In recent days, antivirus software has been installed on our server environment.
I get logs about copying files from these processors in the machines:
C:\Windows\System32\wbem\WmiPrvSE.exe
c:\windows\system32\vds.exe
C:\Program Files\Veritas\Backup Exec\RAWS\beremote.exe
c:\program files\veritas\backup exec\raws\beremote.exe
c:\windows\system32\wbem\wmiprvse.exe
I wanted to ask if the software uses these processors? Or should I worry about a break-in?
I must note that the logs come from other servers in the network.
Of course, a backup ran on these servers.
I would appreciate your help.
Not sure I fully understand what you're asking, however please refer to the following technote regarding the list of anti-virus exclusions to configure for Backup Exec:
We would also recommend you upgrade to the latest version of BE (currently 21.4) as since 20.4 Backup Exec has had a new feature called “Ransomware Resilience”, which provides an extra layer of security by blocking any non-Veritas process from writing to a backup disk or deduplication storage location. More info here:
if this is what you were referring to when you mentioned a break-in.
The third section of that technote does refer to remote clients (for processes) though I would be tempted to use the same exclusions as for the Backup Exec server - but only the files/folders/processes where they actually exist on the remote server, if that makes sense.