NOD Blocking Windows Backup

[Capp]

I am using 3.0.551.0 up-to-date.

I have scheduled to backup my outlook .pst file evernight to a network storage device.

NOD keeps killing it stating this:

2/3/2008 11:05:49 PM Real-time file system protection file probably unknown NewHeur_PE virus unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\ntbackup.exe.

This happens every single night.

I have even gone in and added the .exe to the exclusions list. If I manually run it, it works just fine, but the scheduled task gets killed every night.

Any ideas?

samples {at} eset {dot} sk

Report the false positive and send them the file.

My computers has no such file C:\WINDOWS\system32\ntbackup.exe
However , this feauture might not be installed here

[PaulB2005]

c:\windows\system32\ntbackup.exe exists here.

NOD32 doesn't detect it as a virus. However i'm using 3.0.621.0 up-to-date....

[proactivelover]

please install letest build v621 and send this file to eset support
i have xpsp3 but not any warning

[Capp]

Updated to newest version and samplet sent. We'll see tomorrow morning if it still happens.

I knew to submit it, but I didn't know the newest build was out just yet.

thanks for the heads-up

[Bubba]

Quote:

Originally Posted by Capp

Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\ntbackup.exe

Correct me if I am wrong but the issue is your PST file not ntbackup.exe, which is what the Event warning is saying.

For instance, I attempted to open a saved eicar file with notepad with the below results.

Quote:

Real-time file system protection file C:\Yb\download_unscanned\eicar.com.txt Event occurred during an attempt to access the file by the application: C:\WINNT\system32\notepad.exe.

It would not be notepad.exe that I would be concerned about in regards to exclusions, it would be that particular eicar txt file. Same as for your PST file IMMHO.

Here's one also where I performed a ntbackup on the eicar file....

Quote:

Real-time file system protection file C:\Yb\download_unscanned\eicar.com.txt Eicar test file cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINNT\system32\NTBACKUP.EXE

Excluding ntbackup or notepad is not the answer I would be looking for, it's what ever file was being accessed, either by notepad or ntbackup and in your case it's your nightly PST file.

By chance is your quarantine now plus one PST file ?

Also, is there possible malware in that PST file that Nod does not care for ?

Bubba

[Capp]

Good call Bubba. Didn't even think of that.

It is my business email so I dont get any viruses or malcious email. I never even get any spam (crosses fingers) lol.

Quite possible it just doesn't like something in there though. I'll try to add it to the exclusion list as well and see what happens.

Thanks

[Bubba]

If you make sure your context menu settings are fairly tight, in particular Advanced heuristics. Then via Windows Explorer attempt to do a context menu scan against that PST file, what happens ?

[Capp]

I essentially have the "Blackspear" settings. I did a context-menu scan of the single file and the entire folder and the only message I got at all was "Unable to open extend.dat", which isn't even a file I try to backup nightly.

As I mentioned above, if I manually use the XP Backup wizard to back up the file/folder 1 time, it works just fine. Its just when the scheduled task tries to activate is when it buggers up.

[Bubba]

Quote:

Originally Posted by Capp

if I manually use the XP Backup wizard to back up the file/folder 1 time, it works just fine. Its just when the scheduled task tries to activate is when it buggers up.

Hmmm, when you did it manually, were you sending it to this network storage device also ?

Is this PST file password protected ?

Will definetly watch this thread for further results but that's about the extent of my thoughts for now

[Capp]

I tried scanning it just sitting there, I tried copying it to network server, I tried manually using the backup.exe and all of them returned 0 results.

The PST is not password protected.

I can only reproduce this when it is done via the scheduler.

This is why I came here to see if anybody else had run into this before, because I had not. I have exhausted everything I know to check as well and can't figure out why its being deleted upon backup.

We'll just wait to see what happens.