freeze/thaw VSS failures when Sophos AV is utilized

We're having a similar issue with Unitrends backup at our remote site. The Unitrends backups fail intermittently for our servers and there is no apparent rhyme or reason. Running the command vssadmin list writers form an elevated command prompt always shows several of the vss writers in a failed state, including the System Writer.

Sophos answer is to add the following exception to the servers' policy:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\ or GLOBALROOT\Device\HarddiskVolumeShadowCopy*\

Note: per Sophos support, it does not work if you add it to the global exceptions

http://sophos.com/kb/126726

Unfortunately, this solution has not worked for us and the problem appears to be getting worse with backups failing more frequently.

I've opened a case with Sophos last month. Apparently its been escalated to development, but so far no fixes that I've heard of. the workaround that works for me now, and as per Sophos Support is:

• 1. Disable Tamper Protection on the affected servers
• 2. Open Services.msc on each server
• 3. Stop and Disable the Sophos Health service
• 4. Reboot server and test backups

Thanks James. I am trying that today. I will post how it goes tomorrow after the backup finishes.

before a backup is about to begin, it might be worth running:

vsstrace.exe -l 255 –o C:\trace.txt

as detailed here:

https://blogs.technet.microsoft.com/askcore/2012/04/29/how-to-vss-tracing/

If you have a log of that when it works and fails, it might give more insight.  I assume you get an Application event log entry from VSS when it fails to correlate times.

Regards,

Jak

This solution worked for me. The backups have been successful ever since I applied. Thanks again!

Thanks for your workaround James. We also have freeze / thaw VSS failures on a regular basis across 10 servers being backed up. On average we will get at least one error across the 10 servers 50% of the time. Would you be able to help me with one or two questions please?

1. Is there an update on a resolution to this problem?
2. Once the Sophos Health service is disabled, how do I know if Sophos is working correctly? Is the only way to do a manual check?
3. I thought I could set up a task to stop and start the service on a schedule but the tamper protection would prevent it. Is there any way around this? I don't want to leave tamper protection off.
4. Should I also exclude Volume Shadow Copies from on access scans?
5. Windows server 2008 servers do not seem to suffer from this problem only 2012. Has anybody else noticed this?

As far as I am aware, Sophos Development are in conversation with Microsoft.  Hopefully there will be an update soon.

Regards

Jak

Bump. I hate to being put in position to choose between backup and antivirus reporting. This isn't acceptable.

Hi Everyone,

The reported issue (WINEP-8974) is being worked by development and we are awaiting an update from Mircosoft on this. We will be updating this thread with further developments.