How to exclude Volume Shadow Copy from Symantec Endpoint Protection's scan process
Article ID: 154258

Products

Endpoint Protection

Issue/Introduction

In some environments, when Windows Server Backup starts its background Auto Restore / Copy work, the server may freeze and stop responding.

Resolution

Avoid this potential conflict by excluding the Volume Shadow Copy from the scan process.

At a command prompt, run vssadmin list shadows to list the VSS shadow copy locations. An example:
 
C:\Users\Administrator>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.
 
Contents of shadow copy set ID: {351ee02c-ddd6-4588-ad52-c8a492cca985}
   Contained 1 shadow copies at creation time: 5/12/2011 10:59:35 AM
      Shadow Copy ID: {a22acec8-e80a-474f-85a4-701aef423d99}
         Original Volume: (C:)\\?\Volume{29e5f939-3cac-11e0-ad9b-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: ServerName
         Service Machine: ServerName
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers,
 Differential
 
Contents of shadow copy set ID: {4615fe12-fb9f-46ee-a1a1-ce21e5770c74}
   Contained 1 shadow copies at creation time: 5/12/2011 10:59:51 AM
      Shadow Copy ID: {4c6c2ba2-cc02-4c21-923e-8fdb004fbdf4}
         Original Volume: (D:)\\?\Volume{433499a2-7c73-11e0-b7e0-000c29d393e5}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: ServerName
         Service Machine: ServerName
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers,
 Differential
 
Contents of shadow copy set ID: {281ffda8-2852-4a03-aa6c-6fc91992afea}
   Contained 1 shadow copies at creation time: 5/12/2011 11:03:14 AM
      Shadow Copy ID: {e208be72-70bb-47a3-a41c-5f9f94c1aa68}
         Original Volume: (D:)\\?\Volume{433499a2-7c73-11e0-b7e0-000c29d393e5}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6
         Originating Machine: ServerName
         Service Machine: ServerName
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: DataVolumeRollback
        Attributes: Persistent, No auto release, No writers, Differential

C:\Windows\system32>mklink /d d:\WindowsImageBackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\

Creates a symbolic link for D:\WindowsImageBackup <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\

 

Because an exclusion cannot be set using the string (D:)\\?\Volume{433499a2-7c73-11e0-b7e0-000c29d393e5}\ or \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\, the following exclusions must be created instead:

 
On the partition chosen for the backup, the WindowsImageBackup folder was created when the Windows Server Backup application was configured.
 
In the Centralized Exceptions policy, add the drive path to this folder as both a security risk file exception and a security risk folder exception.
For example: D:\WindowsImageBackup
Additionally, create an exception for the vssvc.exe process (see the attached screenshot).
 
 
 
Update this policy on the appropriate SEP client group.
 
To confirm that the policy is working, copy the EICAR test file into the WindowsImageBackup folder.
Run a scan; the file should be ignored.
 
You can also run the Windows Server Backup application to back up another location into the WindowsImageBackup folder.
It should then complete without any issues or freezes.
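The vssadmin and mklink steps above are easy to get wrong by hand when a server holds many shadow copies. As an added example, not part of this article or of Symantec's tooling, the following Python script parses vssadmin list shadows output (a constructed sample taken from the listing above) into records and builds the mklink /d command for the last-listed shadow copy of a chosen drive; the link directory and drive letter are assumed inputs, and the trailing backslash on the target follows the article's own command.

```python
# Constructed sample: two of the shadow copies from the vssadmin output above.
SAMPLE = r"""
Contents of shadow copy set ID: {351ee02c-ddd6-4588-ad52-c8a492cca985}
   Contained 1 shadow copies at creation time: 5/12/2011 10:59:35 AM
      Shadow Copy ID: {a22acec8-e80a-474f-85a4-701aef423d99}
         Original Volume: (C:)\\?\Volume{29e5f939-3cac-11e0-ad9b-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Contents of shadow copy set ID: {4615fe12-fb9f-46ee-a1a1-ce21e5770c74}
   Contained 1 shadow copies at creation time: 5/12/2011 10:59:51 AM
      Shadow Copy ID: {4c6c2ba2-cc02-4c21-923e-8fdb004fbdf4}
         Original Volume: (D:)\\?\Volume{433499a2-7c73-11e0-b7e0-000c29d393e5}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers,
 Differential
"""

def parse_shadows(text: str) -> list[dict]:
    """One dict per 'Shadow Copy ID' block, keyed by vssadmin's own labels.
    A line with no colon (e.g. ' Differential') continues the previous value."""
    shadows, cur, set_id, last_key = [], None, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if ":" not in line:
            if line and cur is not None and last_key:
                cur[last_key] += " " + line
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key.startswith("Contents of shadow copy set ID"):
            cur, set_id = None, value      # new set: stop filling the old record
        elif key == "Shadow Copy ID":
            cur = {"Set ID": set_id, key: value}
            shadows.append(cur)
        elif cur is not None:
            cur[key] = value
        last_key = key
    return shadows

def mklink_for_drive(link_dir: str, drive: str, shadows: list[dict]) -> str:
    """mklink /d command exposing the last-listed shadow copy of `drive` (e.g. 'D:')
    under a normal path; the trailing backslash on the target is required."""
    hits = [s for s in shadows
            if s.get("Original Volume", "").startswith(f"({drive.upper()})")]
    if not hits:
        raise LookupError(f"no shadow copy of {drive} in vssadmin output")
    target = hits[-1]["Shadow Copy Volume"].rstrip("\\") + "\\"
    return f"mklink /d {link_dir} {target}"

if __name__ == "__main__":
    print(mklink_for_drive(r"d:\WindowsImageBackup", "D:", parse_shadows(SAMPLE)))
```

On a live server, feed it the real output (for example via subprocess) instead of SAMPLE; the resulting link path is the one to name in the SEP exception.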
 
Ref: https://blogs.msdn.microsoft.com/adioltean/2008/02/28/a-simple-way-to-access-shadow-copies-in-vista/

Attachments

VSS central exception.JPG