Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

VSS Errors since CC Installation

FelixFelix Newbie ✭
edited January 2021 in Capture Client

Hi @ all!

Since we installed the Capture Client on a Terminalserver, the Server hangs multiple times a day, sometimes multiple times an hour

Source: VSS, EventIDs: 12297 and 12341

Text: something like "VSS Service error E/A writes cant be flushed"

Terminal Server, Virtual Machine, Windows Server 2016, Capture Client Version 3.1.1.311, SentinelOne Agent Version 4.1.5.97


Anyone has faced that problem before?


Thanks a lot!

//Felix

Category: Capture Client
Reply
Tagged:

Answers

  • PatrikPatrik Newbie ✭
    edited January 2021

    Hi Felix

    we have the same issue on several PC's. No solution yet.

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited January 2021

    Hi guys,

    I probably should not chime into this discussion, cause I'am somewhat of a Windows noob. The S1 Support Portal lists something that might be related:

    The SentinelOne Agent uses Windows VSS infrastructure as part of the rollback mitigation flow. This might cause interoperability issues with other backup solutions that use VSS. 

    In Windows Agents 2.7 and higher, you can exclude a specific VSS Writer from use by SentinelOne for rollback. 

    Note: If you exclude a VSS Writer, the Writer's data is not protected by the SentinelOne Agent.

    You must have the GUID of each VSS Writer.

    To get the GUID of the VSS Writers:

    On an endpoint, open the Command Prompt with Run as administrator.

    Run: vssadmin list shadows

    In the output, find: Type: ClientAccessibleWriters

    These are third-party VSS writers. (ApplicationRollback is SentinelOne. Do not touch these.)

    Copy the value of Contents of shadow copy set ID.

    To configure an exclusion for one or more specific VSS Writers:

    On an endpoint, open the Command Prompt with Run as administrator.

    Go to the folder that holds SentinelCtl.exe: cd C:\Program Files\SentinelOne\Sentinel Agent *

    Run: sentinelctl config -p agent.vssConfig.excludedVssWriters -v <guid1>, <guid2>,.....<guidn>

    Reload the Agent: 


    sentinelctl unload -a
    sentinelctl load -a
    

    --Michael@BWC

  • SuroopMCSuroopMC SonicWall Employee

    @Felix and @Patrik - I would not recommend making any command line changes on your endpoints without blessings from our Support team. Please ask for your case to be escalated to an SME - there is a newer S1 client that will require a reinstall of the Capture Client and the S1 Agents. But it is known to fix VSS errors and conflicts with Backup applications. Please try that before trying advanced settings like the above with VSS.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @SuroopMC

    having a new version with fixes is always the preferred way to go, I agreee on that.

    While you brought this up, where is this new S1 client you're talking about, latest offering through CC is 4.1.5.97, which is roughly 24 releases behind S1 native (latest GA 4.6.2.144)? In all fairness, that means no new release of the Threat Protection Engine for 6 Months.

    VSS related 
    Event viewer error: Event Viewer / Windows/ Application ID 517
    Error code '0x8078014D'
    
    resolved in 4.5.2, 4.6.1 and 4.7.1
    

    I can only imagine what the challenges are to implement new versions, but SNWL should pick up the pace, a Next-Gen Endpoint Protection solution is no longer Next Gen when not profitting from all capabilities (through S1) given.

    As always, just my € .02

    --Michael@BWC

  • SuroopMCSuroopMC SonicWall Employee

    @BWC - thank you for your candor as always. It's always good to have customers who provide critical feedback. Keeps us humble.

    The version drift was caused by other priority projects on our side which resulted in the release of CC 3.5 and the ability for MSSPs to manage global policies across their customers. That required a significant overhaul of our integration framework.

    The good news is that there aren't many significant protection updates with the version drift. And we will be fully up to speed with the latest agent very soon. After which we will be lock-step.

    The newest agent is a limited release 4.1.6.118 which we aren't offering via the console just yet because we have observed issues to upgrade from 4.1.5.97 to 4.1.6.118. That's why I recommended reaching out to support for it.

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited January 2021

    Hi @SuroopMC

    thanks as always and hopefully the thread creator can have his issue resolved.

    I don't wanna hijack this topic, but "The good news is that there aren't many significant protection updates with the version drift." isn't something I would sign and probably S1 gets d'accord. But I'll leave it there to avoid another post of mine gets erased.

    Just saying:

    The Windows Agent now detects the elevation of privilege vulnerability CVE 2020-1472, also known as Zerologon.

    Stay safe.

    --Michael@BWC

  • skesarwaskesarwa SonicWall Employee

    The S1 version 4.1.6.118 is now available on https://captureclient.sonicwall.com. Please follow KB :- https://www.sonicwall.com/support/knowledge-base/known-vss-conflict-with-s1-agent-4-1-5-97/210211070620687/

Sign In or Register to comment.