BennyDC
Enthusiast
Posts: 50
Liked: 8 times
Joined: Mar 03, 2017 3:24 pm
Full Name: Benny De Cock
Contact:

SureBackup Sentinel ONe

Post by BennyDC »

Hi,

We are planning to use Sentinel One as our antivirus solution.
For the SureBackup antivirus check I previously modified the AntivirusInfos.xml.
Does anyone know, or have experience with, how to modify it for Sentinel One?

Thanks,
Benny
Dima P.
Product Manager
Posts: 14725
Liked: 1706 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: SureBackup Sentinel ONe

Post by Dima P. »

Hello Benny,

Unfortunately, we do not provide an out-of-the-box configuration for the Sentinel One solution. However, if it has a command line interface, you can adjust the existing config file on the Veeam B&R mount server to make it work: Antivirus XML Configuration File. Thank you!

Re: SureBackup Sentinel ONe

Post by BennyDC »

I configured the ExecutableFilePath and the RegPath.
SureBackup now recognizes the product, does the scan and continues with the rest of the job.
However, I get an error on the exit codes.
I used the ones from the previous AV, as I can't find a list of the codes for Sentinel One.
Can someone help me with this?

Thanks,
Benny

Re: SureBackup Sentinel ONe

Post by Dima P. »

Hello Benny,

Can you please share your AntivirusInfos.xml configuration with Sentinel One parameters? Thank you!

Re: SureBackup Sentinel ONe

Post by BennyDC » 2 people like this post

Hi,

Below is what I modified in the antivirusinfos.xml.
But I'm only sure about exit code 1639 ('No threats detected').
I didn't find any information about the other exit codes.

<Antiviruses>
  <AntivirusInfo Name='SentinelOne' IsPortableSoftware='false' ExecutableFilePath='C:\Program Files\SentinelOne\Sentinel Agent 22.1.4.10010\SentinelCtl.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelAgent' ServiceName='SentinelAgent' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected'>1639</ExitCode>
      <ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
      <ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
    </ExitCodes>
  </AntivirusInfo>
</Antiviruses>
hexadecimal
Influencer
Posts: 16
Liked: 8 times
Joined: Apr 26, 2021 3:18 pm
Contact:

Re: SureBackup Sentinel ONe

Post by hexadecimal » 1 person likes this post

Were you successful in getting S1 working? We're still using Windows Defender on our Veeam servers but would like to migrate to S1.

Re: SureBackup Sentinel ONe

Post by Dima P. »

Thank you for sharing! Folks, have you tried it for the periodic check in the Virtual Lab, or do you use it during Secure Restore?

Re: SureBackup Sentinel ONe

Post by BennyDC » 2 people like this post

hexadecimal wrote: Dec 16, 2022 3:07 pm Were you successful in getting S1 working? We're still using Windows Defender on our Veeam servers but would like to migrate to S1.
Yes, I've been using this for a year now, since we moved from SEP to S1.

Re: SureBackup Sentinel ONe

Post by BennyDC » 1 person likes this post

Dima P. wrote: Dec 16, 2022 8:48 pm Thank you for sharing! Folks, have you tried it for the periodic check in the Virtual Lab, or do you use it during Secure Restore?
I'm using it for SureBackup, where we periodically check VMs in the virtual lab for ping, virus and validation.
Gostev
Chief Product Officer
Posts: 31812
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: SureBackup Sentinel ONe

Post by Gostev » 1 person likes this post

@Dima P. can we integrate this into the default definitions, alongside Windows Defender etc.?

Re: SureBackup Sentinel ONe

Post by Dima P. » 1 person likes this post

Yes, it's already scheduled. Thank you for the feedback guys!
samon90
Lurker
Posts: 2
Liked: never
Joined: Apr 18, 2014 10:30 am
Contact:

Re: SureBackup Sentinel ONe

Post by samon90 »

Hi,

I want to try using S1 for AV scanning in SureBackup.

Sentinel is recognized, but after 9 seconds SureBackup indicates "scanning completed".

Before, the SureBackup job scanning was done by Kaspersky and took some hours.

How can we solve the scanning issue?

Re: SureBackup Sentinel ONe

Post by Dima P. »

samon90,

Veeam B&R does not control how the scan is actually performed by the AV (it mounts the content, triggers the command and waits for the exit code to be received). Can you check the S1 logs to verify that the content was actually scanned? Thanks!
thomas.biesmans
Enthusiast
Posts: 38
Liked: 13 times
Joined: Mar 22, 2013 10:35 am
Contact:

Re: SureBackup Sentinel ONe

Post by thomas.biesmans »

Seems like this isn't working anymore in newer versions. First of all, the command above does not work; the args have to be changed to "CommandLineParameters='scan_folder -i %Path%'", otherwise you get an overview of the options (and a dumb 1639 exit code):

Code:

[24.05.2023 14:27:15.481] <108> Info         Begin scan process: ExecutablePath = [C:\Program Files\SentinelOne\Sentinel Agent 22.3.4.612\SentinelCtl.exe] Args = ["C:\VeeamFLR\TE-FIL02_35e08b1b\Volume0" /clean-mode=None /no-symlink].
[24.05.2023 14:27:15.778] <51> Info         Usage:
[24.05.2023 14:27:15.778] <51> Info         	abort_scan    	Abort the active on-demand scan
[24.05.2023 14:27:15.778] <51> Info         	agent_id    	Print agent ID
[24.05.2023 14:27:15.778] <51> Info         	bind    	Bind this agent to a management instance using a registration code
[24.05.2023 14:27:15.778] <51> Info         	config_collect_dumps    	Enable or disable agent dumps collection ( -e enable -d disable )
[24.05.2023 14:27:15.778] <51> Info         	configure    	Show agent's configuration (no parameters). Update agent's configuration (-k <verification key> -p <configuration parameter> -v <new value>. 
[24.05.2023 14:27:15.778] <51> Info         	configure_proxy_credentials    	Configure management or deep visibility proxy credentials
[24.05.2023 14:27:15.778] <51> Info         	create_agent_analyzer_report    	Create agent analyzer report
[24.05.2023 14:27:15.778] <51> Info         	customer_id    	Print and set customer identifier
[24.05.2023 14:27:15.778] <51> Info         	disable_agent    	Enter disable-mode
[24.05.2023 14:27:15.778] <51> Info         	enable_agent    	Exit disable-mode
[24.05.2023 14:27:15.778] <51> Info         	get_current_locations    	Get current agent location IDs
[24.05.2023 14:27:15.778] <51> Info         	get_fw_control_rules    	Export to xml file the current list of FW control rules
[24.05.2023 14:27:15.778] <51> Info         	get_sv_server    	Get the configured SV server URL
[24.05.2023 14:27:15.778] <51> Info         	help    	Print this message
[24.05.2023 14:27:15.778] <51> Info         	is_scan_in_progress    	Print if a scan is in progress
[24.05.2023 14:27:15.778] <51> Info         	load    	Load Agent services
[24.05.2023 14:27:15.778] <51> Info         	mark_as_threat    	Mark group as threat
[24.05.2023 14:27:15.778] <51> Info         	protect    	Enable Sentinel self protection
[24.05.2023 14:27:15.778] <51> Info         	query_agent_state    	Query agent state's values
[24.05.2023 14:27:15.778] <51> Info         	refresh_proxy    	Refresh the agent proxy settings
[24.05.2023 14:27:15.778] <51> Info         	reload    	Unload and then load any specific modules
[24.05.2023 14:27:15.778] <51> Info         	scan_file    	Scan a file ( -i path )
[24.05.2023 14:27:15.778] <51> Info         	scan_folder    	Scan a folder ( -i path )
[24.05.2023 14:27:15.778] <51> Info         	status    	Show the Agent's status
[24.05.2023 14:27:15.778] <51> Info         	sv_export_archive    	Export the SV archive file
[24.05.2023 14:27:15.778] <51> Info         	terminate_injected    	Configure termination of injected targets
[24.05.2023 14:27:15.778] <51> Info         	unload    	Unload Agent services
[24.05.2023 14:27:15.778] <51> Info         	unprotect    	Disable Sentinel self protection
[24.05.2023 14:27:15.809] <108> Info         No threats detected. Exit code: 1639
Second, the scan_folder option only triggers a scan asynchronously, and does not wait for the results:

Code:

PS C:\Program Files\SentinelOne\Sentinel Agent 22.3.4.612> .\SentinelCtl.exe scan_folder -i "C:\Program Files\Common Files\Veeam\Backup and Replication\Mount Service"
Request to start a new scan was sent successfully
Unless there are other, hidden, options, SentinelOne doesn't seem compatible through the regular, simple approach.
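The two failure modes in the post above (the scanner printing its usage text, and the scan being queued asynchronously so the exit code arrives within milliseconds) both leave a "No threats detected" line in the SureBackup log. As an added example, not from the thread, Veeam or SentinelOne, here is a small Python checker that reads log lines in the format quoted above and refuses to trust such a verdict when either symptom is present; the 30-second threshold and the sample log are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the SureBackup log excerpt quoted above in this thread.
# The timestamps, thread ids and paths are copied from that excerpt; it is not a new capture.
SAMPLE_LOG = r"""
[24.05.2023 14:27:15.481] <108> Info         Begin scan process: ExecutablePath = [C:\Program Files\SentinelOne\Sentinel Agent 22.3.4.612\SentinelCtl.exe] Args = ["C:\VeeamFLR\TE-FIL02_35e08b1b\Volume0" /clean-mode=None /no-symlink].
[24.05.2023 14:27:15.778] <51> Info         Usage:
[24.05.2023 14:27:15.778] <51> Info         	scan_folder    	Scan a folder ( -i path )
[24.05.2023 14:27:15.809] <108> Info         No threats detected. Exit code: 1639
"""

# One Veeam log line: "[dd.MM.yyyy HH:mm:ss.fff] <thread> Level   message"
LINE_RE = re.compile(r"^\[(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\] <\d+> \w+\s+(.*)$")
TS_FMT = "%d.%m.%Y %H:%M:%S.%f"

# Scanning a mounted backup volume takes minutes to hours. The threshold is an assumption made
# for this example (not a Veeam setting): a verdict that arrives faster is not a real scan.
MIN_PLAUSIBLE_SECONDS = 30.0


def audit_scan_log(text):
    """Return one (exit_code, verdict, reasons) tuple per scan process found in the log.

    verdict is "trusted" or "suspect". The verdict becomes "suspect" when the scanner printed
    its usage text (the arguments were not understood) or when the exit code arrived before a
    real scan could have finished (the tool only queued a scan and returned immediately).
    Either way the "No threats detected" result must not be taken as a clean bill of health.
    """
    results = []
    start, saw_usage = None, False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), TS_FMT), m.group(2).strip()
        if msg.startswith("Begin scan process"):
            start, saw_usage = ts, False
        elif msg.startswith("Usage:"):
            saw_usage = True
        elif start is not None:
            code = re.search(r"Exit code: (\d+)$", msg)
            if not code:
                continue
            elapsed = (ts - start).total_seconds()
            reasons = []
            if saw_usage:
                reasons.append("scanner printed its usage text: command line not understood")
            if elapsed < MIN_PLAUSIBLE_SECONDS:
                reasons.append(f"exit after {elapsed:.3f}s: scan cannot have completed")
            results.append((int(code.group(1)), "suspect" if reasons else "trusted", reasons))
            start = None
    return results


if __name__ == "__main__":
    for exit_code, verdict, reasons in audit_scan_log(SAMPLE_LOG):
        print(f"exit code {exit_code}: {verdict}", *reasons, sep="\n  ")
```

Run against the real SureBackup log on the mount server, a "suspect" result for exit code 1639 is the false-negative condition described in this thread.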
chris.grady
Veeam Software
Posts: 4
Liked: never
Joined: Mar 09, 2021 2:08 pm
Full Name: Christopher Grady
Location: Atlanta, GA
Contact:

Re: SureBackup Sentinel ONe

Post by chris.grady »

BennyDC wrote: Dec 16, 2022 1:25 pm Hi,

Below is what I modified in the antivirusinfos.xml.
But I'm only sure about exit code 1639 ('No threats detected').
I didn't find any information about the other exit codes.

<Antiviruses>
  <AntivirusInfo Name='SentinelOne' IsPortableSoftware='false' ExecutableFilePath='C:\Program Files\SentinelOne\Sentinel Agent 22.1.4.10010\SentinelCtl.exe' CommandLineParameters='%Path% /clean-mode=None /no-symlink' RegPath='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelAgent' ServiceName='SentinelAgent' ThreatExistsRegEx='Threat\s+found' IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='No threats detected'>1639</ExitCode>
      <ExitCode Type='Error' Description='Invalid command line argument'>1</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was completed with errors'>2</ExitCode>
      <ExitCode Type='Error' Description='Antivirus scan was canceled'>4</ExitCode>
      <ExitCode Type='Infected' Description='Virus threat was detected'>3</ExitCode>
    </ExitCodes>
  </AntivirusInfo>
</Antiviruses>
Thanks for posting this! Over the course of the last year or so, have you happened to have it return anything besides 1639? Not sure if this is scheduled via SureBackup or a one-off restore, but I was hoping to confirm whether Veeam can respond appropriately if an error 3 or something similar is returned.

Re: SureBackup Sentinel ONe

Post by Dima P. »

Hello folks,

If you need to, you can perform a test with an EICAR test file, which should be detected by any AV software for testing purposes. Thank you!
AlexHeylin
Veteran
Posts: 563
Liked: 173 times
Joined: Nov 15, 2019 4:09 pm
Full Name: Alex Heylin
Contact:

Re: SureBackup Sentinel ONe

Post by AlexHeylin »

Did the EICAR test happen?
I see S1 got added to the default antivirusinfos.xml - but did anyone actually confirm it works first?

Case # 07138313 & https://hackerone.com/reports/2375430

(because I confirmed it doesn't)

Re: SureBackup Sentinel ONe

Post by Dima P. »

Hello Alex,

We've decided to add it anyway, since it was reported as stable by Veeam community folks. I am afraid Veeam support cannot help you with the question, but if you have an option to raise a ticket with the S1 team and ask them to validate the parameters, that would be extremely handy.

Re: SureBackup Sentinel ONe

Post by AlexHeylin »

Hi Dmitry,

The implementation that was done is stated above not to work. That was "known" before it was implemented. The implementation doesn't follow the latest "working" syntax above, although it's clear that even that doesn't work - and that it never can work due to the async scanning.

I think it's not appropriate for Veeam to be implementing security-critical parts of their products without testing them, and in a way which has produced false negatives.

I realise Veeam aren't going to support every AV / EDR, but IMO if you add it to the config file it should have been proved to work by SOMEONE first - even if that's not a Veeam employee (though it really should be). If you start adding community "solutions" into the product without testing them, you end up shipping a broken product - which Veeam are responsible for.

To be clear - as I said to Veeam support - I'm not asking Veeam for help to make it work - obviously they can't because it can't work. I'm reporting the security issue that this is supposed to work but produces false negatives (proven by testing in the support case). That's not just an issue for me - that's an issue for everyone using VBR and S1 who are currently being misled by the "no malware found" result which VBR shows.

On the 24th October 2023 you requested proof of an EICAR test before implementation.
Was that test result received by Veeam before implementing this into the main release code?

Thanks

Alex

Re: SureBackup Sentinel ONe

Post by Dima P. »

Hello Alex,

All AV integrations provided by the community get the experimental tag within our What's New document. S1 is no exception to this rule:
Additional antivirus integration — V12.1 adds experimental out-of-the-box integration with McAfee VirusScan Enterprise and SentinelOne Endpoint Security based on the input from Veeam community experts.

To be clear - as I said to Veeam support - I'm not asking Veeam for help to make it work - obviously they can't because it can't work. I'm reporting the security issue that this is supposed to work but produces false negatives (proven by testing in the support case).
Sure, and thank you for sharing it! I'll let the team know that the provided configuration does not work correctly and should be removed from the product completely.

Re: SureBackup Sentinel ONe

Post by AlexHeylin »

Hi Dmitry,
Unfortunately, there's no tag like "experimental" in the main docs (https://helpcenter.veeam.com/docs/backu ... ml?ver=120), so anyone reading them would expect that it works.

Can we get the docs updated ASAP to clearly state that this does not work and should not be used due to false negatives?

Thanks
Alex

Re: SureBackup Sentinel ONe

Post by Dima P. » 1 person likes this post

Alex,

Absolutely, I've already asked the technical writers' team to make the needed corrections!

Re: SureBackup Sentinel ONe

Post by AlexHeylin »

Great - thanks Dmitry!

Re: SureBackup Sentinel ONe

Post by AlexHeylin » 4 people like this post

SentinelOne have confirmed that their command line cannot do what VBR needs it to (hence the false negatives), and that they already have an enhancement request open for it to do so.

Re: SureBackup Sentinel ONe

Post by Dima P. » 1 person likes this post

Hello Alex,

While we do not have a working configuration for the XML file, we will go ahead and remove S1 from the setup. We will try to get in touch with the S1 team via our alliance channels in order to get some updates. Thank you for your help!
Vetsch
Lurker
Posts: 2
Liked: 1 time
Joined: Dec 20, 2023 1:30 pm
Contact:

Re: SureBackup Sentinel ONe

Post by Vetsch » 1 person likes this post

Any updates from S1 side?

Re: SureBackup Sentinel ONe

Post by Dima P. » 2 people like this post

No updates on a proper configuration, unfortunately, but we've received access to a lab with an S1 installation from the vendor, so we can start investigating the correct configuration parameters.

Re: SureBackup Sentinel ONe

Post by chris.grady »

AlexHeylin wrote: Feb 20, 2024 10:43 am SentinelOne have confirmed that their command line cannot do what VBR needs it to (hence the false negatives), and that they already have an enhancement request open for it to do so.
Glad to hear they have it on the roadmap. Since it seems like you use S1 in your environment, could the Sentinel command line utility be run as a custom script during SureBackup/Secure Restore? This may not be practical in certain environments, but the document below suggests the S1 CLI tool has a decent amount of customization in what it can scan and what results are returned when dealing with it directly through the CMD prompt:

https://www.sonicwall.com/support/knowl ... 074921170/

^ Folder-level and entire-volume scans are mentioned as supported via the command line, and at the very least, in theory, the results of the scan should be logged in the main S1 console at completion (an internet connection would likely be required, or at least some ports open, I'd imagine). Hardly a workaround IMO, but possibly better than nothing if that's what someone has invested in and doesn't trust Defender but wants to see if, for example, updated definitions from S1 catch something in an early snapshot of one of your systems.

Again, not ideal, but you could disconnect the NIC/disable the network on the line before running the scan in the script (then customize the return value and decide from there whether the network needs to be re-established for the main console to receive any info from the scan, and/or do further testing if need be).

If that seems feasible and you have the time to test it, feel free to share the results, and I will do the same if it's in our lab within my access (or possibly a free trial).

Thanks again for the info provided already thus far.

Side note: is 1639 'no threats found' totally bogus, or is that the only legit one that fits into the Veeam integration/XML structure?
jherlihy
Veeam Software
Posts: 10
Liked: 1 time
Joined: Nov 04, 2022 1:08 am
Full Name: John Herlihy
Contact:

Re: SureBackup Sentinel ONe

Post by jherlihy »

Hey Dima,

Is there any further update on the timeline for when SureBackup will fully support SentinelOne AV? Is the issue still with S1 to add capabilities to their product?
Dima P. wrote: May 22, 2024 8:14 pm No updates on a proper configuration, unfortunately, but we've received access to a lab with an S1 installation from the vendor, so we can start investigating the correct configuration parameters.
Cheers,
John
Egor Yakovlev
Product Manager
Posts: 2580
Liked: 708 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: SureBackup Sentinel ONe

Post by Egor Yakovlev » 1 person likes this post

Yes, S1 is still investigating their agent capabilities.
Maybe a good idea to push the feature request on their forums too.