VSS errors with endpoint

I get the error below in my application event log several times a minute at times if the endpoint features are enabled. It's a conflict with Macrium Reflect.

To reproduce:
Install free trial of Macrium: Macrium Software | Macrium Reflect Free Trial. Be sure to enable Image Guardian on the install.
Enable all the standard protections in the Elastic Defend policy.


Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.

Gathering Writer Data

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {cbd80fb4-1a49-467b-84fc-adcaae97be0c}

Hi @yak990,

Thanks for reaching out.

First thing, it doesn't sound like the same issue, but I want to let you know that 8.6.0 fixes an issue with Cluster Shared Volume VSS Writer generating Event ID 1544; however, that is reproducible without Macrium. If Macrium is required to reproduce the problem in your environment, or you are already running 8.6.0, then you are likely encountering a different issue.

Now on to Macrium:

From their website:

Macrium Image Guardian ensures that backup files created through the Reflect engine are always safe from unauthorized modifications

It sounds like Macrium is blocking access to Volume Shadow Copies. That will conflict with Endpoint's rollback self-healing feature, which maintains a handful of shadow copies. The first thing I would look for is a way to add C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe as an exception to Macrium. If that's not possible, you can try disabling rollback by setting windows.advanced.diagnostic.rollback_telemetry_enabled to false in advanced policy.

If you are a Platinum or Enterprise user and are using the rollback self-healing feature, you will need to disable it to avoid this error. You can do that by clearing the windows.advanced.alerts.rollback.self_healing.enabled field, restoring its default-disabled state.

Please let us know how things go.
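
An added example, not part of the original replies: one way to check from PowerShell whether the error quoted at the top of the thread stops after a Macrium exclusion or an Endpoint policy change. It matches on text taken from that error message; the `VSS` provider name filter and the 24-hour window are assumptions.

```powershell
# Added example: count the VSS "Access is denied" errors from this thread, per hour.
# Assumption: look back 24 hours; adjust to cover the time before and after the change.
$since = (Get-Date).AddHours(-24)

# Pull VSS errors from the Application log, then keep only the ones whose
# message matches the text quoted in the original post.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'VSS'      # assumption: events are logged under the VSS source
    Level        = 2          # 2 = Error
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'IVssWriterCallback' -and $_.Message -match '0x80070005'
    }

if (-not $events) {
    Write-Output "No matching VSS errors since $since"
}
else {
    # Bucket by hour so a drop after the change is visible at a glance.
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
        Format-Table -AutoSize

    # Show which writers were being queried when access was denied
    # (the "Writer Name:" line in the event text, e.g. System Writer).
    $events |
        ForEach-Object {
            if ($_.Message -match 'Writer Name:\s*(.+)') { $Matches[1].Trim() }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Name, Count |
        Format-Table -AutoSize
}
```

Run it once before the change and again afterwards; hours after the change should no longer appear in the first table.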


Thanks for the explanation. I ended up disabling Image Guardian, because you can't create exceptions for it. The idea is to keep everything out of the backup files, including antivirus software.
