Host-based backup of VMware vSphere VMs.
zacharylee
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2022 4:03 pm
Full Name: Zachary Lee
Contact:

Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by zacharylee »

Hello everyone,

I would like to create an antivirus XML configuration file for our company's antivirus program, CrowdStrike Falcon Sensor. I notice that in the Veeam help center, the default configuration file "only" has configurations for Symantec Protection Engine, ESET, Windows Defender, and Kaspersky Security 10. https://helpcenter.veeam.com/docs/backu ... ml?ver=110

We want this so that we can enable the antivirus scan option within our SureBackup jobs.

I approached our IT SecOps team, who then approached our third-party security provider, who then in turn approached CrowdStrike with the request. It turns out that CrowdStrike has not yet supported this/does not know of the solution for any customer.

I opened a Veeam case (05273309) and the support agent informed me that Veeam does not create custom scripts of configuration files. But he suggested that I open a case here on the Veeam forums to see if other users have faced the same thing and have a solution.

Does anyone have experience with creating the antivirus XML configuration file for a non-default antivirus program such as CrowdStrike?
Andreas Neufert
VP, Product Management
Posts: 7412
Liked: 1616 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by Andreas Neufert »

When the vendor supports a command line interface for scanning files and gives back feedback on this, then it is not complicated to write this. It is usually a one-liner for the command and some configuration + text for the UI when virus or no virus found.

https://helpcenter.veeam.com/docs/backu ... ml?ver=110

If CrowdStrike is interested to help you with this, let me know here and we can chat about the right contact details. There is even an option to integrate them in one of the next versions if they are willing to help with this.
zacharylee
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2022 4:03 pm
Full Name: Zachary Lee
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by zacharylee »

Hi Andreas,

Many thanks for your fast response.

I have emailed our IT SecOps team with this information for them to relay to CrowdStrike. Unfortunately in the position I am in, I need to go through them, they need to go through our 3rd-party who then goes to CrowdStrike. In case this thread becomes inactive/disabled before they respond, is there a support engineer that I would be able to email once I get someone from CrowdStrike lined up after working with our internal security guys?
Andreas Neufert
VP, Product Management
Posts: 7412
Liked: 1616 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by Andreas Neufert »

Just PM me here in the forum.
zacharylee
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2022 4:03 pm
Full Name: Zachary Lee
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by zacharylee »

Per CrowdStrike support:

"The EDR (Endpoint Detection and Response) solution from CrowdStrike does not work like traditional AV solutions.
Traditional AV products hook the file system via low-level drivers in order to enable the on-access scanning (OAS) of files written to and/or read from storage - interrupting those same writes as part of the process - hence the concern about file contention with other applications and potential data corruption, and thus the need for scanning exclusions in such products.

CrowdStrike on the other hand doesn’t scan files at rest. Instead it looks at executing processes for malicious activities."

Our company will be trying to integrate Windows Defender in conjunction with CrowdStrike as the next measure for trying to implement this feature within SureBackup.
Andreas Neufert
VP, Product Management
Posts: 7412
Liked: 1616 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by Andreas Neufert »

Andreas Neufert wrote: Feb 14, 2022 7:15 pm Just PM me here in the forum.
JZeigler
Lurker
Posts: 1
Liked: never
Joined: May 02, 2023 7:18 pm
Full Name: Jeremiah Zeigler
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by JZeigler »

I would be very interested if you have been able to make Crowdstrike work with Surebackups or if you have figured out how to make Microsoft Defender work in conjunction with Crowdstrike. Would you mind informing me on how you were able to make this happen?
zacharylee
Novice
Posts: 8
Liked: never
Joined: Feb 14, 2022 4:03 pm
Full Name: Zachary Lee
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by zacharylee »

Hi JZeigler,

In our case, as long as Windows Defender is enabled on the backup server + mount server, then Veeam will know to use Windows Defender with the default settings. We did not find a way to make CrowdStrike work with SureBackup.
rennerstefan
Veeam Software
Posts: 778
Liked: 177 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by rennerstefan »

Hi JZeigler,
zacharylee wrote: Feb 24, 2022 8:56 pm CrowdStrike on the other hand doesn’t scan files at rest. Instead it looks at executing processes for malicious activities.
This is the correct answer; to get a scanner to work with SecureRestore and SureBackup, they would need to have a CLI-based scan engine available, which some of the new ones don't have anymore as they don't scan files but monitor the process execution.

With that, Crowdstrike can't work today with SecureRestore.

Thanks
Stefan Renner

Veeam PMA
smannix
Novice
Posts: 4
Liked: 1 time
Joined: Mar 25, 2019 6:00 pm
Full Name: Steve Mannix
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by smannix »

Hello,

CrowdStrike now has a CLI scanner CSScanCLI.exe, but they have you rerun the command with a --status command and optional status ID (no ID returns all scan results).
They did say that the results are sent to their console.
Is there a way to get Veeam to run the status command afterward and report the results?

Thanks
rennerstefan
Veeam Software
Posts: 778
Liked: 177 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by rennerstefan »

Hi

Thanks for the update on CSScanCLI.exe.
No, currently there is no way to re-check a status with a second command after initial scan started.

I’ll take your feedback into some discussions.

Thanks
Stefan Renner

Veeam PMA
danielmx1
Novice
Posts: 7
Liked: 1 time
Joined: Mar 11, 2024 4:19 am
Full Name: Daniel Hernández
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by danielmx1 »

Hello Stefan.

Hey is there an update regarding your latest comment?

Thanks.
rennerstefan
Veeam Software
Posts: 778
Liked: 177 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by rennerstefan »

Hi Daniel,

No update as of today.
But we are regularly reviewing additional vendors to potentially add to the default XML.

Will update here once there is news.
Stefan Renner

Veeam PMA
geetansh
Influencer
Posts: 18
Liked: 4 times
Joined: Sep 26, 2024 1:25 pm
Full Name: GEETANSH GARG
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by geetansh »

Hello Stefan,

Please let us know if there's been any update on this.


Regards
Geetansh Garg
rennerstefan
Veeam Software
Posts: 778
Liked: 177 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by rennerstefan »

Hi,
No, there is no update on this.
We are talking to CrowdStrike about it, but at this point there is no update on whether this would fully work.
Thanks
Stefan Renner

Veeam PMA
gurpreethanda
Lurker
Posts: 1
Liked: never
Joined: Oct 22, 2025 12:06 am
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by gurpreethanda »

This XML doesn't work. It cannot find the antivirus. Please advise if this is wrong?

<Antiviruses>
  <!-- Windows Defender (Updated to Versioned Path) -->
  <AntivirusInfo Name="Windows Defender" IsPortableSoftware="false" ExecutableFilePath="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe" CommandLineParameters="-Scan -ScanType 1 -File %Path%" RegPath="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" ServiceName="WinDefend" ThreatExistsRegEx="found" IsParallelScanAvailable="false">
    <ExitCodes>
      <ExitCode Type="Success" Description="No threats detected">0</ExitCode>
      <ExitCode Type="Infected" Description="Threats detected">1</ExitCode>
    </ExitCodes>
  </AntivirusInfo>
</Antiviruses>
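
A lint for AntivirusInfo entries of the shape posted above, as an added example that is not part of the original post and is not Veeam's code. The function name `lint_antivirus_xml`, the list of expected attributes and the injectable `path_exists` check are assumptions of this example; the rule that `-File` belongs to `-ScanType 3` comes from MpCmdRun's own help text.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the entry as posted, with the root element closed so it parses.
POSTED = r'''<Antiviruses>
<AntivirusInfo Name="Windows Defender" IsPortableSoftware="false" ExecutableFilePath="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe" CommandLineParameters="-Scan -ScanType 1 -File %Path%" RegPath="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" ServiceName="WinDefend" ThreatExistsRegEx="found" IsParallelScanAvailable="false">
<ExitCodes>
<ExitCode Type="Success" Description="No threats detected">0</ExitCode>
<ExitCode Type="Infected" Description="Threats detected">1</ExitCode>
</ExitCodes>
</AntivirusInfo>
</Antiviruses>'''

# Assumption of this example: attributes the posted entry carries are treated as expected.
EXPECTED = ("Name", "ExecutableFilePath", "CommandLineParameters", "RegPath", "ServiceName")

def lint_antivirus_xml(text, path_exists=os.path.exists):
    """Return a list of (entry name, finding) pairs for every AntivirusInfo element."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [("<document>", f"not well-formed XML: {exc}")]
    findings = []
    for av in root.iter("AntivirusInfo"):
        name = av.get("Name", "<unnamed>")
        add = lambda msg: findings.append((name, msg))
        for attr in EXPECTED:
            if not av.get(attr):
                add(f"missing attribute {attr}")
        exe = av.get("ExecutableFilePath", "")
        args = av.get("CommandLineParameters", "")
        if exe and not path_exists(exe):
            add(f"executable not found: {exe}")
        if re.search(r"\\Platform\\\d+(\.\d+)+", exe):
            add("path pinned to a versioned Platform folder, which changes on Defender platform updates")
        if "%Path%" not in args:
            add("CommandLineParameters has no %Path% placeholder")
        m = re.search(r"-ScanType\s+(\d)", args, re.I)
        if exe.lower().endswith("mpcmdrun.exe") and "-file" in args.lower() and m and m.group(1) != "3":
            add(f"-File is only valid with -ScanType 3 (custom scan), found {m.group(1)}")
        types = {code.get("Type") for code in av.iter("ExitCode")}
        for needed in ("Success", "Infected"):
            if needed not in types:
                add(f"no ExitCode of Type {needed}")
    return findings
```

Run on the backup or mount server with the default `path_exists`, the executable check reflects that machine's real filesystem.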
david.domask
Product Manager
Posts: 3737
Liked: 909 times
Joined: Jun 28, 2016 12:12 pm
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by david.domask »

Hi gurpreethanda,

As we natively support Windows Defender in the XML configuration file, may I ask why you want to do a custom configuration?

It will work out of box without any edits required.
David Domask | Product Management: Principal Analyst
rennerstefan
Veeam Software
Posts: 778
Liked: 177 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by rennerstefan »

Hi
If one of the ones we have in the default XML does not work please raise a ticket and share the case ID.
At the same time I'll check with the relevant team.
Thanks
Stefan Renner

Veeam PMA
geetansh
Influencer
Posts: 18
Liked: 4 times
Joined: Sep 26, 2024 1:25 pm
Full Name: GEETANSH GARG
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by geetansh »

Hello,

Please let us know if there is any update on Crowdstrike functionality with Veeam.

Regards
Geetansh Garg
rennerstefan
Veeam Software
Posts: 778
Liked: 177 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by rennerstefan »

No, the crowdstrike one currently does not support what's needed.

Thanks
Stefan Renner

Veeam PMA
mpm@aramark
Influencer
Posts: 17
Liked: 2 times
Joined: Mar 27, 2024 12:37 pm
Full Name: Martin McDonnell
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by mpm@aramark »

I am curious. What is the end goal? Is CrowdStrike impacting backup functionality?
rin
Enthusiast
Posts: 26
Liked: 3 times
Joined: Jun 24, 2025 6:40 am
Full Name: Rintaro Tamura
Contact:

[MERGED] Questions about Secure Restore Antivirus Integration (CrowdStrike and CLI Behavior)

Post by rin »

Hi Team,

I have a couple of questions regarding the antivirus scan feature used by Secure Restore.

1. CrowdStrike support

I understand that Secure Restore can integrate with third-party antivirus software and that antivirus definitions are configured through AntivirusInfos.xml.

In my environment, I am using CrowdStrike Falcon.

Could you please clarify whether CrowdStrike Falcon is supported for Secure Restore antivirus scanning?

If CrowdStrike is not one of the predefined antivirus products in AntivirusInfos.xml, can it still be used with Secure Restore through a custom AntivirusInfos.xml configuration, provided that it supports command-line scanning?

If not, is CrowdStrike currently unsupported for Secure Restore antivirus scanning?

2. CLI integration behavior

The documentation states that the antivirus software must support a command-line interface (CLI).

Could you clarify how Veeam actually invokes the antivirus scan during Secure Restore?

My understanding is that Veeam executes the antivirus command defined in AntivirusInfos.xml and passes the mounted restore data location to the antivirus software for scanning.

Is this understanding correct?

I am not looking for implementation details or proprietary information. I would simply like to understand the expected integration method from a user perspective.

Thank you for your help.

Best regards,
Rin
vnikiforov
Veeam Software
Posts: 139
Liked: 47 times
Joined: Aug 17, 2022 5:03 am
Full Name: Vladimir Nikiforov
Location: Romania
Contact:

Re: Questions about Secure Restore Antivirus Integration (CrowdStrike and CLI Behavior)

Post by vnikiforov »

Hello, Rin,

As of today, CrowdStrike CLI is not supported due to its own architecture. It might change in the future; if so, it will be communicated separately.
Please refer to the previous discussions on that topic for more details.
---
BR,
Vladimir
Veeam Software
Mildur
Product Manager
Posts: 11950
Liked: 3393 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Antivirus XML Configuration File for CrowdStrike Falcon Sensor

Post by Mildur »

Topic merged
Product Management Analyst @ Veeam Software