Freeze/thaw VSS failures when Sophos AV is utilized

Unitrends has an article (5520, https://support.unitrends.com/UnitrendsBackup/s/article/ka040000000PmjMAAS/000005520?_ga=2.69789140.576488646.1505169382-1745831295.1501935182) on getting freeze/thaw VSS failures on devices running Sophos A/V when doing backups. 

I've got one server experiencing this with Unitrends. I've got another server with Windows Server Backups that keep failing, but I haven't tried uninstalling Sophos on the 2nd one yet to verify that this is the same issue.

 

Is there any official word from Sophos on this? Has anyone else experienced this?

 

  • We're having a similar issue with Unitrends backup at our remote site. The Unitrends backups fail intermittently for our servers and there is no apparent rhyme or reason. Running the command vssadmin list writers from an elevated command prompt always shows several of the VSS writers in a failed state, including the System Writer.

    Sophos' answer is to add the following exception to the servers' policy:

    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*\ or GLOBALROOT\Device\HarddiskVolumeShadowCopy*\

    Note: per Sophos support, it does not work if you add it to the global exceptions

    http://sophos.com/kb/126726

    Unfortunately, this solution has not worked for us and the problem appears to be getting worse with backups failing more frequently.
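
Added example (not part of the original thread, and not from Sophos or Unitrends): a PowerShell parser for the `vssadmin list writers` check described above, listing writers that are not Stable or that report an error. The sample output, GUIDs and function names are constructed for illustration, and English-language vssadmin output is assumed.

```powershell
# Constructed sample of `vssadmin list writers` output (not captured from a real host).
$sample = @'
Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a1}
   State: [7] Failed
   Last error: Timed out

Writer name: 'Registry Writer'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a2}
   State: [1] Stable
   Last error: No error
'@

# Hypothetical helper: turn the text blocks into one object per writer.
function ConvertFrom-VssWriterList {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match "^\s*Writer name:\s*'(.+)'") {
            if ($current) { [pscustomobject]$current }   # emit the previous writer
            $current = [ordered]@{ Name = $Matches[1]; StateCode = $null; State = $null; LastError = $null }
        }
        elseif ($current -and $line -match '^\s*State:\s*\[(\d+)\]\s*(.+?)\s*$') {
            $current.StateCode = [int]$Matches[1]
            $current.State     = $Matches[2]
        }
        elseif ($current -and $line -match '^\s*Last error:\s*(.+?)\s*$') {
            $current.LastError = $Matches[1]
        }
    }
    if ($current) { [pscustomobject]$current }           # emit the last writer
}

# Hypothetical helper: keep writers that are not "[1] Stable" or that carry an error.
# Writers can show other states briefly while a backup is running, so run this
# before the backup window and again after a failure.
function Get-UnhealthyVssWriter {
    param([string[]]$Lines)
    ConvertFrom-VssWriterList -Lines $Lines |
        Where-Object { $_.StateCode -ne 1 -or $_.LastError -ne 'No error' }
}

# Offline run against the sample. On a server, from an elevated prompt, use:
#   $lines = vssadmin list writers
$lines = $sample -split "`r?`n"
Get-UnhealthyVssWriter -Lines $lines |
    Format-Table Name, StateCode, State, LastError -AutoSize
```

Logging this result before and after each backup gives timestamps that can be matched against the VSS entries in the Application event log.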

  • I opened a case with Sophos last month. Apparently it's been escalated to development, but so far no fixes that I've heard of. The workaround that works for me now, and as per Sophos Support, is:

     

    • 1. Disable Tamper Protection on the affected servers
    • 2. Open Services.msc on each server
    • 3. Stop and Disable the Sophos Health service
    • 4. Reboot server and test backups
  • In reply to JamesGolden:

    Thanks James. I am trying that today. I will post how it goes tomorrow after the backup finishes.

  • In reply to DavidCraige:

    Before a backup is about to begin, it might be worth running:

    vsstrace.exe -l 255 -o C:\trace.txt

    as detailed here:

    https://blogs.technet.microsoft.com/askcore/2012/04/29/how-to-vss-tracing/

    If you have a log of that when it works and fails, it might give more insight.  I assume you get an Application event log entry from VSS when it fails to correlate times.

    Regards,

    Jak

  • In reply to JamesGolden:

    This solution worked for me. The backups have been successful ever since I applied. Thanks again!

  • In reply to JamesGolden:

    Thanks for your workaround James. We also have freeze / thaw VSS failures on a regular basis across 10 servers being backed up. On average we will get at least one error across the 10 servers 50% of the time. Would you be able to help me with one or two questions please?

    1. Is there an update on a resolution to this problem?
    2. Once the Sophos Health service is disabled, how do I know if Sophos is working correctly? Is the only way to do a manual check?
    3. I thought I could set up a task to stop and start the service on a schedule but the tamper protection would prevent it. Is there any way around this? I don't want to leave tamper protection off.
    4. Should I also exclude Volume Shadow Copies from on access scans?
    5. Windows Server 2008 servers do not seem to suffer from this problem, only 2012. Has anybody else noticed this?

     

  • In reply to charles kavazy:

    As far as I am aware, Sophos Development are in conversation with Microsoft.  Hopefully there will be an update soon.

    Regards

    Jak

  • Bump. I hate being put in a position to choose between backup and antivirus reporting. This isn't acceptable.

  • As a workaround, it would be great to have the possibility to schedule the "disable Tamper Protection" at a certain time in Sophos managed central.

    Then we can add a pre-backup job to the IASO backup system state backup job to disable the Sophos Health service, and we do a post job to enable the Health service and Tamper Protection.
  • Hi Everyone,

    The reported issue (WINEP-8974) is being worked on by development and we are awaiting an update from Microsoft on this. We will be updating this thread with further developments.

  • In reply to Gowtham Mani:

    When can we expect an update from Microsoft? Within several weeks, months, years? We have been experiencing problems for several months now...

  • In reply to Gowtham Mani:

    I can confirm this problem also exists on our Server 2016 Essentials with Acronis Backup 12.5 Standard Server. I disabled Tamper Protection and Sophos Health Service for now, but this leaves us in a very uncomfortable situation. Our customer has no internal IT and we provide all IT services for him, but it is crucial for us to have all remote management information. Now we are blind in terms of Sophos Server Protection.

  • In reply to Gowtham Mani:

    Hi, is there a time period in which the problem will be fixed?

    Because this thread has been open for a very long time now.