Exclude backups (Volume Shadow Copy) from Windows Defender

Recently I setup a backup for some folders. Today I found out that windows defender won't let the backup service do its job.

But how do I exclude the backup's shadow copy from windows defender?

It's not like I can point it to a file or folder and say "Don't check here".
Heck I tried excluding the entire backup drive, with no success.

And if I exclude .exes I might as well disable defender entirely.

martixy

Posted 2017-01-27T22:43:59.630

Reputation: 362

"But how do I exclude the backup's shadow copy from windows defender?" Create an exception for the shadow volume copy location. This is safe because you're not excluding the original location. You can also adjust the workflow so scans happen well before a backup happens – Ramhound – 2017-01-27T23:22:19.630

This does not work. I guess it isn't very obvious the way I wrote it, but it is the very first thing I tried. – martixy – 2017-01-27T23:38:59.403

So what else have you tried but fail to mention? – Ramhound – 2017-01-27T23:43:00.460

Added the string "VSSVC" to excluded processes. Didn't work. Gave up, turned off Defender, ran backup manually. I'd like, however, to not have to babysit it. – martixy – 2017-01-27T23:48:47.153

What exactly did you mean, when you said, "It's not like I can point it to a file or folder and say 'Don't check here'."? – Ramhound – 2017-01-28T00:08:48.257

VSS does not create normal files. I have no idea exactly what it creates, but they're not accessible parts of the filesystem. At least not through explorer.exe. The path reported by defender is file:\Device\HarddiskVolumeShadowCopy16\Download\some_file.exe – martixy – 2017-01-28T00:24:15.350

Let us continue this discussion in chat.

– martixy – 2017-01-28T00:30:29.397

Did you find a resolution? I too have backups being blocked due to some browser modification malware found in a volume shadow copy. The malware doesn't exist on the drives being backed up. – DannyMeister – 2017-07-11T00:15:23.537

This is still an issue that can really slow down backups. I came across it when using ToDo Backup to make a belt-and-braces backup of a client's OneDrive. When you ran the full backup, msmpeng.exe was reading every single file in the shadow copy. Worse, and possibly a fault with ToDo Backup, when running the incremental it also scans every file. Cobian Backup triggers msmpeng.exe as well on the full backup but not on the incrementals – munrobasher – 2020-02-24T13:19:26.320

Answers

1

I'm not sure that excluding a volume shadow copy is actually what you need to do. I thought I was in the same boat as you... Windows Backup and Restore was reporting failed backups due to malware. The only references I could find in Windows Defender were to a path similar to Device\HarddiskVolumeShadowCopy5\Download\something.crx, and searching similar paths on my actual drives wasn't turning anything up.

My first clue was when I tried to redo the backup manually: I noticed the first step was "Create Shadow Volume." This made me think that Defender must not be so stupid after all, and perhaps it was catching something being copied from a source drive. After further investigation, it turns out some symbolic links (folder aliases) I had created were confusing the issue, and I finally did turn up the reported file (downloaded over 5 years ago!) that it was complaining about. Now, why full scans from Defender don't find it, but real-time access during backup does, is a separate issue.

Likely you aren't as inept as me with locating the reported malware file(s), but maybe you do have a tenacious bad guy that is either having trouble being cleaned up, yet hiding itself well, or that keeps re-infecting the system from another vector.

DannyMeister

Posted 2017-01-27T22:43:59.630

Reputation: 111

he did not mention that it is malware – symbiont – 2020-01-18T04:04:13.460

@symbiont Defender can interfere with backups if malware is detected in the backup. The asker mentions in a comment that Defender had a problem with a specific (but dynamically re-pathed in the shadow copy) exe. I think it's a very logical conclusion that Defender was detecting it as malware. – DannyMeister – 2020-01-23T00:21:01.917

then i disagree with your conclusion. windows defender doesn't only detect malware, not to mention false positives. and again, the asker did not even mention the word malware. i'm not sure what you mean with "dynamically re-patched in the shadow copy" – symbiont – 2020-01-23T20:45:54.773
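The answer above boils down to: the file Defender reports under `\Device\HarddiskVolumeShadowCopyN\...` is a snapshot of a file that exists on a live volume, so find and clean it there rather than excluding the shadow copy. The script below is an added example, not code from the thread: it reads Defender's detection history and maps each shadow-copy resource path back to the drive letter of the volume that was snapshotted. It assumes the Defender PowerShell module (`Get-MpThreatDetection`), the `Win32_ShadowCopy` and `Win32_Volume` WMI classes, and an elevated session.

```powershell
# Added example (not from the original thread): translate Defender detections
# reported under \Device\HarddiskVolumeShadowCopyN back to the live volume they
# snapshot, so the file can be located on the source drive instead of excluded.
# Assumes the Defender module, WMI access and an elevated PowerShell session.

# Lookup: shadow device object -> drive letter of the original volume
$volumes = Get-CimInstance Win32_Volume | Where-Object DriveLetter
$shadowToDrive = @{}
foreach ($sc in Get-CimInstance Win32_ShadowCopy) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy16
    $dev = $sc.DeviceObject -replace '^\\\\\?\\GLOBALROOT', ''
    # VolumeName (\\?\Volume{GUID}\) matches Win32_Volume.DeviceID
    $orig = $volumes | Where-Object DeviceID -eq $sc.VolumeName
    if ($orig) { $shadowToDrive[$dev] = $orig.DriveLetter }
}

# Walk the detection history (same data as "Threat history" in the GUI)
foreach ($det in Get-MpThreatDetection) {
    foreach ($res in $det.Resources) {
        # Resource strings look like file:_\Device\HarddiskVolumeShadowCopy16\Download\x.exe
        if ($res -match '(\\Device\\HarddiskVolumeShadowCopy\d+)(\\.*)$') {
            $dev, $rest = $Matches[1], $Matches[2]
            $drive = $shadowToDrive[$dev]
            # A snapshot that has since been deleted cannot be mapped any more
            $candidate = if ($drive) { "$drive$rest" } else { "<snapshot $dev no longer exists>$rest" }
            [pscustomobject]@{
                Detected   = $det.InitialDetectionTime
                ThreatID   = $det.ThreatID
                ShadowPath = $res
                LivePath   = $candidate
                StillThere = ($drive -and (Test-Path -LiteralPath $candidate))
            }
        }
    }
}
```

If `StillThere` is true, the live file is what needs cleaning; if the snapshot no longer exists, re-run the backup so a fresh shadow copy is created and the mapping can be made while it is present.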

0

use the notification:

  • go to the notification by clicking on it, or go to [Start > Settings > Update & Security > Windows Security > Virus & threat protection > Threat history > See full history].
  • then expand the threat > Actions > Allow.

this seems to work better than trying to exclude a path to the shadow volume "file:\Device\HarddiskVolumeShadowCopy16\Download\some_file.exe", which it doesn't recognize.

symbiont

Posted 2017-01-27T22:43:59.630

Reputation: 101