Elastic Endpoint - Questionable snaps causing problems

Why is Endpoint creating snapshots on Windows Server 2016/19? This started with 8.5.1+ and has seriously messed up some of my legacy backups that rely on the Windows snapshot manager to process. I've had several fail as I'm having a conflict with times, as Endpoint is creating them without a schedule. This looks really suspicious...

Shadow copy has been created.

User SID: S-1-5-18
User name: NT AUTHORITY\SYSTEM
Process ID: 0x000000000000095c
Process image name: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe

What is enabled for endpoint:
Malware - Prevent
Ransomware - Prevent
Memory threat - Prevent
Malicious behavior - Prevent

On a policy that is a mirror of the same and Endpoint running 8.5.1, but in Detect only for Ransomware, Memory threat and Malicious behavior and with Malware in Prevent, it's not creating the snaps.

I was wondering why my storage space went up nearly 500Gb over a few days after the update and noticed that several hundred servers now have local snaps all starting just after the Endpoint agent was updated. It does remove them after 8 or so, but this was not an expected behavior that was accounted for. Downgrading the agent, the snaps no longer happen; upgrade and the snaps happen again.

In fact, it is a very suspicious behavior considering that, when searching the documentation, I did not find any information about this type of behavior, especially because shadow copy is a Windows feature. Have you updated the integrations for this agent? Were you able to examine the logs coming from that agent?

I'm sorry this is causing you trouble. These snapshots are created as a part of Endpoint's self-healing feature on Windows. There is a way for you to turn this off and to prevent the issue you're having. I opened a documentation update issue to document how to do that, and rather than restate it here I'll just link to it. I hope that helps.

One way to track it down is to check when the last snapshot was created on the machine and then narrow to a 5 second window. Not the quickest, but after the amount of noise you have to get through, you'll end up seeing Process image name: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe and it will have a few behind it, and you'll see it is the one that creates the snaps.

It has been confirmed by Daniel as it is part of Endpoint.
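The correlation the original poster describes (match each shadow copy's creation time against the "Shadow copy has been created" audit event within a few seconds, then read the process image name) can be scripted so it runs across a fleet instead of by hand. The PowerShell below is an added example and not code from the thread or from Elastic; it assumes the quoted audit record is Windows Security event ID 8222 and that object-access auditing is enabled so those events exist, and it reports per-volume shadow storage so the growth the poster noticed is visible in the same pass. The `$ProcessMatch` and `$WindowSeconds` parameters are the example's own names.

```powershell
# Added example, not from the original thread. Attributes existing shadow copies
# to the process that created them and reports shadow storage usage per volume.
# Assumption: the "Shadow copy has been created." record quoted in the thread is
# Security event ID 8222; adjust the Id if your auditing logs it differently.

param(
    [string]$ProcessMatch = 'elastic-endpoint.exe',  # image name of interest
    [int]$WindowSeconds   = 5                        # correlation window, as in the thread
)

# 1. Shadow-copy creation audit events, with the fields the poster quoted
#    parsed out of the message text.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 8222 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            Time  = $_.TimeCreated
            User  = if ($msg -match 'User name:\s+(.+)')              { $Matches[1].Trim() } else { $null }
            Pid   = if ($msg -match 'Process ID:\s+(0x[0-9a-fA-F]+)') { [Convert]::ToInt64($Matches[1], 16) } else { $null }
            Image = if ($msg -match 'Process image name:\s+(.+)')     { $Matches[1].Trim() } else { $null }
        }
    }

# 2. Shadow copies currently present on the host (InstallDate is the creation time).
$snaps = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    [pscustomobject]@{
        Id      = $_.ID
        Created = $_.InstallDate
        Volume  = $_.VolumeName
    }
}

# 3. For each snapshot, find the audit event inside the window and attribute it.
$report = foreach ($s in $snaps) {
    $hit = $events |
        Where-Object { [math]::Abs(($_.Time - $s.Created).TotalSeconds) -le $WindowSeconds } |
        Select-Object -First 1
    [pscustomobject]@{
        Created     = $s.Created
        Volume      = $s.Volume
        CreatedBy   = if ($hit) { $hit.Image } else { '(no audit event in window)' }
        User        = if ($hit) { $hit.User }  else { $null }
        # True when the creator matches the process the poster identified,
        # i.e. a snapshot not taken by the backup schedule.
        Unscheduled = [bool]($hit -and $hit.Image -like "*$ProcessMatch*")
    }
}

$report | Sort-Object Created | Format-Table -AutoSize

# 4. Shadow storage per volume: used vs. allocated vs. maximum, in GB.
#    Volume is a reference to Win32_Volume; DeviceID is its key.
Get-CimInstance -ClassName Win32_ShadowStorage | ForEach-Object {
    [pscustomobject]@{
        Volume      = $_.Volume.DeviceID
        UsedGB      = [math]::Round($_.UsedSpace / 1GB, 2)
        AllocatedGB = [math]::Round($_.AllocatedSpace / 1GB, 2)
        MaxGB       = [math]::Round($_.MaxSpace / 1GB, 2)
    }
} | Format-Table -AutoSize
```

Run it in an elevated session on an affected server; rows with `Unscheduled` set to True are the snapshots to reconcile against the backup product's own schedule, and the storage table gives the per-volume figure to watch after applying the setting Elastic documented.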
