Crowdstrike keeps flagging bareos-fd


bro...@gmail.com

Dec 21, 2021, 3:07:47 AM
to bareos-users
Hi, 

I have a Windows Server 2012 server that runs bareos-fd to back up some folders from it. 

On the same machine I have the Crowdstrike Agent (malware/antivirus) that marks bareos as malware because it tries to remove a VSS copy. 


Sample output

Execution Details
DETECT TIME
20-12-2021 21:09:32
HOSTNAME
ROCJxxx
HOST TYPE
Server
USER NAME
xxx
SEVERITY
Medium
OBJECTIVE
Follow Through
TACTIC & TECHNIQUE
TECHNIQUE ID
T1490
IOA NAME
VolumeShadowSnapshotDeleted
IOA DESCRIPTION
A process attempted to delete a Volume Shadow Snapshot.
GROUPING TAGS
  • None
LOCAL PROCESS ID
1336
COMMAND LINE
"C:\Program Files\Bareos\bareos-fd.exe" /service
FILE PATH
\Device\HarddiskVolume2\Program Files\Bareos\bareos-fd.exe
EXECUTABLE SHA256
b3bc13e2b94474d70f22358130399d109a5f76cdc424b7aa902435d36234114e
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Unique
IOC MANAGEMENT ACTION
None
EXECUTABLE MD5
dd3d2f016176f79979fbce80e8413e8b
RUN PERIOD
START TIME
19-12-2021 01:13:05
END TIME
-
DURATION
Currently Running


Fileset: 

FileSet {
  Name = "xxx"
  Enable VSS = yes
  Include {
    Options {
      Signature = MD5
      Drive Type = fixed
      IgnoreCase = yes
      WildFile = "[A-Z]:/pagefile.sys"
      WildDir = "[A-Z]:/RECYCLER"
      WildDir = "[A-Z]:/$RECYCLE.BIN"
      WildDir = "[A-Z]:/System Volume Information"
      Exclude = yes
    }
    File = D:/xxx
    File = D:/xxx
    File = D:/xxx
    File = D:/xxx
    File = D:/conta
    File = D:/HR
    File = D:/MSAVE
  }
}


A process attempted to delete a Volume Shadow Snapshot.

Any ideas why bareos-fd tries to remove VSS?

Thank you

Claus E

Dec 21, 2021, 3:15:56 AM
to bareos...@googlegroups.com
Hi,

On 12/21/21 9:07 AM, bro...@gmail.com wrote:
> I have a Windows Server 2012 server that runs bareos-fd to back up some
> folders from it.
>
> On the same machine I have the Crowdstrike Agent (malware/antivirus)
> that marks bareos as malware because it tries to remove a VSS copy.

> Fileset:
>
> FileSet {
>   Name = "xxx"
>   Enable VSS = yes
>   Include {
>     Options {
>       Signature = MD5
>       Drive Type = fixed
>       IgnoreCase = yes
>       WildFile = "[A-Z]:/pagefile.sys"
>       WildDir = "[A-Z]:/RECYCLER"
>       WildDir = "[A-Z]:/$RECYCLE.BIN"
>       WildDir = "[A-Z]:/System Volume Information"
>       Exclude = yes
>     }
>     File = D:/xxx
>     File = D:/xxx
>     File = D:/xxx
>     File = D:/xxx
>     File = D:/conta
>     File = D:/HR
>     File = D:/MSAVE
>   }
> }
>
>
> *A process attempted to delete a Volume Shadow Snapshot.*
>
> Any ideas why bareos-fd tries to remove vss ?

You are using VSS in your fileset - and bareos has to clean-up after the
jobs.

--
Kind regards

Claus Eriksen
System administrator
Lynero ApS - Professional hosting for businesses

phone: +45 7020 1272
web: www.lynero.dk

Laurence Horrocks-Barlow

Dec 21, 2021, 4:16:59 AM
to bro...@gmail.com, bareos-users
Hi,

This is because you've configured a VSS-enabled job.

"Enable VSS = yes"

Thus Bareos will interact with Windows VSS: it's creating and then deleting its own VSS, so your anti-malware should be able to whitelist this.

-- Lauz
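As an added defender-side example (not Bareos or CrowdStrike code): parsing an "Execution Details" block like the one posted above and deciding whether a shadow-copy deletion comes from a pinned, known backup agent before treating it as expected clean-up rather than blanket-whitelisting the path. The allowlist, the label heuristic and the sample text are assumptions modelled on the thread.

```python
import re

# Constructed allowlist: backup agents expected to create and delete their own
# VSS snapshots, pinned to the SHA256 reported in the thread. Replace the hash
# with the one of the bareos-fd.exe actually deployed on your hosts.
KNOWN_BACKUP_AGENTS = {
    r"\device\harddiskvolume2\program files\bareos\bareos-fd.exe":
        "b3bc13e2b94474d70f22358130399d109a5f76cdc424b7aa902435d36234114e",
}

# Heuristic: a label line is upper-case words, optionally ending in digits
# (e.g. "EXECUTABLE SHA256"); values such as "T1490" or "Medium" do not match.
LABEL_RE = re.compile(r"[A-Z][A-Z &]+[0-9]*")


def parse_detection(text):
    """Map each label of a pasted 'Execution Details' block to its value."""
    fields, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if LABEL_RE.fullmatch(line):
            current, fields[current] = line, ""
        elif current is not None:
            fields[current] = (fields[current] + " " + line).strip()
    return fields


def triage(fields):
    """Decide whether a shadow-copy deletion is expected backup clean-up."""
    if fields.get("IOA NAME") != "VolumeShadowSnapshotDeleted":
        return "not-applicable"
    path = fields.get("FILE PATH", "").lower()
    expected_sha = KNOWN_BACKUP_AGENTS.get(path)
    if expected_sha is None:
        return "escalate: unknown process deleted a shadow copy"
    if fields.get("EXECUTABLE SHA256", "").lower() != expected_sha:
        return "escalate: allowlisted path but unexpected binary hash"
    return "expected: backup agent removing its own VSS snapshot"


# Constructed sample, abridged from the detection posted in the thread.
SAMPLE = """
IOA NAME
VolumeShadowSnapshotDeleted
COMMAND LINE
"C:\\Program Files\\Bareos\\bareos-fd.exe" /service
FILE PATH
\\Device\\HarddiskVolume2\\Program Files\\Bareos\\bareos-fd.exe
EXECUTABLE SHA256
b3bc13e2b94474d70f22358130399d109a5f76cdc424b7aa902435d36234114e
"""

if __name__ == "__main__":
    print(triage(parse_detection(SAMPLE)))
```

A binary at the allowlisted path with a different hash is escalated rather than suppressed, which is the case a path-only exclusion in the EDR would miss.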