12-15-2021 05:03 AM
Hello everyone,
In recent days, antivirus software has been installed on our server environment.
I get logs about copying files from these processors in the machines:
C:\Windows\System32\wbem\WmiPrvSE.exe
c:\windows\system32\vds.exe
C:\Program Files\Veritas\Backup Exec\RAWS\beremote.exe
c:\program files\veritas\backup exec\raws\beremote.exe
c:\windows\system32\wbem\wmiprvse.exe
I wanted to ask if the software uses these processors? Or should I worry about a break-in?
I must note that the logs come from other servers in the network.
A backup of course ran on these servers.
I would appreciate your help.
12-15-2021 05:13 AM
Not sure I fully understand what you're asking, however please refer to the following technote regarding the list of anti-virus exclusions to configure for Backup Exec:
https://www.veritas.com/support/en_US/article.100046324
We would also recommend you upgrade to the latest version of BE (currently 21.4), as since 20.4 Backup Exec has had a new feature called “Ransomware Resilience”, which provides an extra layer of security by blocking any non-Veritas process from writing to a backup disk or deduplication storage location. More info here:
https://www.veritas.com/support/en_US/article.100049101
if this is what you were referring to when you mentioned a break-in.
12-16-2021 02:16 AM
Hi, thanks for the answer,
What you sent me is a List of Anti-virus exclusions to configure for Backup Exec, and I need to know what the guest server exceptions are in the backup.
12-16-2021 02:30 AM
The third section of that technote does refer to remote clients (for processes) though I would be tempted to use the same exclusions as for the Backup Exec server - but only the files/folders/processes where they actually exist on the remote server, if that makes sense.