Sophos Endpoint Server Protection - HarddiskVolumeShadowCopy

Hi all,

We are in the process of installing Sophos Endpoint onto our servers. Some of our Windows file store servers are coming back with malware warnings for files that it cannot clean up.

They look like the following:

I am not sure where it is pulling these locations from. We do not use shadow copies; they are disabled on all disks. It also seems to be unable to clean itself, and the only action I have is "Marked as resolved". Can anyone shed some light on what this is and where it could be pulling this info from? The issue is that there are a LOT of them. The server is virtualised on VMware and the storage is iSCSI/SAN based; I am not sure if it is just displaying it strangely because of that, but I don't understand why the paths seem to suggest shadow copies.

Thanks in advance.

  • Hi

    This is usually seen if you have had Volume Shadow Copies enabled at some point, disabled and the copies were not deleted.

    We've also seen this occur if you use any other third-party backup software that makes use of VSS services to create copies or snapshots.

    You can add a scanning exclusion for VSS paths in your Threat Protection Policy to prevent these alerts from occurring.

  • In reply to DianneY:


    Thank you for the clarification. Our concern is that we may end up excluding real data. But because the path has "volumeshadowcopy" in it, I am guessing this is not going to be data on the actual hard disks on the server. We use DPM for backup and we use deduplication, but I don't think either of those makes use of shadow copies. If you go to each disk on the server, shadow copies are disabled, so it is quite a strange thing.

  • In reply to David Ashcroft:

    DPM uses VSS and is therefore leveraging Volume Shadow Copy, which is why you are seeing the events logged about files in Volume Shadow Copy. The reported events are 100% accurate as to the file locations.
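The following is an added example for readers of this thread, not code posted by any participant or shipped by Sophos or Microsoft. It shows how to confirm on the file server itself whether the \Device\HarddiskVolumeShadowCopyN paths in the scanner alerts correspond to live VSS snapshots, which volume each snapshot was taken from, and whether the volume's own "Shadow Copies" schedule (the setting that appears as "disabled" on each disk) is what is creating them or whether a backup requester such as DPM is. Class and property names are the standard WMI/CIM ones; the scheduled-task name pattern is an assumption based on how the per-volume schedule is normally registered. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the thread): reconcile AV alerts on
# \Device\HarddiskVolumeShadowCopyN paths with the VSS snapshots that
# actually exist on this host. Requires an elevated session.

# One Win32_ShadowCopy instance per snapshot. DeviceObject is the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path that scanners
# report, so the number in an alert can be matched directly here.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
$volumes = Get-CimInstance -ClassName Win32_Volume

if (-not $shadows) {
    Write-Host "No VSS snapshots are currently present on this host."
}

$report = foreach ($s in $shadows) {
    # VolumeName is a \\?\Volume{GUID}\ string; map it to a drive letter or mount point.
    $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
    [pscustomobject]@{
        ShadowDevice     = $s.DeviceObject        # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
        SourceVolume     = if ($vol) { $vol.Name } else { $s.VolumeName }
        Created          = $s.InstallDate
        Persistent       = $s.Persistent          # $false = non-persistent snapshot held open by a requester (typical of backups)
        ClientAccessible = $s.ClientAccessible    # $true  = "Previous Versions" style copy exposed to SMB clients
        ProviderId       = $s.ProviderID
    }
}

"Snapshots currently present:"
$report | Sort-Object SourceVolume, Created | Format-Table -AutoSize

# The per-disk "Shadow Copies" schedule (what the Disk Management tab enables or disables)
# is registered as a scheduled task; assumed name pattern ShadowCopyVolume{GUID}.
# None present = the disk-tab schedule is off, which does not stop VSS requesters
# (DPM, other backup agents) from creating their own snapshots on demand.
"Per-volume shadow copy schedules:"
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'ShadowCopyVolume*' } |
    Select-Object TaskName, State |
    Format-Table -AutoSize

# Cross-check with the built-in VSS CLI: the shadow copy IDs, originating volumes
# and shadow copy device names should agree with the table above.
"vssadmin view:"
vssadmin list shadows
```

If the table is empty while alerts keep arriving, re-run it during the backup window: a requester's non-persistent snapshot only exists while the job holds it, which is when an on-access scanner can read through it. If snapshots are listed with ClientAccessible set to false and no ShadowCopyVolume schedule exists, the copies are being created by a backup requester rather than by the per-disk setting, and an exclusion scoped to the shadow copy device paths (rather than to the live volume) is what avoids excluding real data.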