Why Backup Servers Require Security Exclusions
Veritas NetBackup master and media servers perform high-volume data operations that often trigger behavioral alerts in EDR platforms. SentinelOne Singularity monitors every file read, write, and process execution to identify malicious patterns. When a backup job starts, NetBackup opens thousands of files per second to catalog and move data. This activity looks like a potential ransomware attack or data exfiltration attempt to a strict security agent.
Real-time scanning causes significant latency during the deduplication and encryption phases of a backup. If SentinelOne inspects every data block being written to a disk pool, the backup window will expand beyond its allotted time. This latency often results in NetBackup Status 41 (network connection timed out) or Status 42 (network read failed) errors. These failures occur because the backup processes cannot maintain the required data rate.
Security engineers must balance protection with operational stability. Blanket disabling of security agents on backup infrastructure is a significant risk. Instead, targeted exclusions allow NetBackup to function at full speed while SentinelOne continues to monitor for unauthorized access to the underlying operating system. This guide focuses on the specific paths and processes that require exclusion based on Veritas and SentinelOne best practices.
Navigating to Exclusions in the SentinelOne Console
To manage exclusions, you must have an Account or Site admin role within the SentinelOne Management Console. Policy changes should be applied at the Site or Group level to ensure they only affect backup infrastructure. Do not apply these broadly to workstations as it could create security gaps on end-user devices.
Step 1: Open the Sentinel Menu
Log in to your SentinelOne Management Console instance. Click on the Sentinels icon in the primary sidebar navigation. This icon typically looks like a magnifying glass or a computer monitor depending on your specific version.
Step 2: Access Policy Settings
Select the Settings tab from the top navigation bar within the Sentinels page. If you are managing multiple sites, ensure you have selected the correct site from the global scope picker at the top of the screen. Changes made here will affect all agents assigned to the active policy.
Step 3: Configure the Exclusion List
Click on the Exclusions tab located under the Settings header. You will see a list of existing exclusions organized by type. Click the New Exclusion button to begin adding NetBackup specific entries. You will be prompted to choose an exclusion mode, such as Suppress Alerts, Interoperability, or Performance.
NetBackup Path and Process Exclusions
The following lists include the default installation paths and critical binaries for Veritas NetBackup. Adjust these paths if your organization uses custom drive letters for NetBackup catalogs or binaries. It is critical to use the Interoperability mode for processes to ensure SentinelOne does not interfere with memory management.
Directory and Folder Exclusions
Excluding the entire NetBackup installation directory is often necessary on media servers handling heavy I/O. Set these as Path exclusions with the subfolder option enabled.
- C:\Program Files\Veritas\NetBackup\ (Main application directory)
- C:\Program Files\Veritas\NetBackupDB\ (Relational database and transaction logs)
- C:\Program Files\Veritas\Volmgr\ (Volume manager for tape drives)
- C:\Program Files\Veritas<a href="/glossary/text-diff" class="glossary-term-link" title="A comparison showing line-by-line or character-by-character changes between two versions of text.">Patch\ (Temporary update files)
- E:\NetBackup\Catalog\ (The location of your image metadata catalog)
- F:\MSDP\ (The storage path for your Media Server Deduplication Pool)
Process and Executable Exclusions
Adding these executables as process exclusions prevents SentinelOne from monitoring the memory space of the backup engine. This is the most effective way to resolve high CPU utilization issues. Use the Interoperability mode for these entries.
- bpbkar32.exe (The backup and archive process)
- bpcd.exe (The client daemon)
- bptm.exe (The tape management process)
- bpdm.exe (The disk management process)
- nbjm.exe (The job manager process)
- nbpemu.exe (The policy execution manager process)
- vnetd.exe (The network service daemon)
- nbdbms_srv.exe (The database server process)
Verifying the Exclusions on the Endpoint
After applying the policy in the console, you must verify that the agent on the backup server has received the update. This prevents situations where a network issue delays policy propagation. Verification can be done through the command line or the local agent UI.
Using the SentinelCtl Utility
Open an administrative PowerShell or Command Prompt on the Windows backup server. Navigate to the SentinelOne installation folder, which is typically C:\Program Files\SentinelOne\Sentinel Agent. Run the following command to check the active configuration.
.\sentinelctl.exe config -list
Look for the exclusions section in the output. This will display all paths currently being ignored by the engine. Ensure the NetBackup paths you added in the console appear exactly as they were entered. If they are missing, run the .\sentinelctl.exe control -u command to force a policy update.
Checking the Agent UI
If the local agent UI is enabled, right click the SentinelOne icon in the system tray. Select Show Monitor. Navigate to the policy or configuration tab. The UI should indicate that the agent is up to date with the latest timestamp from the Management Console.
Common Pitfalls and Troubleshooting
A common error is using the wrong exclusion mode. Suppress Alerts only hides notifications but does not stop the scanning engine from slowing down the process. You must use Performance mode for file paths and Interoperability mode for processes to see a measurable difference in backup speed.
Another mistake is neglecting to exclude temporary directories. NetBackup uses the Windows system TEMP folder for many operations during the catalog backup process. If your system drive is experiencing high I/O wait times during backups, consider moving the NetBackup temporary path to a dedicated drive and adding that drive to the exclusion list.
If exclusions appear to be ignored, verify that there are no conflicting policies. A policy at the Group level will override a policy at the Site level. Check the inheritance settings in the console to ensure your backup servers are actually member of the group where the exclusions were applied. You can also use the Test Exclusion feature in newer versions of SentinelOne to verify if a specific path is still being monitored.
Reference Documentation
For the most current list of binaries and recommended security settings, refer to the official SentinelOne and Veritas support portals. Veritas maintains an article titled "Security software and NetBackup" that is updated with every major version release. SentinelOne provides specific interoperability guides for database and backup applications within the technical documentation section of their resources site. Visit https://www.sentinelone.com/resources/ for official white papers on securing high performance server environments.