Recently I setup a backup for some folders. Today I found out that windows defender won't let the backup service do its job.

But how do I exclude the backup's shadow copy from windows defender?

It's not like I can point it to a file or folder and say "Don't check here".
Heck I tried excluding the entire backup drive, with no success.

And if I exclude .exes I might as well disable defender entirely.

martixy
  • 915
  • 2
  • 9
  • 19
  • "But how do I exclude the backup's shadow copy from windows defender?" Create an exception for the shadow volume copy location. This is safe because you're not excluding the original location. You can also adjust the workflow so scans happen well before a backup happens – Ramhound Jan 27 '17 at 23:22
  • This does not work. I guess it isn't very obvious the way I wrote it, but it is the very first thing I tried. – martixy Jan 27 '17 at 23:38
  • So what else have you tried but fail to mention? – Ramhound Jan 27 '17 at 23:43
  • Added the string "VSSVC" to excluded processes. Didn't work. Gave up, turned off Defender, ran backup manually. I'd like, however, to not have to babysit it. – martixy Jan 27 '17 at 23:48
  • What exactly did you mean when you said, "It's not like I can point it to a file or folder and say "Don't check here""? – Ramhound Jan 28 '17 at 00:08
  • VSS does not create normal files. I have no idea exactly what it creates, but they're not accessible parts of the filesystem. At least not through explorer.exe. The path reported by defender is `file:\Device\HarddiskVolumeShadowCopy16\Download\some_file.exe` – martixy Jan 28 '17 at 00:24
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/52634/discussion-between-martixy-and-ramhound). – martixy Jan 28 '17 at 00:30
  • Did you find a resolution? I too have backups being blocked due to some browser modification malware found in a volume shadow copy. The malware doesn't exist on the drives being backed up. – DannyMeister Jul 11 '17 at 00:15
  • This is still an issue that can really slow down backups. I came across it when using ToDo Backup to make a belt-n-braces backup of a client's OneDrive. When you ran the full backup, msmpeng.exe was reading every single file in the shadow copy. Worse, and possibly a fault with ToDo Backup, but when running the incremental, it also scans every file. Cobian Backup triggers msmpeng.exe as well on the full backup but not on the incrementals – munrobasher Feb 24 '20 at 13:19

4 Answers

I'm not sure that excluding a volume shadow copy is actually what you need to do. I thought I was in the same boat as you... Windows Backup and Restore was reporting failed backups due to malware. The only references I could find in Windows Defender was to a path similar to Device\HarddiskVolumeShadowCopy5\Download\something.crx, and searching similar paths on my actual drives wasn't turning anything up.

My first clue was when I tried to redo the backup manually: I noticed the first step was "Create Shadow Volume." This made me think that Defender must not be so stupid after all, and perhaps it was catching something being copied from a source drive. After further investigation, it turns out some symbolic links (folder aliases) I had created were confusing the issue, and I finally did turn up the reported file (downloaded over 5 years ago!) that it was complaining about. Now, why full scans from Defender don't find it, but real-time access during backup does, is a separate issue.

Likely you aren't as inept as me with locating the reported malware file(s), but maybe you do have a tenacious bad guy that is either having trouble being cleaned up, yet hiding itself well, or that keeps re-infecting the system from another vector.

DannyMeister
  • He did not mention that it is malware – symbiont Jan 18 '20 at 04:04
  • @symbiont Defender can interfere with backups if malware is detected in the backup. The asker mentions in a comment that Defender had a problem with a specific (but dynamically re-pathed in the shadow copy) exe. I think it's a very logical conclusion that Defender was detecting it as malware. – DannyMeister Jan 23 '20 at 00:21
  • Then I disagree with your conclusion. Windows Defender doesn't only detect malware, not to mention false positives. And again, the asker did not even mention the word malware. I'm not sure what you mean with "dynamically re-patched in the shadow copy" – symbiont Jan 23 '20 at 20:45

You can use PowerShell to add a wildcard pattern for all HD shadow copies to Windows Defender's exclusion list. The Defender settings GUI doesn't let you use wildcards, but the PowerShell command does:

PS C:\> Add-MpPreference -ExclusionPath "\Device\HarddiskVolumeShadowCopy*\"

Or, if you are using cmd.exe:

C:\> powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "\Device\HarddiskVolumeShadowCopy*\"
Gronteth
0xabc
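DannyMeister's answer shows the real difficulty: a detection reported as `\Device\HarddiskVolumeShadowCopyNN\...` has to be traced back to the live file before you can decide whether it is malware or a false positive, and the answer above adds a blanket exclusion without a way to check what it covers. The following is an added example, not code from any answer on this page; it assumes Windows 10/11 with the built-in Defender PowerShell module, run from an elevated prompt, and that the shadow copy still exists when you run it.

```powershell
# Added example: map Defender detections inside volume shadow copies back to the
# file on the original volume, so it can be inspected or cleaned instead of hidden
# behind an exclusion. Assumes an elevated prompt and the Defender PS module.

function Resolve-ShadowCopyDetection {
    # Mount point (e.g. C:\) of every volume, keyed by its \\?\Volume{GUID}\ device ID.
    $volumes = @{}
    foreach ($v in Get-CimInstance -ClassName Win32_Volume) {
        $volumes[$v.DeviceID] = $v.Name
    }

    # Shadow copy device name (\Device\HarddiskVolumeShadowCopy16) -> live mount point.
    # DeviceObject is reported as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy16.
    $shadowToMount = @{}
    foreach ($sc in Get-CimInstance -ClassName Win32_ShadowCopy) {
        $deviceName = $sc.DeviceObject -replace '^\\\\\?\\GLOBALROOT', ''
        $shadowToMount[$deviceName] = $volumes[$sc.VolumeName]
    }

    # Defender reports the resource as file:...\Device\HarddiskVolumeShadowCopyNN\rel\path
    $pattern = '(\\Device\\HarddiskVolumeShadowCopy\d+)\\(.+)$'
    foreach ($det in Get-MpThreatDetection) {
        foreach ($res in $det.Resources) {
            if ($res -notmatch $pattern) { continue }
            $device  = $Matches[1]
            $relPath = $Matches[2]
            $mount   = $shadowToMount[$device]
            # Backups usually delete their snapshot afterwards; then only the path is known.
            $livePath = if ($mount) { Join-Path $mount $relPath } else { $null }
            [pscustomobject]@{
                Detected   = $det.InitialDetectionTime
                ThreatID   = $det.ThreatID
                Process    = $det.ProcessName
                ShadowPath = $res
                LivePath   = if ($livePath) { $livePath } else { "$device no longer present" }
                LiveExists = if ($livePath) { Test-Path -LiteralPath $livePath } else { $false }
            }
        }
    }
}

Resolve-ShadowCopyDetection | Format-Table -AutoSize

# For comparison, what the blanket exclusion from the answer above actually covers:
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
```

A row whose LiveExists is $true points at the file that really triggers the detection during backup; a row with LiveExists $false on a still-present volume suggests a symlink or junction in the source tree, as in DannyMeister's case.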
use the notification:

  • go to the notification by clicking on it, or go to [Start > Settings > Update & Security > Windows Security > Virus & threat protection > Threat history > See full history].
  • then expand the threat > Actions > Allow.

this seems to work better than trying to exclude a path to the shadow volume "file:\Device\HarddiskVolumeShadowCopy16\Download\some_file.exe", which it doesn't recognize.

symbiont
Defender doesn't have an option to allow for VSS "threats". In my case, they are not threats; they are NirSoft files I have already excluded in Defender, but when they are being backed up they show as threats in VSS, and there are no exclusions allowed for VSS, only quarantine and remove, so you need to exclude those files from backups altogether.

gmmgm