivirusInfo>

i get error -6 unknown command

I have also created a case with support last week
Case # 03408740

kind regards

YouTube · Post by **MichaelCade** » Feb 19, 2019 10:39 am this post

Thanks I will keep an eye on the support case.

roelvdw · Post by **roelvdw** » Feb 19, 2019 10:44 am this post

Hi Michael

I am already a step further in scanning.
The C drive scan completed but the other part of c drive gives error -83 > means unchecked object founds.

I also created a request on kaspersky forum. Keep you posted what Kaspersky saying about this error µµ

https://forum.kaspersky.com/index.php?/ ... ent-330273

roelvdw · Post by **roelvdw** » Feb 19, 2019 1:49 pm this post

there was error in the command parameters .

this is the wright command
<AntivirusInfo Name='Kaspersky Security 10 for Windows Server' IsPortableSoftware='true' ExecutableFilePath='C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10 for Windows Server\kavshell.exe' CommandLineParameters='SCAN %Path% /FIXDRIVES /FA /AI:AUTO /AS:AUTO' RegPath='' ServiceName='' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
<ExitCodes>
<ExitCode Type="Error" Description='Verkeerd commando'>-6</ExitCode>
<ExitCode Type='Success' Description='No threats detected'>0</ExitCode>
<ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
<ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
<ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
<ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
</ExitCodes>
</AntivirusInfo>

but get errorcode -83 > unchecked objects found

Post by **Mike Resseler** » Feb 20, 2019 6:37 am this post

Roel,

I'm guessing here... That backup that you are scanning... Any change it has already quarantined objects in it?

roelvdw · Post by **roelvdw** » Feb 20, 2019 7:00 am this post

Hi Mike

No quarantained files Found
Only unknown objects

Post by **Dima P.** » Feb 20, 2019 6:49 pm this post

Hello Roel,

For the test purposes can you please make CommandLineParameters more lightweight?

1. I assume you don't need to use SCAN (as you would like to scan all the volumes in the backup and all the files are online anyway, right?)
2. FIXDRIVES, let's leave it

/FA /AI:AUTO /AS:AUTO

Do you have any description to share with me for these command line keys?

When you have zero command line keys specified does it scan all the volumes in from the backup? Thank you in advance!

roelvdw · Post by **roelvdw** » Feb 20, 2019 7:19 pm this post

Hi Dima

This is the Kaspersky Manual
https://kaspersky.aeminiummultimedia.pt ... ide_en.pdf

1) yes i think i Need the scan command.
2) ok i leave fixdrives parameter

What do you mean with the last ?
Which command do i have to use then > only scan %path% \ fixdrives ?
Other parameters are \Scancritical in place of scan . Or scan \memory \shared \mycomp ...

You can Find all commands in the manual

Kind regards

Roel

Post by **Dima P.** » Feb 20, 2019 8:39 pm this post

Code: Select all

KAVSHELL SCAN C:\VeeamFLR\

Looks like this is the only key needed for CommandLineParameters is path the folder (it will point the scan to the predefined folder where we mount disks from backup file). Can you please try this command line parameter? Cheers!

roelvdw · Post by **roelvdw** » Feb 20, 2019 8:57 pm this post

Hi Dima

Ok i gonna try it out tomorrow.

roelvdw · Post by **roelvdw** » Feb 21, 2019 4:48 pm this post

Hi Dima

I changed commandlineparameter to
<'SCAN %Path% c:\VeeamFLR '>

It works.

For Surebackup > do i have to change thé parameters? Or does scan Surebackup automatically the Wright volumes ?

R&D Forums

Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Re: Secure restore

Who is online