Hi, I have a Windows Server 2012 server that runs bareos-fd to back up some folders from it.
On the same machine I have the CrowdStrike agent (malware/antivirus) that marks bareos as malware because it tries to remove a VSS copy.

Sample output:

Execution Details
DETECT TIME: 20-12-2021 21:09:32
HOSTNAME: ROCJxxx
HOST TYPE: Server
USER NAME: xxx
SEVERITY: Medium
OBJECTIVE: Follow Through
TACTIC & TECHNIQUE: Impact <https://falcon.crowdstrike.com/documentation/detections/tactic/impact-ta0040> via Inhibit System Recovery <https://falcon.crowdstrike.com/documentation/detections/technique/inhibit-system-recovery-t1490>
TECHNIQUE ID: T1490
IOA NAME: VolumeShadowSnapshotDeleted
IOA DESCRIPTION: A process attempted to delete a Volume Shadow Snapshot.
GROUPING TAGS: None
LOCAL PROCESS ID: 1336
COMMAND LINE: "C:\Program Files\Bareos\bareos-fd.exe" /service
FILE PATH: \Device\HarddiskVolume2\Program Files\Bareos\bareos-fd.exe
EXECUTABLE SHA256: b3bc13e2b94474d70f22358130399d109a5f76cdc424b7aa902435d36234114e
GLOBAL PREVALENCE: Common
LOCAL PREVALENCE: Unique
IOC MANAGEMENT ACTION: None
EXECUTABLE MD5: dd3d2f016176f79979fbce80e8413e8b
RUN PERIOD START TIME: 19-12-2021 01:13:05
END TIME: -
DURATION: Currently Running

Fileset:

FileSet {
  Name = "xxx"
  Enable VSS = yes
  Include {
    Options {
      Signature = MD5
      Drive Type = fixed
      IgnoreCase = yes
      WildFile = "[A-Z]:/pagefile.sys"
      WildDir = "[A-Z]:/RECYCLER"
      WildDir = "[A-Z]:/$RECYCLE.BIN"
      WildDir = "[A-Z]:/System Volume Information"
      Exclude = yes
    }
    File = D:/xxx
    File = D:/xxx
    File = D:/xxx
    File = D:/xxx
    File = D:/conta
    File = D:/HR
    File = D:/MSAVE
  }
}

*A process attempted to delete a Volume Shadow Snapshot.*

Any ideas why bareos-fd tries to remove VSS?

Thank you