
Failed Backups and TM's Real time scan


BillV

Aug 26, 2004, 9:29:09 AM
SBS Team,

Please let me know if anyone has had the same problem with backups failing.
I've posted previously with this problem and have checked the newsgroups for
others with the same trouble but have yet to find any similar posts.

The backup fails when it encounters a "bad" .eml file in the quarantine
folder and "skips" it. I thought it may be related to VSS so several weeks
ago I moved the quarantine folder from c:\program files\trend\smcf\quarantine
to d:\program files\trend\smcf\quarantine. Location change had no effect.

Even though the file is skipped and the system reports back a "Failed"
backup, the backup is actually complete and valid. I've been told to ignore
this error in previous posts. Is this just an incorrect alert that MS has yet
to correct?

Backup log posted below.

8/25/2004 9:00 PM
-------------------------------
Date: 8/25/2004
Time: 9:00 PM
User: SYSTEM
-------------------------------

Backup Runner started.
NTMS session started successfully.
EnumerateNtmsObject(NTMS_LIBRARY) succeeded.
Will enumerate on 3 media libraries found.
GetNtmsObjectInformation(NtmsLibraryInfo) succeeded.
GetNtmsObjectInformation(NtmsLibraryInfo) succeeded.
Found an enabled library.
InventoryNtmsLibrary(NtmsInventoryOmid) succeeded.
Identify Media completed
EnumerateNtmsObject(NTMS_MEDIA_TYPE) succeeded.
Will enumerate on 0 media types found.
GetNtmsObjectInformation(NtmsLibraryInfo) succeeded.
Found an enabled library.
InventoryNtmsLibrary(NtmsInventoryOmid) succeeded.
Identify Media completed
EnumerateNtmsObject(NTMS_MEDIA_TYPE) succeeded.
Will enumerate on 1 media types found.
GetNtmsObjectInformation(NtmsPhysicalMediaInfo) succeeded.
GetNtmsObjectInformation(NtmsMediaTypeInfo) succeeded.
Found a tape media type in the library (miniQIC).
Launching NTBackup: ntbackup.exe backup "@C:\Program Files\Microsoft Windows
Small Business Server\Backup\Small Business Backup Script.bks" /d "SBS Backup
created on 8/25/2004 at 9:00 PM" /v:yes /r:no /rs:no /hc:on /m normal /j
"Small Business Server Backup Job" /l:s /p "miniQIC" /UM
NTBACKUP LOG FILE: C:\Documents and Settings\SBS Backup User\Local
Settings\Application Data\Microsoft\Windows NT\NTBackup\data\backup05.log
=====================<BEGIN NTBACKUP LOG FILE>=====================
Backup Status
Operation: Backup
Active backup destination: miniQIC
Media name: "Media created 8/25/2004 at 9:01 PM"

Backup (via shadow copy) of "C: "
Backup set #1 on media #1
Backup description: "SBS Backup created on 8/25/2004 at 9:00 PM"
Media name: "Media created 8/25/2004 at 9:01 PM"

Backup Type: Normal

Backup started on 8/25/2004 at 9:06 PM.
Backup completed on 8/25/2004 at 10:38 PM.
Directories: 3762
Files: 45716
Bytes: 8,060,503,537
Time: 1 hour, 32 minutes, and 22 seconds
Backup (via shadow copy) of "D: "
Backup set #2 on media #1
Backup description: "SBS Backup created on 8/25/2004 at 9:00 PM"
Media name: "Media created 8/25/2004 at 9:01 PM"

Backup Type: Normal

Backup started on 8/25/2004 at 10:38 PM.
Warning: Unable to open "D:\Program
Files\Trend\SMCF\Quarantine\2004-08-25\09\24\Message412c93214fe6.original_eml_" - skipped.
Reason: Access is denied.


Backup completed on 8/25/2004 at 11:05 PM.
Directories: 974
Files: 12264
Bytes: 2,568,814,475
Time: 26 minutes and 36 seconds
Backup of "RAYLON1\Microsoft Information Store\First Storage Group"
Backup set #3 on media #1
Backup description: "SBS Backup created on 8/25/2004 at 9:00 PM"
Media name: "Media created 8/25/2004 at 9:01 PM"

Backup Type: Normal

Backup started on 8/25/2004 at 11:05 PM.
Backup completed on 8/25/2004 at 11:17 PM.
Directories: 4
Files: 6
Bytes: 1,342,350,224
Time: 12 minutes and 31 seconds
Backup (via shadow copy) of "System State"
Backup set #4 on media #1
Backup description: "SBS Backup created on 8/25/2004 at 9:00 PM"
Media name: "Media created 8/25/2004 at 9:01 PM"

Backup Type: Copy

Backup started on 8/25/2004 at 11:17 PM.
Backup completed on 8/25/2004 at 11:22 PM.
Directories: 257
Files: 2628
Bytes: 491,754,836
Time: 4 minutes and 35 seconds

----------------------

Verify Status
Operation: Verify After Backup
Active backup destination: miniQIC

Verify of "C:"
Backup set #1 on media #1
Backup description: "SBS Backup created on 8/25/2004 at 9:00 PM"
Verify started on 8/25/2004 at 11:23 PM.
Verify completed on 8/26/2004 at 1:24 AM.
Directories: 3762
Files: 45716
Different: 0
Bytes: 8,060,503,537
Time: 2 hours, 0 minutes, and 22 seconds

Verify of "D:"
Backup set #2 on media #1
Backup description: "SBS Backup created on 8/25/2004 at 9:00 PM"
Verify started on 8/26/2004 at 1:24 AM.
Verify completed on 8/26/2004 at 2:04 AM.
Directories: 974
Files: 12264
Different: 0
Bytes: 2,568,814,475
Time: 39 minutes and 50 seconds

Verify of "RAYLON1\Microsoft Information Store\First Storage Group"
Backup set #3 on media #1
Backup description: "SBS Backup created on 8/25/2004 at 9:00 PM"
Verify started on 8/26/2004 at 2:04 AM.
Verify completed on 8/26/2004 at 2:19 AM.
Directories: 4
Files: 0
Different: 0
Bytes: 1,342,350,224
Time: 15 minutes and 31 seconds

Verify of "System State"
Backup set #4 on media #1
Backup description: "SBS Backup created on 8/25/2004 at 9:00 PM"
Verify started on 8/26/2004 at 2:19 AM.
Verify completed on 8/26/2004 at 2:25 AM.
Directories: 257
Files: 2628
Different: 0
Bytes: 491,754,836
Time: 5 minutes and 28 seconds

----------------------

=======================<END NTBACKUP LOG FILE>=====================
NTBackup finished the backup with errors.

For more information about failed backups, see the article on
troubleshooting your backup at the following Web page:
http://go.microsoft.com/fwlink/?LinkId=18414

Backup ended at Thursday, August 26, 2004 2:25 AM
Backup Runner finished.

--
Thanks,
Bill V
SBS Rules!

BillV

Aug 26, 2004, 9:53:03 AM

Whoops... Forgot the part about Trend Micro's Real time scan.

It seems that on the days when the backup fails I have a Real Time Scan pop
up box on my desktop. The pop up lists 400+ viruses. ALL of the files listed
in the real time scan are in the \Device\HarddiskVolumeShadowCopy483\Program
Files\Trend\SMCF\Quarantine\2004-08-25\09\24\ folder. The "shadowcopyXXX" and
dates change for each post.

I purge the quarantine folder DAILY. I purge the BadMail folder DAILY (SP1
not yet installed). I also delete Shadow Copies from the c:\ - properties -
shadow copy screen DAILY. Usually I keep 2-3 days of shadow copies available.
Since NONE of my clients are on XP the shadow copy feature is not much help
for them, only for the backup routine.

Where are all of the 400+ viruses in the
\Device\HarddiskVolumeShadowCopy483... coming from???

It's not possible to exclude this file in Trend's Real Time Scan settings
because it's not an actual file location.

Any thoughts would be greatly appreciated.

Thanks,
Bill V
SBS Rules!

Chris Puckett [MSFT]

Aug 26, 2004, 12:16:33 PM
Try moving the quarantine to a folder outside:
- \Windows
- \Program Files
- \Documents and Settings

Then using the backup configuration wizard, choose to exclude this folder
from the backups.

Chris Puckett, MCSE
Microsoft Small Business Server Support


This posting is provided "AS IS" with no warranties, and confers no rights.

BillV

Aug 26, 2004, 12:31:01 PM
Chris,

Thanks for the reply. Are you saying to create a \smcf\quarantine folder in
the root directory possibly?

I think the real dilemma is how/where is the real time scan finding the 400+
viruses in the \Device\HarddiskVolumeShadowCopyXXx?

Is there a way to remove these files from shadow copy? They go back quite a
long time but the actual "shadow copies" in the c:\ - properties - shadow
copies are only a day or two old.

Thanks,
Bill V

Chris Puckett [MSFT]

Aug 26, 2004, 5:52:24 PM
Yes, move the quarantine folder so that it is not located under any of the
following paths on any drives:

- \Windows
- \Program Files
- \Documents and Settings

Then exclude the quarantine folder from the backup.
After the next backup runs, see if it reports that it completed
successfully.


As far as the viruses in the old shadow copies, try the following to remove
the old shadow copies:

1. Run "vssadmin list shadows > shadows.txt" (without quotes).
2. The shadows.txt file should then show you all of the
\Device\HarddiskVolumeShadowCopyXXX storage areas and when they were
created. You can use the dates in this output file to associate the
HarddiskVolumeShadowCopyXXX entries to the ones you want to remove in the
GUI. Note, you can also use the command "vssadmin delete shadows
/shadow=<shadow copy set id>" (without quotes) to delete the individual
previous versions.

3. Open the Computer Management console.
4. Right-click Shared Folders, point to All Tasks, and then click Configure
Shadow Copies.
5. Select a volume that has shadow copies enabled to view the shadow copies
of the selected volumes.
6. Then you can select the old ones and delete them.

7. You can also highlight the volumes and click the Settings button to
adjust the maximum size of the shadow copy storage area so you don't keep
as many old copies.


Chris Puckett, MCSE
Microsoft Small Business Server Support


This posting is provided "AS IS" with no warranties, and confers no rights.


BillV

Aug 27, 2004, 8:51:01 AM
Chris,

Thanks again for the reply. Here's what I did:
1. changed the quarantine folder to D:\trend\SMCF\Quarantine
2. Ran the backup wizard and excluded the folder
3. Ran the vssadmin command (results below)
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

Contents of shadow copy set ID: {c38d3fc0-f56d-4b5f-9bb9-c3c6ad7ca260}
Contained 1 shadow copies at creation time: 8/25/2004 7:00:11 AM
Shadow Copy ID: {beebbae3-1ecf-4cb3-a117-4e3d95ae3a29}
Original Volume:
(C:)\\?\Volume{43c63360-242a-11d8-8162-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy480
Originating Machine: raylon1.RaylonCorporation.local
Service Machine: raylon1.RaylonCorporation.local
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No
writers, Differential

Contents of shadow copy set ID: {4f99479c-2910-4b7b-9fda-1d87df1270bb}
Contained 1 shadow copies at creation time: 8/25/2004 12:00:13 PM
Shadow Copy ID: {0475c6ea-3628-4f0f-9735-63a5e500cd3b}
Original Volume:
(C:)\\?\Volume{43c63360-242a-11d8-8162-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy481
Originating Machine: raylon1.RaylonCorporation.local
Service Machine: raylon1.RaylonCorporation.local
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No
writers, Differential

Contents of shadow copy set ID: {24981e5b-5acf-49c1-88d6-09e1a23e33e3}
Contained 1 shadow copies at creation time: 8/26/2004 7:00:11 AM
Shadow Copy ID: {d5cdb63e-d941-496c-9744-e7e0a5c5ac78}
Original Volume:
(C:)\\?\Volume{43c63360-242a-11d8-8162-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy484
Originating Machine: raylon1.RaylonCorporation.local
Service Machine: raylon1.RaylonCorporation.local
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No
writers, Differential

Contents of shadow copy set ID: {d294aad7-e6e7-4287-9250-880e5c1741e6}
Contained 1 shadow copies at creation time: 8/26/2004 12:00:11 PM
Shadow Copy ID: {64f69881-b5db-42a0-afe9-ee9b4875d9ce}
Original Volume:
(C:)\\?\Volume{43c63360-242a-11d8-8162-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy485
Originating Machine: raylon1.RaylonCorporation.local
Service Machine: raylon1.RaylonCorporation.local
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No
writers, Differential

Contents of shadow copy set ID: {30d60353-9ba7-4f99-a0a6-0bd5d6ae5889}
Contained 1 shadow copies at creation time: 8/27/2004 7:00:12 AM
Shadow Copy ID: {5d0f20de-7678-4f17-8fb2-2b90224284f7}
Original Volume:
(C:)\\?\Volume{43c63360-242a-11d8-8162-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy488
Originating Machine: raylon1.RaylonCorporation.local
Service Machine: raylon1.RaylonCorporation.local
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No
writers, Differential

This morning the real time scan again listed 400+ virus messages in shadow
copy. When I review the list, they go back to April. So, I have 4+ months of
supposed shadow copy files that Trend is scanning but only 3 or so days of
actual shadow copies in computer management.

Maybe Trend has a saved file of shadow copy results somewhere? Make sense?

Thanks,
Bill V
SBS Rules!
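
Added example (not part of any post in this thread): a Python script that does the correlation step described above, mapping each \Device\HarddiskVolumeShadowCopyNNN number in saved "vssadmin list shadows" output to its set ID, shadow copy ID and creation time, then checking whether the device number in a real-time-scan alert path is in that list. The function names are hypothetical; the sample holds two sets abbreviated from the output posted above plus one constructed alert path.

```python
import re

# Two sets abbreviated from the vssadmin output posted above (other fields omitted).
SAMPLE = r"""
Contents of shadow copy set ID: {4f99479c-2910-4b7b-9fda-1d87df1270bb}
   Contained 1 shadow copies at creation time: 8/25/2004 12:00:13 PM
      Shadow Copy ID: {0475c6ea-3628-4f0f-9735-63a5e500cd3b}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy481
Contents of shadow copy set ID: {24981e5b-5acf-49c1-88d6-09e1a23e33e3}
   Contained 1 shadow copies at creation time: 8/26/2004 7:00:11 AM
      Shadow Copy ID: {d5cdb63e-d941-496c-9744-e7e0a5c5ac78}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy484
"""
# First path is the folder quoted in the thread; the second is constructed for contrast.
ALERTS = [
    r"\Device\HarddiskVolumeShadowCopy483\Program Files\Trend\SMCF\Quarantine\2004-08-25\09\24",
    r"\Device\HarddiskVolumeShadowCopy481\Program Files\Trend\SMCF\Quarantine\sample.eml",
]

SET_RE = re.compile(r"shadow copy set ID:\s*(\{[0-9a-fA-F-]+\})")
TIME_RE = re.compile(r"creation time:\s*(.+?)\s*$")
ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
DEV_RE = re.compile(r"HarddiskVolumeShadowCopy(\d+)")

def parse_shadows(text):
    """Map device number -> set ID, shadow copy ID and creation time."""
    shadows, set_id, created, shadow_id = {}, None, None, None
    for line in text.splitlines():
        if m := SET_RE.search(line):        # new set: reset per-set state
            set_id, created, shadow_id = m.group(1), None, None
        elif m := TIME_RE.search(line):
            created = m.group(1)
        elif m := ID_RE.search(line):       # a set can hold several copies
            shadow_id = m.group(1)
        elif "Shadow Copy Volume:" in line and (m := DEV_RE.search(line)):
            shadows[int(m.group(1))] = {
                "set_id": set_id, "shadow_id": shadow_id, "created": created}
    return shadows

def check_alerts(alert_paths, shadows):
    """Return (device number, matching entry or None) for each alert path."""
    results = []
    for path in alert_paths:
        m = DEV_RE.search(path)
        n = int(m.group(1)) if m else None  # None: not a shadow-copy path
        results.append((n, shadows.get(n)))
    return results

if __name__ == "__main__":
    listed = parse_shadows(SAMPLE)
    for n, entry in check_alerts(ALERTS, listed):
        status = f"created {entry['created']}" if entry else "not in vssadmin list"
        print(f"ShadowCopy{n}: {status}")
```

Run against the full listing posted above, the parsed device numbers are 480, 481, 484, 485 and 488; 483, the number in the scan alert path quoted earlier, is not among them.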

Chris Puckett [MSFT]

Aug 27, 2004, 2:58:11 PM

I cannot find any explanation as to why Trend Micro's real time scan would
know about volume shadow copies that have been deleted from vssadmin.

You could try disabling and enabling shadow copies on the volume in
question. However, if you do this, it will permanently delete the existing
shadow copies that you can go back to.
