Why These Exclusions are Necessary
SentinelOne Singularity uses a deep monitoring agent that observes all file system and network activity in real time. Veeam Backup and Replication performs intensive disk I/O when reading virtual machine data or writing to a backup repository. If the security agent attempts to inspect every data block during a backup window, the resulting resource contention causes massive CPU spikes.
Backup throughput often falls by 50 percent or more when these systems conflict. You may also see job failures with errors like "The process cannot access the file because it is being used by another process." These exclusions allow Veeam to move data at line speed while maintaining the security posture of the rest of the operating system.
Where to Add Exclusions in the SentinelOne Management Console
Step 1: Access the Policy Menu
Log in to your SentinelOne Management Console. Click on the Sentinels icon in the main navigation sidebar on the left. This panel manages your endpoints, groups, and policies.
Step 2: Select the Correct Scope
Select the Policy tab from the top navigation bar. Choose the appropriate scope for your backup servers. You can apply these changes at the Global level, the Account level, or a specific Site. We recommend creating a dedicated Group for your backup infrastructure to apply these settings specifically.
Step 3: Create New Exclusions
Navigate to the Exclusions sub-tab within the Policy section. Click the New Exclusion button. You will be prompted to choose between Path, Hash, or Process exclusions. You must create separate entries for each type mentioned in the following sections.
The Recommended Exclusion List
Folder and Path Exclusions
Add a Path exclusion for the main Veeam installation directory. This is typically C:\Program Files\Veeam on the backup server and any managed proxies. Include the C:\ProgramData\Veeam folder, which stores critical job metadata and logs.
Exclude your backup repository volumes. If your backups are stored on a local drive like D: or E:, add that entire volume or the specific folder containing your .VBK and .VIB files. For servers using the Mount Server role for file-level restores, exclude the C:\VeeamFLR folder to prevent recovery failures.
If you use a scale-out backup repository or a WAN Accelerator, exclude the cache directories. These paths experience extremely high write volumes that can trigger behavioral alerts. If your configuration database is local, exclude the Microsoft SQL Server or PostgreSQL data folders as well.
Process and Executable Exclusions
Create Process exclusions for the core Veeam executables. These are the most critical settings for performance. Add Veeam.Backup.Service.exe and Veeam.Backup.Manager.exe to the list.
Include the VeeamAgent.exe process on all proxies and repositories. This process handles the actual data transport and is often the primary source of performance bottlenecks. Add Veeam.Backup.ProxyService.exe and VeeamTransportSvc.exe to ensure all backup components can communicate without interference.
When adding these processes, select the Interoperability mode in the SentinelOne configuration. This mode is specifically designed for high-performance applications that conflict with security drivers. It prevents the agent from injecting its monitoring code into the backup processes.
Verification and Testing
Check Policy Status
Go back to the Sentinels list in the SentinelOne console. Look at the Policy Status column for your backup servers. Ensure it shows as "Applied" or "Success," which indicates the agent has received the new exclusion rules.
Monitor Performance
Run a manual backup job and check the processing rate. Compare this to historical data from before the exclusions were added. You should see a noticeable increase in throughput and a decrease in CPU utilization on the backup server.
Review Agent Logs
Check the SentinelOne agent logs on the local machine at C:\ProgramData\Sentinel\logs. Ensure there are no recent entries indicating that Veeam processes are being blocked or throttled. You can also use PowerShell to check the service status by running Get-Service -Name SentinelAgent to ensure the system is still protected.
Common Pitfalls and Troubleshooting
A common mistake is using the "Detection Suppressed" mode instead of "Interoperability" or "Performance." Suppression only hides the alerts in the console while the agent continues to monitor and slow down the process. Always use the Interoperability mode for backup executables to resolve performance issues.
Verify that there are no typos in your file paths. SentinelOne is literal with its strings. Ensure that you have accounted for different drive letters if your proxies or repositories are configured differently than the main backup server. If an exclusion is not being honored, check if there is a higher-level policy at the Account or Global level that is overriding your Site settings.
Do not use broad wildcards like the asterisk (*) unless it is absolutely necessary. Be as specific as possible with your paths to ensure you do not leave the server vulnerable to other threats. Only exclude the folders and processes that are directly involved in the backup and recovery workflow.
Authoritative Documentation and Support
Always consult the latest documentation from both vendors to stay current with new software versions. SentinelOne provides detailed technical briefs and policy recommendations at https://www.sentinelone.com/resources/. These resources include updated process names for new versions of the security agent.
Veeam maintains a comprehensive list of required antivirus exclusions in their knowledge base under article KB1999. We recommend cross-referencing this article during your regular security audits. If you need assistance optimizing your backup performance or auditing your security policies, contact the InventiveHQ technical team for professional support.