NOD Blocking Windows Backup

Discussion in 'ESET NOD32 Antivirus' started by Capp, Feb 4, 2008.

Thread Status:
Not open for further replies.
  1. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I am using 3.0.551.0 up-to-date.

    I have scheduled to back up my Outlook .pst file every night to a network storage device.

    NOD keeps killing it stating this:

    2/3/2008 11:05:49 PM Real-time file system protection file probably unknown NewHeur_PE virus unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\ntbackup.exe.

    This happens every single night.

    I have even gone in and added the .exe to the exclusions list. If I manually run it, it works just fine, but the scheduled task gets killed every night.

    Any ideas?
     
  2. ASpace

    ASpace Guest

    samples {at} eset {dot} sk

    Report the false positive and send them the file.

    My computer has no such file C:\WINDOWS\system32\ntbackup.exe
    However, this feature might not be installed here.
     
  3. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    c:\windows\system32\ntbackup.exe exists here.

    NOD32 doesn't detect it as a virus. However, I'm using 3.0.621.0 up-to-date....
     
  4. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    Please install the latest build v621 and send this file to ESET support.
    I have XP SP3 but do not get any warning.
     
  5. Capp

    Capp Registered Member

    Updated to newest version and sample sent. We'll see tomorrow morning if it still happens.

    I knew to submit it, but I didn't know the newest build was out just yet.

    thanks for the heads-up :)
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Correct me if I am wrong but the issue is your PST file not ntbackup.exe, which is what the Event warning is saying.

    For instance, I attempted to open a saved eicar file with notepad with the below results.
    It would not be notepad.exe that I would be concerned about in regards to exclusions, it would be that particular eicar txt file. Same as for your PST file IMMHO.

    Here's one also where I performed a ntbackup on the eicar file....
    Excluding ntbackup or notepad is not the answer I would be looking for, it's whatever file was being accessed, either by notepad or ntbackup and in your case it's your nightly PST file.

    By chance is your quarantine now plus one PST file?

    Also, is there possible malware in that PST file that Nod does not care for?

    Bubba
     
  7. Capp

    Capp Registered Member

    Good call Bubba. Didn't even think of that.

    It is my business email so I don't get any viruses or malicious email. I never even get any spam (crosses fingers) lol.

    Quite possible it just doesn't like something in there though. I'll try to add it to the exclusion list as well and see what happens.

    Thanks :)
     
  8. Bubba

    Bubba Updates Team

    If you make sure your context menu settings are fairly tight, in particular Advanced heuristics. Then via Windows Explorer attempt to do a context menu scan against that PST file, what happens?
     
  9. Capp

    Capp Registered Member

    I essentially have the "Blackspear" settings. I did a context-menu scan of the single file and the entire folder and the only message I got at all was "Unable to open extend.dat", which isn't even a file I try to back up nightly.

    As I mentioned above, if I manually use the XP Backup wizard to back up the file/folder 1 time, it works just fine. It's just when the scheduled task tries to activate is when it buggers up.
     
  10. Bubba

    Bubba Updates Team

    Hmmm, when you did it manually, were you sending it to this network storage device also?

    Is this PST file password protected?

    Will definitely watch this thread for further results but that's about the extent of my thoughts for now :blink:
     
  11. Capp

    Capp Registered Member

    I tried scanning it just sitting there, I tried copying it to network server, I tried manually using the backup.exe and all of them returned 0 results.

    The PST is not password protected.

    I can only reproduce this when it is done via the scheduler.

    This is why I came here to see if anybody else had run into this before, because I had not. I have exhausted everything I know to check as well and can't figure out why it's being deleted upon backup. :)

    We'll just wait to see what happens.
     