Veeam Backup Error with MEP on Windows Server

[GMSMRM]

I have a few VMs running Windows server 2012 and 2016 that receive an error (see below) due to a locked file caused by Malewarebytes Endpoint Protection client.  This file is created by Veeam Backup and Recovery during the backup of my VM (C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe) but becomes locked and will not allow Veeam to delete the file when the backup process is completed. Then from that point on all backups fail. rebooting the VM is the only way to get MEP to release the file so I can delete it and, backup will work once again. 

In attempt to fix the issue I logged into my cloud account and attempted to create exclusions to stop MEP from scanning this file but nothing worked.

I tried:

- File by path: *VeeamGuestHelper.exe*

- Folder by Path: C:\Windows\VeeamVssSupport\*

- File by Path: C:\Windows\VeeamVssSupport\VeeamGuestHelper.exe

None of these resolved the issue. I did uninstall MEP on the server instances and Veeam backup worked perfectly after. As soon as I installed MEP again, within a day or two the issue occurred again. Strange part is I have MEP installed on 20 windows servers, all backed up with the same Veeam Backup software. but, I only seem to have issues on 3 servers repeatedly. Which makes it even that much more difficult to troubleshoot.

Any ideas to try? How can I tell if the exclusions are being sent to the host server?

 

Quote

7/28/2020 1:51:15 AM :: Processing GMS Intranet Error: Cannot upload guest agent's files to the administrative share  [\\GMS-INTRANET.GMSMRM.local\ADMIN$].
Cannot copy file. Source file: [C:\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamGuestHelpers\VeeamGuestHelper_X64.exe]. Target file: [\\myserver.mydomain.local\ADMIN$\VeeamVssSupport\VeeamGuestHelper.exe].
CopyFile() failed.
Win32 error:Access is denied.
 Code: 5  

 

[exile360]

Greetings,

I'm sorry you're experiencing trouble with the software, but we will do our best to help.  First, I would just like to make sure that we know which client software you are running on your servers.  Is it the same Endpoint Protection client you run on non-server systems, or is it the version specifically for servers described here?

Additionally, what happens if you disable the Ransomware Protection component, does the issue go away?  If not, does disabling any of the other protection modules alleviate the issue?

Please let us know.

Thanks

[CHMOD_777]

Hello @GMSMRM

 

I currently have a support ticket with you regarding this issue but haven't heard back from you.  I'll send you another follow-up on the case so that we can discuss further.

 

Warm Regards,

[GMSMRM]

Hi,

Thank you for your response. I am running endpoint client v. 1.2.0.793 on the servers. At the time of purchase for these licenses I was not aware there was a different protection available specifically for servers. If that is not what I am licensed for then I will want to get them changed over. to answer your question, if I uninstall EP then the problem does go away. With my current setup, I do not see a place where I can disable the Ransomware competent. More to your other point. How can I tell which version of EP (desktop or server) that I currently have?

[DPintaric]

Hi all,

any solution here? We have the same issue, appeared a few weeks ago the first time. Before several months no issues. Seems like a new issue. Of course, we have clients and servers licensed.

Regards,

Denis

[AdvancedSetup]

Hello @DPintaric

It's probably best that you open a Support ticket so that someone from our team can assist you directly.

Business Support
https://service.malwarebytes.com/hc/en-us/requests/new

Thank you

 

Edited April 25, 2022 by AdvancedSetup
Updated information

[eswendsen]

I believe this is the issue we are experiencing as well.

I have a ticket open, 3758792.

[ElektroAdmin]

Hi all

where did this issue end ?

just installed the Cloud version on some Windows server 2012 R2 and on, the DC Ctrl ends up with this error with veeam backup. Reboot only option to get it ti work. 
anyone have a solution for an Old issue resurfaced ?

[ElektroAdmin]

On 2/22/2022 at 9:05 AM, DPintaric said:

Hi all,

any solution here? We have the same issue, appeared a few weeks ago the first time. Before several months no issues. Seems like a new issue. Of course, we have clients and servers licensed.

Regards,

Denis

Hi Denis

Have you found a solution ?

E

[Porthos]

21 hours ago, ElektroAdmin said:

Have you found a solution ?

It's probably best that you open a Support ticket so that someone from our team can assist you directly.

Business Support
https://service.malwarebytes.com/hc/en-us/requests/new

Thank you

Edited April 25, 2022 by AdvancedSetup
Updated information

[ElektroAdmin]

10 hours ago, Porthos said:

It's probably best that you open a Support ticket so that someone from our team can assist you directly.

Business Support
https://service.malwarebytes.com/hc/en-us/requests/new

Thank you

If there is a solution, why not post it, so users are able to fix the issue ?

/E

Edited April 25, 2022 by AdvancedSetup
Updated information

[AdvancedSetup]

If it was a known issue we'd be more than happy to post a fix. In some cases, the cause is due to various different reasons. Thus the need to work one on one with you to find and resolve the issue.

Thank you

 

 

[ElektroAdmin]

Okay, I understand and Will create a case. 

[DPintaric]

12 hours ago, ElektroAdmin said:

Hi Denis

Have you found a solution ?

E

Hi ElektroAdmin,

the solution was to replace three files, the support engineer provided me. But it's a manual procedure. I'm not sure if the solution was implemented finally in the product and released as an official new build, or if the fix is still not in the current build.

- Denis

[ElektroAdmin]

13 minutes ago, DPintaric said:

Hi ElektroAdmin,

the solution was to replace three files, the support engineer provided me. But it's a manual procedure. I'm not sure if the solution was implemented finally in the product and released as an official new build, or if the fix is still not in the current build.

- Denis

Thx. 
do you know which files was replaced ?

and what version are you running 

i’ve just created a case and waiting but i’m curious ?

[DPintaric]

55 minutes ago, ElektroAdmin said:

Thx. 
do you know which files was replaced ?

and what version are you running 

i’ve just created a case and waiting but i’m curious ?

Hi,

the problematic module is Anti-Ransomware (Behavior Protection).

The replaced files were:

ArwSdkShim.dll (version: 3.1.0.502)
Arwlib.dll (version: 3.1.0.970)
ArwControllerImpl.dll (version: 3.1.0.666)

I got them from support and those files are from Anti-Ransomware standalone, which doesn't show the issue.

But I have to figure out what the current state is. You can check the file version from the most current version with the version numbers above.

- Denis

[ElektroAdmin]

1 hour ago, DPintaric said:

Hi,

the problematic module is Anti-Ransomware (Behavior Protection).

The replaced files were:

ArwSdkShim.dll (version: 3.1.0.502)
Arwlib.dll (version: 3.1.0.970)
ArwControllerImpl.dll (version: 3.1.0.666)

I got them from support and those files are from Anti-Ransomware standalone, which doesn't show the issue.

But I have to figure out what the current state is. You can check the file version from the most current version with the version numbers above.

- Denis

Thanks Denis,

Awesome Info.
I got these version of the files.
ArwControllerImpl.dll - 3.1.0.501
arwlib.dll - 3.1.0.970
ArwSdkShim.dll - 3.1.0.666

Which looks like it's not fixed in the latest version of the Cloud Agent for Windows.
I will try to switch off the Anti-Ransomeware feature, to see if actually works, then I can ask malwarebytes to provide that file.

thanks again.

/E

[ElektroAdmin]

3 hours ago, ElektroAdmin said:

Thanks Denis,

Awesome Info.
I got these version of the files.
ArwControllerImpl.dll - 3.1.0.501
arwlib.dll - 3.1.0.970
ArwSdkShim.dll - 3.1.0.666

Which looks like it's not fixed in the latest version of the Cloud Agent for Windows.
I will try to switch off the Anti-Ransomeware feature, to see if actually works, then I can ask malwarebytes to provide that file.

thanks again.

/E

THIS IS NOT THE SOLUTION - but works temporary

Under policies edit group where the server is located, edit "Protection Settings" and disable "Behavior Protection" then the server's backup is stabilized and my error is gone.
Function: Behavior Protection
Description: Detects and blocks malware based on behavior analysis

So, from my point of view, it seems that it is "only" ArwSdkShim.dll (version: 3.1.0.502) that has a difference compared to your setup Denis.
This, of course, I will take on to Malwarebytes in my case ID.

Thanks Again Denis.

/ElektroAdmin

 

 

[AdvancedSetup]

It looks like this DLL change might not have been the fix. I highly suggest any business customers please open a support ticket so that we're able to assist you directly.

 

Business Support
https://service.malwarebytes.com/hc/en-us/requests/new

 

Thank you

 

[DPintaric]

32 minutes ago, AdvancedSetup said:

It looks like this DLL change might not have been the fix. I highly suggest any business customers please open a support ticket so that we're able to assist you directly.

 

Business Support
https://service.malwarebytes.com/hc/en-us/requests/new

 

Thank you

 

Thank you for informing us. Well, very bad and sad that the issue is still there and not fixed yet. Very unsatisfying for business customers and partners, like us!