freeze/thaw VSS failures when Sophos AV is utilized

Unitrends has an article (5520, on getting freeze/thaw VSS failures on devices running Sophos A/V when doing backups. 

I've got one server experiencing this with Unitrends. I've got another server with Windows Server Backups that keep failing , but I haven't tried uninstalling Sophos on the 2nd one yet to verify that this this the same issue.


is there any official word from Sophos on this? Has anyone else experienced this? 


  • We're having a similar issue with Unitrends backup at our remote site. The Unitrends backups fail intermittently for our servers and there is no apparent rhyme or reason. Running the command vssadmin list writers form an elevated command prompt always shows several of the vss writers in a failed state, including the System Writer.

    Sophos answer is to add the following exception to the servers' policy:

    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\ or GLOBALROOT\Device\HarddiskVolumeShadowCopy*\

    Note: per Sophos support, it does not work if you add it to the global exceptions

    Unfortunately, this solution has not worked for us and the problem appears to be getting worse with backups failing more frequently.

  • I've opened a case with Sophos last month. Apparently its been escalated to development, but so far no fixes that I've heard of. the workaround that works for me now, and as per Sophos Support is:


    • 1. Disable Tamper Protection on the affected servers
    • 2. Open Services.msc on each server
    • 3. Stop and Disable the Sophos Health service
    • 4. Reboot server and test backups
  • In reply to JamesGolden:

    Thanks James. I am trying that today. I will post how it goes tomorrow after the backup finishes.

  • In reply to DavidCraige:

    before a backup is about to begin, it might be worth running:

    vsstrace.exe -l 255 –o C:\trace.txt

    as detailed here:

    If you have a log of that when it works and fails, it might give more insight.  I assume you get an Application event log entry from VSS when it fails to correlate times.



  • In reply to JamesGolden:

    This solution worked for me. The backups have been successful ever since I applied. Thanks again!

  • In reply to JamesGolden:

    Thanks for your workaround James. We also have freeze / thaw VSS failures on a regular basis across 10 servers being backed up. On average we will get at least one error across the 10 servers 50% of the time. Would you be able to help me with one or two questions please?

    1. Is there an update on a resolution to this problem?
    2. Once the Sophos Health service is disabled, how do I know if Sophos is working correctly? Is the only way to do a manual check?
    3. I thought I could set up a task to stop and start the service on a schedule but the tamper protection would prevent it. Is there any way around this? I don't want to leave tamper protection off.
    4. Should I also exclude Volume Shadow Copies from on access scans?
    5. Windows server 2008 servers do not seem to suffer from this problem only 2012. Has anybody else noticed this?


  • In reply to charles kavazy:

    As far as I am aware, Sophos Development are in conversation with Microsoft.  Hopefully there will be an update soon.