NOD32 interfering with Volume Shadow Copy backups!

Discussion in 'ESET NOD32 Antivirus' started by mlynchit, Dec 16, 2010.

Thread Status:
Not open for further replies.
  1. mlynchit

    mlynchit Registered Member

    Joined:
    Nov 20, 2010
    Posts:
    21
    NOD32 on my Server 2003 is scanning the Volume Shadow Copy as it is backed up.

    For example, I would like to EXCLUDE "\Device\HarddiskVolumeShadowCopy*"

    However, as stated in an earlier thread (https://www.wilderssecurity.com/showthread.php?t=255934), this is not possible:
    "Hello,

    The path you tried to add: \Device\HarddiskVolumeShadowCopy* is not a valid path. It needs to be an actual file path."

    Can ESET provide an explanation please as to why NOD scans Volume Shadow Copy without the ability to exclude them?! Especially on a Server operating system??

    I am also very curious why this issue is not more common!!

    For example, all my default exclusions (Exchange, SYSVOL, my Spam Quarantine folder...) are completely ignored during a Volume Shadow Copy backup.

    There must be a solution?
     
  2. tony_m

    tony_m Eset Staff Account

    Joined:
    Nov 22, 2010
    Posts:
    239
    Yes, actually it is not possible to use this kind of syntax with our software when creating an exclusion; it is not possible to add exclusions with a kernel path.

    AFAIK, developers are planning to add this feature to some new version, but there isn't any time frame for it.

    Hope this helps.
     
  3. mlynchit

    mlynchit Registered Member

    Joined:
    Nov 20, 2010
    Posts:
    21
    OK

    The guy on the phone in queensland said "Of course you can use wild cards"

    Anyway, I tried it and it didn't work.

    So perhaps there is a scriptable method (bat, vbs... com, activeX... asp??) to disable AV for the duration of the backup.

    Any hints much appreciated.
     
  4. tony_m

    tony_m Eset Staff Account

    Joined:
    Nov 22, 2010
    Posts:
    239
    Just for clarification, wildcards are accepted. Make sure you have read this. Also, see the program's help documentation for additional information about how exclusions work.

    Actually, it is not possible to use this kind of syntax with our software ("\Device\HarddiskVolumeShadowCopy*"). Maybe one way would be to set the SYSTEM VARIABLES for those and use them in the exclusion; it's the only way it may work.
     
  5. mlynchit

    mlynchit Registered Member

    Joined:
    Nov 20, 2010
    Posts:
    21
    Thanks Tony

    Really not helpful. What 'system variables' for 'those' what?

    'Not possible to use this kind of syntax'. Why? The antivirus finds infected files on the path '\Device\HarddiskVolumeShadowCopy121\Assp\'.
    Why can't a wild card be put in place?

    Not to mention lack of support for %systemroot% in the exclusion lists.

    Is there any ESET support available where I can find actual customer care?
     
  6. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    %systemroot%, %programfiles% etc. have all been requested many times. Some aren't available to ESET as the process runs as SYSTEM, but %systemroot% should be.

    One of the best improvements ESET could make is to improve the flexibility for inclusion and exclusion - environment variables, true wildcards with subfolders, excluding processes, etc.

    Doesn't help you much I know, but at least you're not alone....


    Jim
     
  7. mlynchit

    mlynchit Registered Member

    Joined:
    Nov 20, 2010
    Posts:
    21
    Thanks Jim

    Good to know :)
     
  8. mlynchit

    mlynchit Registered Member

    Joined:
    Nov 20, 2010
    Posts:
    21
    http://kb.eset.com/esetkb/index?pag...earch&viewlocale=en_US&searchid=1293110172932
    "For instance, database and backup software should be excluded from the Real-time and On-demand scanners."

    How is this not a major issue for NAV running on a server?
    I've just tested that the issue occurs also in ntbackup.
    When I perform a backup, I want to do a backup. Not a full system scan!

    The documentation tells me I should exclude backup software, so the question is: How do I exclude backup software?
     
  9. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Until NOD32 allows exclusion of processes......I don't think you can.
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Is your Volume Shadow Copy Service started and running ?
    Mine is not since I do not use the service.
     

  11. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I think that one starts on demand?
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You mean as required, Jim? If I used the service I would probably want mine on auto, assuming I had enough RAM. If I'm going to be doing regularly scheduled back-ups, it probably would; since mine is stopped and I did not tweak this, the service status would need to be started at least.

     
  13. mlynchit

    mlynchit Registered Member

    Joined:
    Nov 20, 2010
    Posts:
    21
    On demand seems to be how it operates. I checked a few servers and they are all set to 'Manual'.

    My VSS is fine, and if VSS was the issue then I don't think my backup software would have gotten very far.

    I'm not sure where you're going with these considerations. But thanks anyway
     
  14. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    On demand, Siljaline. There are a few Windows services which are set to Manual, and when you try to start them you get an error along the lines of "Windows will start this when it needs it". I have a feeling that VSS is one of them.

    Might be a red herring, of course.



    Jim
     
  15. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Agreed, Jim - if the service doesn't need to be started unless it is needed then it would be on demand. I concur.

    Regards,

     
  16. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    We use BackupExec here along with the BackupExec Agent installed on each of our servers. If I remember correctly, BackupExec starts the VSS service as part of its backup process and then later the VSS stops itself when it's idle.
     
  17. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    Running XP SP3 and I did check to see how VSS is set and I recall that I had decided to change the setting to "automatic" because I thought a backup program might need to have it running all the time.

    I find that with one program I have running in real time (Memeo - which came with a Seagate USB drive), VSS is not started.

    OTOH, I also have Macrium Reflect installed and when that runs, VSS is started.

    It seems clear that VSS doesn't start on its own, but is started by whatever software needs it. It doesn't seem to matter that it is set to "automatic."
     