Behavior Shield & Shadow Copy issues

Hi all and good day,

after weeks of troubles with the shadow copy service while backing up data and hours of googeling I stumbled across this thread: http://forum.avast.com/index.php?topic=70882.0. I tried out disabling the behavior shield and issues gone. I even narrowed it down to disabling the “Das System auf nicht autorisierte Änderungen prüfen” (not sure what the english description is).

My setup as follows:

  • Athlon Phenom II X6 T1000
  • ASUS Crossfire Extreme MoBo
  • Vertex 3 SDD as primary hard disk
  • 3 more sata II hard drives
  • 2 Blu Ray drives
  • Windows 7/64 Bit
  • AVAST Internet Security 6.0.1105

My error scenario as follows:

  • Backing up daily with Roxio Retrospect (newest version 7.7.562)
  • Retrospect starts a back-up job by displaying “preparing for Shadow Copies”
  • Windows experiences a somewhat funny freeze for about 15-25 seconds before returning to normal; after that Reprospect starts the backup process but logs the unavailability of shadow copies
  • As a result subsequent errors are logged, e.g. if files are locked/not backed up properly
  • Windows records VSS 12341 error events for each drive; 4 in my case
  • Windows records VSS 12297 error event once
  • Windows records multiple Retrospect error events; one per volume in a given backup
  • Windows records volsnap 9 error events; one per drive

According to the recorded events it seems timeout related and if AVAST is the culprit it somehow must interfere with the MS Shadow Copy Service.

Is this really an avast issue? Somebody out there in the know about this?

Thanks for your responses

Kobe ???

Here are the detailed windows error events:
VSS 12341

Volumeschattenkopie-Warnung: Der Volumeschattenkopie-Dienst hat 0x000000000000003c Sekunden lang versucht, Volume \\?\Volume{db837d4a-8329-11e0-b514-806e6f6e6963}\ zu leeren und zu halten. Dies kann Probleme verursachen, wenn bei anderen Volumes im Schattenkopiesatz beim Warten auf die Freigabe-Schreiben-Phase eine Zeitüberschreitung auftritt, und dazu führen, dass die Schattenkopie nicht erstellt werden kann. Wiederholen Sie den Versuch, wenn die Datenträgeraktivität nicht mehr so hoch ist. Dadurch kann dieses Problem ggf. behoben werden. 

Vorgang:
   Asynchroner Vorgang wird ausgeführt

Kontext:
   Aktueller Status: flush-and-hold writes
   Volumename: \\?\Volume{db837d4a-8329-11e0-b514-806e6f6e6963}\

VSS 12297

Volumeschattenkopie-Dienstfehler: Die E/A-Schreibvorgänge können während des Schattenkopie-Erstellungszeitraums auf Volume "\\?\Volume{db837d4e-8329-11e0-b514-806e6f6e6963}\" nicht geleert werden. Der Volumeindex im Schattenkopiesatz ist 0. Fehlerdetails: Offen[0x00000000, Der Vorgang wurde erfolgreich beendet.
], Leerung[0x80042313, Der Schattenkopieanbieter hat beim Weiterleiten von Daten an das Volume, von dem eine Schattenkopie erstellt wird, das Zeitlimit überschritten. Ursache hierfür könnte eine hohe Aktivität auf dem Volume sein. Wiederholen Sie den Vorgang später, wenn das Volume nicht so stark ausgelastet ist.
], Freigabe[0x00000000, Der Vorgang wurde erfolgreich beendet.
], Ausführung[0x00000000, Der Vorgang wurde erfolgreich beendet.
]. 

Vorgang:
   Asynchroner Vorgang wird ausgeführt

Kontext:
   Aktueller Status: DoSnapshotSet

Retrospect error events

Die Beschreibung für die Ereignis-ID "1" aus der Quelle "Retrospect" wurde nicht gefunden. Entweder ist die Komponente, die dieses Ereignis auslöst, nicht auf dem lokalen Computer installiert, oder die Installation ist beschädigt. Sie können die Komponente auf dem lokalen Computer installieren oder reparieren.

Falls das Ereignis auf einem anderen Computer aufgetreten ist, mussten die Anzeigeinformationen mit dem Ereignis gespeichert werden.

Die folgenden Informationen wurden mit dem Ereignis gespeichert: 

Can't use Open File Backup option for Videoarchiv on Multimediaarchiv (G:), error -1017 ( insufficient permissions)

Der angegebene Ressourcentyp wurde nicht in der Image-Datei gefunden

volsnap 9 error events

Das Zeitlimit für den Lösch- und Speicherschreibvorgang für Volume "C:" wurde beim Warten auf eine Dateisystembereinigung überschritten.

Have you tried putting Retrospect in the Avast exclusion? You might also want to add it to the Behavior Shield > Trusted Processes. Let us know if this helps.

Since I do not read German, I will contact one of our other Evangelists to assist. Thank you.

Thanks for the quick response and sorry for the “German” - I post some translations/explanations from the net below. I tried retrospect.exe and VSSVC.exe as trusted processes but to no avail.

I am not sure if there is a specific volsnap task - at least it escapes me.

I will try the “exclusion” list and report back.

From MS TechNet for Volsnap 9

Explanation

This event indicates that Volume Snapshot Driver was not able to allocate enough system resources to perform an operation.
Cause

Possible causes include:

    The system is low on memory.
    The system is low on CPU resources.
    The system has a high disk I/O load.

   
User Action

Do one or more of the following:

    Monitor the system resources (CPU usage and disk I/O performance) to identify what is causing the system to be low on resources.
    Schedule Volume Shadow Copy Service or other operations during the least busy periods for the system.
    Move the Diff Area to a different, dedicated volume.

From Google for VSS 12341

Volume Shadow Copy Warning: VSS spent 0x000000000000003c seconds trying to flush and hold the volume \\?\Volume{e2be8753-0df6-11e0-8ce7-806e6f6e6963}\.  This might cause problems when other volumes in the shadow-copy set timeout waiting for the release-writes phase, and it can cause the shadow-copy creation to fail.  Trying again when disk activity is lower may solve this problem.

Operation:
   Executing Asynchronous Operation

Context:
   Current State: flush-and-hold writes

From MS TechNet for VSS 12297

Explanation

This event indicates that Volume Shadow Copy Service was not able to allocate enough system resources to perform an operation.
Cause

Possible causes include:

    The system is low on memory.
    The system is low on CPU resources.
    The system has a high disk I/O load.

   
User Action

Do one or more of the following:

    Monitor the system resources (CPU usage and disk I/O performance) to identify what is causing the system to be low on resources.
    Schedule Volume Shadow Copy Service or other operations during the least busy periods for the system.
    Move the Diff Area to a different, dedicated volume.

I am 100% sure that there is no specific high volume activity on the hard disk. My best guess is, something blocks the creation of shadow copies and that causes a time out.

Ta
Kobe

This is a little beyond me. Perhaps someone else can take a look at this.

Tech or DavidR. perhaps…?

if I understand your first post correctly your issue is gone once you’ve disabled the behavior shield right? … okay anyway when I had such issues disabling it wasn’t enough, I had to uninstall it completely. There’s been issues between the behavior shield and shadow copy in Windows since the behavior shield got “enhanced” in Avast 5.1 earlier this year, and I decided once for all to not use this shield… at all.

Thanks all for your kind replies. I installed the Avast English language pack to see what the correct wording in Bahavior Shield Main Settings is:

If I untick “Monitor the system for unauthoriszed modifications” and leave evrythuing else on it seems to work. Up till now no problems.

I also tried to put Retrospect folder in the in the Avast exclusion lsit, but that did not help either.

I have a funny feeling though, because before I came across this avast issue, I had working Retrospect backups, i.e. without Shadow Copy complaints; sometimes after a reboot. So for now I keep the setting unticked and will monitor over the next days (auto backups daile at 11:30 pm) and report back.

Later
Kobe

@Kobe: As you found out what you have to untick, I guess it’s already solved for you…!??
Nevertheless, if you want, you can send this issue to avast:
http://www.avast.com/de-de/contact-form.php?loadStyles (unter Technische Fragen) [German link]

PS: German section: http://forum.avast.com/index.php?board=24.0

@SafeSurf: Sorry for the delay, I was quite busy.

Thanks again. Not to worry about the English. That I am used to. I just did not know the exact wording of the feature I had turned off.

Anyway, it is solved in the way that my back-ups work now. I am still interested in what exactly causes the interference. In any case I usually do not like to miss out certain features.

I’ll post this on the Avast link you provided.

So far no probs any more with un-ticked AVAST feature.

Nice weekend

Kobe

You’re welcome…!
Dir auch ein schönes Wochenende, :slight_smile:
asyn