Jump to content

Veeam Backup Error with MEP on Windows Server


GMSMRM
 Share

Recommended Posts

I have a few VMs running Windows server 2012 and 2016 that receive an error (see below) due to a locked file caused by Malewarebytes Endpoint Protection client.  This file is created by Veeam Backup and Recovery during the backup of my VM (C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe) but becomes locked and will not allow Veeam to delete the file when the backup process is completed. Then from that point on all backups fail. rebooting the VM is the only way to get MEP to release the file so I can delete it and, backup will work once again. 

In attempt to fix the issue I logged into my cloud account and attempted to create exclusions to stop MEP from scanning this file but nothing worked.

I tried:

- File by path: *VeeamGuestHelper.exe*

- Folder by Path: C:\Windows\VeeamVssSupport\*

- File by Path: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe

None of these resolved the issue. I did uninstall MEP on the server instances and Veeam backup worked perfectly after. As soon as I installed MEP again, within a day or two the issue occurred again. Strange part is I have MEP installed on 20 windows servers, all backed up with the same Veeam Backup software. but, I only seem to have issues on 3 servers repeatedly. Which makes it even that much more difficult to troubleshoot.

Any ideas to try? How can I tell if the exclusions are being sent to the host server?


 

Quote

7/28/2020 1:51:15 AM :: Processing GMS Intranet Error: Cannot upload guest agent's files to the administrative share  [\\GMS-INTRANET.GMSMRM.local\ADMIN$].
Cannot copy file. Source file: [C:\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamGuestHelpers\VeeamGuestHelper_X64.exe]. Target file: [\\myserver.mydomain.local\ADMIN$\VeeamVssSupport\VeeamGuestHelper.exe].
CopyFile() failed.
Win32 error:Access is denied.
 Code: 5  


 

Link to post
Share on other sites

Greetings,

I'm sorry you're experiencing trouble with the software, but we will do our best to help.  First, I would just like to make sure that we know which client software you are running on your servers.  Is it the same Endpoint Protection client you run on non-server systems, or is it the version specifically for servers described here?

Additionally, what happens if you disable the Ransomware Protection component, does the issue go away?  If not, does disabling any of the other protection modules alleviate the issue?

Please let us know.

Thanks

Link to post
Share on other sites

Hi,

Thank you for your response. I am running endpoint client v. 1.2.0.793 on the servers. At the time of purchase for these licenses I was not aware there was a different protection available specifically for servers. If that is not what I am licensed for then I will want to get them changed over. to answer your question, if I uninstall EP then the problem does go away. With my current setup, I do not see a place where I can disable the Ransomware competent. More to your other point. How can I tell which version of EP (desktop or server) that I currently have?

Link to post
Share on other sites

  • 1 year later...
  • 1 month later...

Hi all

where did this issue end ?

just installed the Cloud version on some Windows server 2012 R2 and on, the DC Ctrl ends up with this error with veeam backup. Reboot only option to get it ti work. 
anyone have a solution for an Old issue resurfaced ?

Link to post
Share on other sites

On 2/22/2022 at 9:05 AM, DPintaric said:

Hi all,

any solution here? We have the same issue, appeared a few weeks ago the first time. Before several months no issues. Seems like a new issue. Of course, we have clients and servers licensed.

Regards,

Denis

Hi Denis

Have you found a solution ?

E

Link to post
Share on other sites

10 hours ago, Porthos said:

It's probably best that you open a Support ticket so that someone from our team can assist you directly.

Business Support
https://service.malwarebytes.com/hc/en-us/requests/new

Thank you

If there is a solution, why not post it, so users are able to fix the issue ?

/E

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

12 hours ago, ElektroAdmin said:

Hi Denis

Have you found a solution ?

E

Hi ElektroAdmin,

the solution was to replace three files, the support engineer provided me. But it's a manual procedure. I'm not sure if the solution was implemented finally in the product and released as an official new build, or if the fix is still not in the current build.

- Denis

Link to post
Share on other sites

13 minutes ago, DPintaric said:

Hi ElektroAdmin,

the solution was to replace three files, the support engineer provided me. But it's a manual procedure. I'm not sure if the solution was implemented finally in the product and released as an official new build, or if the fix is still not in the current build.

- Denis

Thx. 
do you know which files was replaced ?

and what version are you running 

i’ve just created a case and waiting but i’m curious ?

Link to post
Share on other sites

55 minutes ago, ElektroAdmin said:

Thx. 
do you know which files was replaced ?

and what version are you running 

i’ve just created a case and waiting but i’m curious ?

Hi,

the problematic module is Anti-Ransomware (Behavior Protection).

The replaced files were:

ArwSdkShim.dll (version: 3.1.0.502)
Arwlib.dll (version: 3.1.0.970)
ArwControllerImpl.dll (version: 3.1.0.666)

I got them from support and those files are from Anti-Ransomware standalone, which doesn't show the issue.

But I have to figure out what the current state is. You can check the file version from the most current version with the version numbers above.

- Denis

Link to post
Share on other sites

1 hour ago, DPintaric said:

Hi,

the problematic module is Anti-Ransomware (Behavior Protection).

The replaced files were:

ArwSdkShim.dll (version: 3.1.0.502)
Arwlib.dll (version: 3.1.0.970)
ArwControllerImpl.dll (version: 3.1.0.666)

I got them from support and those files are from Anti-Ransomware standalone, which doesn't show the issue.

But I have to figure out what the current state is. You can check the file version from the most current version with the version numbers above.

- Denis

Thanks Denis,

Awesome Info.
I got these version of the files.
ArwControllerImpl.dll - 3.1.0.501
arwlib.dll - 3.1.0.970
ArwSdkShim.dll - 3.1.0.666

Which looks like it's not fixed in the latest version of the Cloud Agent for Windows.
I will try to switch off the Anti-Ransomeware feature, to see if actually works, then I can ask malwarebytes to provide that file.

thanks again.

/E

Link to post
Share on other sites

3 hours ago, ElektroAdmin said:

Thanks Denis,

Awesome Info.
I got these version of the files.
ArwControllerImpl.dll - 3.1.0.501
arwlib.dll - 3.1.0.970
ArwSdkShim.dll - 3.1.0.666

Which looks like it's not fixed in the latest version of the Cloud Agent for Windows.
I will try to switch off the Anti-Ransomeware feature, to see if actually works, then I can ask malwarebytes to provide that file.

thanks again.

/E

THIS IS NOT THE SOLUTION - but works temporary

Under policies edit group where the server is located, edit "Protection Settings" and disable "Behavior Protection" then the server's backup is stabilized and my error is gone.
Function: Behavior Protection
Description: Detects and blocks malware based on behavior analysis

So, from my point of view, it seems that it is "only" ArwSdkShim.dll (version: 3.1.0.502) that has a difference compared to your setup Denis.
This, of course, I will take on to Malwarebytes in my case ID.

Thanks Again Denis.

/ElektroAdmin

 

 

Link to post
Share on other sites

32 minutes ago, AdvancedSetup said:

It looks like this DLL change might not have been the fix. I highly suggest any business customers please open a support ticket so that we're able to assist you directly.

 

Business Support
https://service.malwarebytes.com/hc/en-us/requests/new

 

Thank you

 

Thank you for informing us. Well, very bad and sad that the issue is still there and not fixed yet. Very unsatisfying for business customers and partners, like us!

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.