Elastic Endpoint - Questionable snaps causing problems

PublicName · January 6, 2023, 12:27am

Why is Endpoint creating snap shots on Windows Server 2016/19? This started with 8.5.1+ and has seriously messed up some of my legacy backups that relay on the windows snap shots manager to process. I've had several fail as I'm having a conflict with times as Endpoint is creating without a schedule. This looks really suspicious...

Shadow copy has been created.

User SID: S-1-5-18
User name: NT AUTHORITY\SYSTEM
Process ID: 0x000000000000095c
Process image name: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe

What is enabled for endpoint:
Malware -Prevent
Ransomware -Prevent
Memory threat -Prevent
Malicious behavior -Prevent

On a policy that is a mirror of the same and Endpoint running 8.5.1 but in Detect only with Ransomware, Memory threat and Malicious behavior and with Malware in Prevent its not creating the snaps.

I was wondering why my storage space whet up nearly 500Gb over a few days after the update and noticed that several hundred servers now have local snaps all starting just after the endpoint agent was updated. It does remove them after 8 or size but this was not an expected behavior that was accounted for. Downgrading the agent the snaps no longer happen upgrade and snaps happen again.

wsouza · January 8, 2023, 1:40pm

In fact, it is a very suspicious behavior considering that, when searching the documentation, I did not find any information about this type of behavior. Even because shadow copy is a windows feature. Have you updated the integrations for this agent? Were you able to examine the logs coming from that agent?

ferullo · January 10, 2023, 7:44pm

I'm sorry this is causing you trouble. These snapshots are created as a part of Endpoint's self healing feature on Windows. There is a way for you to turn this off and to prevent problem issue you're having. I opened a documentation update issue to document how to do that and rather than restate it here I'll just link to it. I hope that helps.

PublicName · January 12, 2023, 8:48pm

One way to track it down is to check when the last snap shot was created on the machine and then narrow to a 5 second window. Not the quickest but the amount of noise you have to get through you'll end up seeing Process image name: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe and it will have a few behind it and you'll see it was the that creates the snaps.

It has been confirmed by Daniel as it is part of Endpoint.