
freeze/thaw VSS failures when Sophos AV is utilized

Unitrends has an article (5520, https://support.unitrends.com/UnitrendsBackup/s/article/ka040000000PmjMAAS/000005520?_ga=2.69789140.576488646.1505169382-1745831295.1501935182) on getting freeze/thaw VSS failures on devices running Sophos A/V when doing backups. 

I've got one server experiencing this with Unitrends. I've got another server with Windows Server Backups that keep failing, but I haven't tried uninstalling Sophos on the 2nd one yet to verify that this is the same issue.

 

Is there any official word from Sophos on this? Has anyone else experienced this?

 



  • We're having a similar issue with Unitrends backup at our remote site. The Unitrends backups fail intermittently for our servers and there is no apparent rhyme or reason. Running the command vssadmin list writers from an elevated command prompt always shows several of the VSS writers in a failed state, including the System Writer.

    Sophos' answer is to add the following exception to the servers' policy:

    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\ or GLOBALROOT\Device\HarddiskVolumeShadowCopy*\

    Note: per Sophos support, it does not work if you add it to the global exceptions

    http://sophos.com/kb/126726

    Unfortunately, this solution has not worked for us and the problem appears to be getting worse with backups failing more frequently.
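
An added example, not part of the original thread and not code from Sophos or Unitrends: a PowerShell function that parses the text of `vssadmin list writers` (the command mentioned in the post above) and reports writers that are not in the Stable state with no error, so writer health can be recorded before each backup window. `Get-VssWriterState` is a hypothetical helper name, the sample output is constructed, and English-language `vssadmin` output is assumed.

```powershell
# Hypothetical helper (the name is an assumption): turn the text printed by
# `vssadmin list writers` into one object per writer.
function Get-VssWriterState {
    param([string[]]$Lines)
    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match "^\s*Writer name:\s*'(.+)'") {
            # A new writer block starts; store the previous one first.
            if ($null -ne $current) { $writers += [pscustomobject]$current }
            $current = [ordered]@{ Name = $Matches[1]; State = $null; LastError = $null }
        } elseif ($null -ne $current -and $line -match '^\s*State:\s*\[\d+\]\s*(.+?)\s*$') {
            $current.State = $Matches[1]
        } elseif ($null -ne $current -and $line -match '^\s*Last error:\s*(.+?)\s*$') {
            $current.LastError = $Matches[1]
        }
    }
    if ($null -ne $current) { $writers += [pscustomobject]$current }
    $writers
}

# Constructed sample output (Writer Id lines omitted). On a server, run from an
# elevated prompt while no backup is in progress:  $raw = vssadmin list writers
$raw = @'
Writer name: 'System Writer'
   State: [7] Failed
   Last error: Timed out

Writer name: 'Registry Writer'
   State: [1] Stable
   Last error: No error
'@ -split '\r?\n'

# Healthy means State "Stable" and Last error "No error". Report the rest with a
# timestamp so it can be matched against VSS entries in the Application event log.
$unhealthy = @(Get-VssWriterState -Lines $raw |
    Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' })
if ($unhealthy.Count -gt 0) {
    Write-Warning ("{0:s} {1} VSS writer(s) not healthy" -f (Get-Date), $unhealthy.Count)
    $unhealthy | Format-Table Name, State, LastError -AutoSize
}
```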

  • I opened a case with Sophos last month. Apparently it's been escalated to development, but so far no fixes that I've heard of. The workaround that works for me now, and as per Sophos Support, is:

     

    1. Disable Tamper Protection on the affected servers
    2. Open Services.msc on each server
    3. Stop and Disable the Sophos Health service
    4. Reboot server and test backups

  • Thanks James. I am trying that today. I will post how it goes tomorrow after the backup finishes.

  • Before a backup is about to begin, it might be worth running:

    vsstrace.exe -l 255 -o C:\trace.txt

    as detailed here:

    https://blogs.technet.microsoft.com/askcore/2012/04/29/how-to-vss-tracing/

    If you have a log of that when it works and fails, it might give more insight.  I assume you get an Application event log entry from VSS when it fails to correlate times.

    Regards,

    Jak

  • This solution worked for me. The backups have been successful ever since I applied it. Thanks again!

  • Thanks for your workaround James. We also have freeze / thaw VSS failures on a regular basis across 10 servers being backed up. On average we will get at least one error across the 10 servers 50% of the time. Would you be able to help me with one or two questions please?

    1. Is there an update on a resolution to this problem?
    2. Once the Sophos Health service is disabled, how do I know if Sophos is working correctly? Is the only way to do a manual check?
    3. I thought I could set up a task to stop and start the service on a schedule but the tamper protection would prevent it. Is there any way around this? I don't want to leave tamper protection off.
    4. Should I also exclude Volume Shadow Copies from on access scans?
    5. Windows Server 2008 servers do not seem to suffer from this problem, only 2012. Has anybody else noticed this?

     

  • As far as I am aware, Sophos Development are in conversation with Microsoft.  Hopefully there will be an update soon.

    Regards

    Jak

  • Bump. I hate being put in a position to choose between backup and antivirus reporting. This isn't acceptable.

  • As a workaround it would be great to have a possibility to schedule the "disable Tamper Protection" at a certain time in Sophos managed central.

    Then we can add a pre backup job to the IASO backup systemstate backup job to disable the Sophos Health services and we do a post job to enable the health service and Tamper Protection.

  • Hi Everyone,

    The reported issue (WINEP-8974) is being worked on by development and we are awaiting an update from Microsoft on this. We will be updating this thread with further developments.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support
