Author Topic: Windows 7 backup fails: Shadow copy problem and false positive  (Read 10237 times)
rurikc
Newbie
Windows 7 backup fails: Shadow copy problem and false positive
« on: February 21, 2010, 07:53:16 PM »

Hi,

I am trying to make backups of my Windows 7 system using the native system backup.

One of the cygwin binaries has been detected — falsely I'd say — as being infected.
(cygwin\usr\X11R6\bin\xdvi-xaw.bin.exe as having Heur.Dual.Extensions)

I added an exclusion but it still appears in the shadow copy area and I don't know how to "remove" it from there (\Device\HarddiskVolumeShadowCopy<NN>).

It appears that this causes the backup to fail if the directory containing the file is included in the backup (backup completes successfully if directory is excluded).

So how do I tell Comodo that the shadow copy file is OK?

(it does not appear in "quarantined items", and the original file is already marked as safe in "my own safe files")

Cheers,
EricJH
Global Moderator
Comodo's Hero
Re: Windows 7 backup fails: Shadow copy problem and false positive
« Reply #1 on: February 22, 2010, 09:55:52 PM »

Do you see the event in View Defense + Events (Defense +  --> Common Tasks)? Can you post a screenshot of it?
rurikc
Newbie
Re: Windows 7 backup fails: Shadow copy problem and false positive
« Reply #2 on: February 22, 2010, 10:20:45 PM »

> Do you see the event in View Defense + Events (Defense + --> Common Tasks)?

No.

The only place I saw it is in the main screen, Virus Defense -> <##> threat(s) detected so far

> Can you post a screenshot of it?

[Attachment: Capture.PNG (37.25 KB, 869x441)]
EricJH
Global Moderator
Comodo's Hero
Re: Windows 7 backup fails: Shadow copy problem and false positive
« Reply #3 on: February 25, 2010, 04:31:15 PM »

Good catch by also checking the AV logs.

How is your heuristics level set in the AV? If it is set higher than Low, heuristics will become much more chatty, with higher chances of false positives; then try setting it to Low.

If Heuristics was set to Low, add the offending file to the Exclusions.
rurikc
Newbie
Re: Windows 7 backup fails: Shadow copy problem and false positive
« Reply #4 on: February 25, 2010, 06:07:26 PM »

> If Heuristics was set to low add the offending file to the Exclusions.

The file is already in the exclusion list (as I specified in my first post).

The way I think it works is:
- Windows 7 takes a snapshot via shadow copy, then starts to back up the shadow copy.
- Comodo catches the shadow copy and flags it as infected.
- Windows 7 finishes the backup but marks it as bad because it could not back up the flagged file.

The snapshot location appears to vary each time (postfixed with <NN>, two numbers), i.e. Windows 7 creates a new shadow copy each time.

I don't even know if it's possible to add files from the shadow copy to the exclusion list; I guess it's not possible, and it makes little sense to me anyway as it's just a filesystem snapshot.

The backup fails even if Comodo is shut down (does it need a reboot to deactivate? Then it would be a major pain).

At this point I believe it's a Comodo bug: if a file is "excluded" from the disk then it should be automatically "excluded" from the shadow copy as well.

Regards.
EricJH
Global Moderator
Comodo's Hero
Re: Windows 7 backup fails: Shadow copy problem and false positive
« Reply #5 on: February 25, 2010, 08:56:13 PM »

What happens when you add \Device\HarddiskVolumeShadowCopy* to the exclusions?
_JoeCool_
Comodo Family Member
Re: Windows 7 backup fails: Shadow copy problem and false positive
« Reply #6 on: March 28, 2010, 10:41:20 AM »

I also had this problem and I can confirm that creating the Exception solves my Backup woes...

Thanks, this should be included as a default value...
Tags: Windows 7  Backup  shadow copy 
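
Added example (not part of the thread and not Comodo's code): a Python sketch that triages detection paths under three matching rules, the per-file exclusion from the first post, the `\Device\HarddiskVolumeShadowCopy*` wildcard from Reply #5, and a normalised comparison that excludes a snapshot path only when its live counterpart is excluded, as Reply #4 asks for. The drive letter `C:`, the snapshot numbers and the file `unknown.exe` are constructed, and it assumes every snapshot is of the volume that holds the excluded file.

```python
import fnmatch
import re

# Matches \Device\HarddiskVolumeShadowCopy<NN>\rest and captures the volume-relative rest.
SHADOW_RE = re.compile(r"^\\Device\\HarddiskVolumeShadowCopy\d+(\\.*)$", re.IGNORECASE)

def volume_relative(path):
    """Strip the drive letter or the shadow-copy device prefix; lowercase the rest."""
    m = SHADOW_RE.match(path)
    if m:
        return m.group(1).lower()
    return re.sub(r"^[A-Za-z]:", "", path).lower()

def exact_match(path, exclusions):
    """Per-file exclusion compared against the path exactly as reported."""
    return path.lower() in {e.lower() for e in exclusions}

def wildcard_match(path, pattern):
    """Device-wide wildcard exclusion, as suggested in the thread."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def normalised_match(path, exclusions):
    """Treat a snapshot path as excluded only if its live counterpart is excluded."""
    return volume_relative(path) in {volume_relative(e) for e in exclusions}

# Constructed sample data: drive letter, snapshot numbers and unknown.exe are assumptions.
EXCLUSIONS = [r"C:\cygwin\usr\X11R6\bin\xdvi-xaw.bin.exe"]
WILDCARD = r"\Device\HarddiskVolumeShadowCopy*"
DETECTIONS = [
    r"C:\cygwin\usr\X11R6\bin\xdvi-xaw.bin.exe",
    r"\Device\HarddiskVolumeShadowCopy12\cygwin\usr\X11R6\bin\xdvi-xaw.bin.exe",
    r"\Device\HarddiskVolumeShadowCopy13\cygwin\usr\X11R6\bin\xdvi-xaw.bin.exe",
    r"\Device\HarddiskVolumeShadowCopy13\Users\demo\Downloads\unknown.exe",
]

def triage(detections=DETECTIONS):
    """Return (path, exact, wildcard, normalised) for each detection."""
    return [(p, exact_match(p, EXCLUSIONS), wildcard_match(p, WILDCARD),
             normalised_match(p, EXCLUSIONS)) for p in detections]

if __name__ == "__main__":
    for path, exact, wild, norm in triage():
        print(f"exact={exact!s:5} wildcard={wild!s:5} normalised={norm!s:5} {path}")
```

The last row is the trade-off: the device-wide wildcard also suppresses detections for unrelated files inside a snapshot, while the normalised rule covers only the file that was already excluded.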