NOD32 interfering with Volum Shadow Copy backups!

NOD32 on my Server 2003 is scanning the Volume shadow copyt as it is backed up.

For eaxample, I would like to EXCLUDE "\Device\HarddiskVolumeShadowCopy*"

However, as stated in an earlier thread (https://www.wilderssecurity.com/showthread.php?t=255934), this is not possible:
"Hello,

The path you tried to add: \Device\HarddiskVolumeShadowCopy* is not a valid path. It needs to be an actual file path."

Can ESET provide an explination please as to why NOD scans Volume Shadow Copy without the ability to exclude them?! Especially on a Server operating system??

I am also very curious why this issue is not more common!!

For example, all my default exclusions ( Exchange, SYSVOL, my Spam Quarantine fodler...) are completley ignored during a Volume Shadow Copy backup.

There must be a solution?

 

Yes, actually it is not possible to use this kind of syntax with our software when creating an exclusion, it is not possible to add exclusions with kernel path.

AFAIK, developers are planing to add this feature to some new version, but there isn't any time frame for it.

Hope this helps.

 

OK

The guy on the phone in queensland said "Of course you can use wild cards"

Anyway, I tried it and it didn't work.

So perhaps there is a scriptable method (bat, vbs... com, activeX... asp??) to disable AV for the duration of the backup.

Any hints much appreciated.

 

Just for clarification, wildcards are accepted. Make sure you have read this. Also, see the program's help documentation for additional information about how exclusions work.

Actually, it is not possible to use this kind of syntax with our software ("\Device\HarddiskVolumeShadowCopy*"). Maybe one way would be to set the SYTEM VARIABLES for those and use them in exclusion, it's the only way it may work.

 

Thanks Tony

Really not helpful. What 'system variables' for 'those' what?

'Not possible to use this kind of syntax'. Why? The antivirus finds infected files on the path '\Device\HarddiskVolumeShadowCopy121\Assp\'.
Why can't a wild card be put in place?

Not to mention lack of support for %systemroot% in the exclusion lists.

Is there any ESET support available where I can find actual customer care?

 

%systemroot%, %programfiles% etc. have all been requested many times. Some aren't available to ESET as the process runs as SYSTEM, but %systemroot% should be.

One of the best improvements ESET could make is to improve the flexibility for inclusion and exclusion - environment variables, true wildcards with subfolders, excluding processes, etc.

Doesn't help you much I know, but at least you're not alone....


Jim

 

Thanks Jim

Good to know

 

http://kb.eset.com/esetkb/index?pag...earch&viewlocale=en_US&searchid=1293110172932
"For instance, database and backup software should be excluded from the Real-time and On-demand scanners."

How is this not a maor issue for NAV running on a server?
I've just tested that the issue occurs also in ntbackup.
When I perform a backup, I want to do a backup. Not a full system scan!

The documentation tells me I should exclude backup software, so the question is: How do I exclude backup software?

 

Until NOD32 allows exclusion of processes......I don't think you can.

 

Is your Volume Shadow Copy Service started and running ?
Mine is not since I do not use the service.

 

I think that one starts on demand?

 

You mean as required, Jim ? If I used the service I would probably want mine on auto assuming I had enough RAM, if I'm going to be doing regularily scheduled back-ups, it probably would, since mince is stopped and I did not tweak this, the service status would need to be started at least.

 

On demand seems to be how it operates. I checked a few servers and they are all set to 'Manual'.

My VSS is fine, and if VSS was the issue then I don't think my backup software would have gotten very far.

I'm not sure where you're going with these considerations. But thanks anyway

 

On demand, Siljaline. There's a few of Windows Services which are set to Manual, and when you try to start them you get an error along the lines of "Windows will start this when it needs it". I have a feeling that VSS is one of them.

Might be a red herring, of course.



Jim

 

Agreed, Jim - if the service doesn't need to be started unless it is needed then it would be on demand. I concur.

Regards,

 

We use BackupExec here along with the BackupExec Agent installed on each of our servers. If I remember correctly, BackupExec starts the VSS service as part of it's backup process and then later the VSS stops itself when it's idle.

 

Running XP SP3 and I did check to see how VSS is set and I recall that I had decided to change the setting to "automatic" because I thought a backup program might need to have it running all the time.

I find that with one program I have running in real time (Memeo - which came with a Seagate USB drive), VSS is not started.

OTOH, I also have Macrium Reflect installed and when that runs, VSS is started.

It seems clear that VSS doesn't start on its own, but is started by whatever software needs it. It doesn't seem to matter that it is set to "automatic."