NOD32 crashes server when Retrospect backup runs

Discussion in 'NOD32 version 2 Forum' started by phancock, Sep 1, 2006.

Thread Status:
Not open for further replies.
  1. phancock (Registered Member; Joined: Aug 21, 2006; Posts: 4)

    I have a NAS running Windows 2003 Appliance Edition that I just installed NOD32 on.

    I have never had problems with this server.

    I have a Retrospect backup server on my network which does nightly backups on this server.

    When I came in this morning it had recovered from a serious crash related to a driver issue?

    The backups ran at the exact time of this issue.

    I read an older thread with people having this same issue, something to do with a setup.log that gets scanned over and over again and relates to drivers.

    I need to know how to fix this. I use and recommend NOD32, but this would be a show stopper if I can't run my backups on servers that run NOD32.

    Please advise.
     
  2. agoretsky (Eset Staff Account; Joined: Apr 4, 2006; Posts: 4,032; Location: California)

    Re: NOD32 crashes server when Retrospect backup runs

    Hello,

    Have you tried excluding the directories containing the EMC Retrospect files from being scanned? If so, did this make any difference?

    Regards,

    Aryeh Goretsky
     
  3. phancock (Registered Member; Joined: Aug 21, 2006; Posts: 4)

    Re: NOD32 crashes server when Retrospect backup runs

    I will try this tonight and post back in the morning.
     
  4. diginsight (Security Expert; Joined: Feb 9, 2002; Posts: 225; Location: Netherlands)

    Re: NOD32 crashes server when Retrospect backup runs

    Before NOD32 I was using another AV and didn't have any problems with Retrospect. After removing the other AV and installing NOD32 I noticed svchost.exe using all resources. The system only became responsive after terminating svchost.exe. The error is recorded in the application event log:

    Event Type: Error
    Event Source: VSS
    Event Category: None
    Event ID: 8193
    Date: 24-9-2006
    Time: 20:25:11
    User: N/A
    Computer: XXXXX
    Description:
    Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007041d.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 42 55 45 43 58 4d 4c 43 BUECXMLC
    0008: 33 35 33 32 00 00 00 00 3532....
    0010: 42 55 45 43 58 4d 4c 43 BUECXMLC
    0018: 33 34 39 34 00 00 00 00 3494....

    Event Type: Error
    Event Source: Retrospect
    Event Category: None
    Event ID: 1
    Date: 24-9-2006
    Time: 20:25:11
    User: XXXXX\Backup Administrator
    Computer: XXXXX
    Description:
    Can't use Open File Backup option for Local Disk (C:), error -1017 (insufficient permissions)

    The problem isn't with permissions, because the backup user has administrative permissions and the problem only occurs with NOD32.

    Currently I don't have time to troubleshoot this issue (disable open file backup or exclusions and report it to NOD32 and EMC) so I replaced NOD32 with another AV that doesn't have issues with Retrospect.
     
  5. Marcos (Eset Staff Account; Joined: Nov 22, 2002; Posts: 14,374)

    Re: NOD32 crashes server when Retrospect backup runs

    Perhaps AMON is set to scan all files whereas the other AV wasn't?
     
  6. diginsight (Security Expert; Joined: Feb 9, 2002; Posts: 225; Location: Netherlands)

    Re: NOD32 crashes server when Retrospect backup runs

    IIRC AMON was configured according to BlackSpear's settings and the default is to scan all files. I'm going to switch AV again very soon. The problem can be reproduced very easily, so I can use a default NOD32 installation and see what happens under different settings. If it works I'll stick with NOD32 ;)
     
  7. diginsight (Security Expert; Joined: Feb 9, 2002; Posts: 225; Location: Netherlands)

    Re: NOD32 crashes server when Retrospect backup runs

    Re-installed NOD32 and the issue with Retrospect could be reproduced. In AMON I disabled the option "Scan all files" and after one day of testing I couldn't reproduce the issue.

    So it seems that NOD32 has issues with Retrospect and Open File backup (VSS) when the option "Scan all files" in AMON is enabled and the option "Back up open files" is enabled in Retrospect. FYI: I did not test disabling "Back up open files" with "Scan all files" enabled.

    I'll continue testing Retrospect with "Scan all files" disabled and report back to this topic if there are any new issues.
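
An added example, not part of any post in this thread: a Python script that reads an Application event log text dump in the layout quoted above and pairs VSS error 8193 with Retrospect "Open File Backup" errors logged within a minute of each other, to check whether the conflict recurs after the AMON setting is changed. The function names, the 60-second window and the day-month-year date format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: two trimmed records in the layout quoted in the thread, plus one invented non-match.
SAMPLE = """\
Event Type: Error
Event Source: VSS
Event ID: 8193
Date: 24-9-2006
Time: 20:25:11
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007041d.

Event Type: Error
Event Source: Retrospect
Event ID: 1
Date: 24-9-2006
Time: 20:25:11
Description:
Can't use Open File Backup option for Local Disk (C:), error -1017 (insufficient permissions)

Event Type: Error
Event Source: VSS
Event ID: 8193
Date: 25-9-2006
Time: 03:10:00
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007041d.
"""

def parse_events(text):
    """Split a text dump into one dict per 'Event Type:' record (indentation tolerated)."""
    events = []
    for chunk in re.split(r"(?m)^(?=[ \t]*Event Type:)", text):
        head, _, desc = chunk.partition("Description:")
        f = dict(re.findall(r"(?m)^\s*([A-Za-z ]+):[ \t]*(\S.*)$", head))
        if "Event Source" in f:
            # Assumption: dates are day-month-year, as in the events quoted above.
            f["when"] = datetime.strptime(f"{f['Date']} {f['Time']}", "%d-%m-%Y %H:%M:%S")
            f["Description"] = desc.strip()
            events.append(f)
    return events

def vss_backup_conflicts(events, window=timedelta(seconds=60)):
    """Pair VSS 8193 errors with Retrospect open-file errors logged within `window`."""
    vss = [e for e in events if e["Event Source"] == "VSS" and e.get("Event ID") == "8193"]
    bak = [e for e in events if e["Event Source"] == "Retrospect"
           and "Open File Backup" in e["Description"]]
    return [(v, b) for v in vss for b in bak if abs(v["when"] - b["when"]) <= window]
```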
     
  8. NOD32 user (Registered Member; Joined: Jan 23, 2005; Posts: 1,766; Location: Australia)

    Re: NOD32 crashes server when Retrospect backup runs

    This sounds right.

    The default configuration provided by ESET is set for a very high level of detection and compatibility, whereas BlackSpear's settings are tuned for maximum detection and automation.
    After you untick 'Scan all files' the default list of extensions to be scanned already includes all known types of executable extensions.

    In case you wish to read more there is a list of Microsoft documents here that discuss implementing anti-virus in a server environment.

    Cheers :)
     
  9. diginsight (Security Expert; Joined: Feb 9, 2002; Posts: 225; Location: Netherlands)

    Re: NOD32 crashes server when Retrospect backup runs

    My concern was that this list wasn't updated. Every year you see some new extensions that can carry malware like e.g. skins, jpg or pdf. According to AMON help "The set of file extensions to be scanned is constantly being updated and you are provided with regular updates as needed."


    Thanks for the pointer, but I'm using Retrospect on Windows XP :D I recently purchased Retrospect because I couldn't find any other backup software that meets my requirements.
     