Jump to content

VSS snapshots filling "C-drive"


Recommended Posts

I run daily incremental images with Macrium Reflect. Since upgrading to MBAM 3.0 the vss snapshots used by Macrium Reflect are not being deleted from the System Volume Information folder. I read somewhere that the Ransomware module is the culprit. Right now I have 15gigs of these files, and the only reliable way of deleting them is to disable system protection (System Restore) which deletes all restore points.

Is there a Ransomware setting that prevents these files from being deleted? Or something else I should be doing?

2016-12-12_13h53_26.png

Link to post
Share on other sites

I noticed the same problem; only solution for now is to turn off the ransomware protection before making an image with Macrium Reflect and enable it again afterwards ...

I'm using MB version 3.0.5.1299 and latest Macrium Reflect Home Edition version 6.3.1665 (I disabled system restore in Windows as I don't use it). This issue is also largely discussed on Wilders Security Forums here

If not done yet, this issue should be passed to the developers.

Thanks for your time !   :)

Edited by throkr
added info about system restore
Link to post
Share on other sites

It has been reported, and supposedly a bug report was filed.  However it didn't make the known issues list.  One thing I've found is that if you take one image with the Ransomeware off then all those files are deleted.

I know it might be a challenge to fix it, but it should be a challenge to get it on the known issues list.

Pete

Link to post
Share on other sites

40 minutes ago, Peter2150 said:

One thing I've found is that if you take one image with the Ransomeware off then all those files are deleted.

1

That worked ONLY the first time I tried it. A day later when I had left Ransomware active I got another vss remnant after imaging. So I attempted to delete it by taking another image w/Ransomware inactive... that failed, even with MBAM exited. I then had to disable system protection (toggle off/toggle on) to clear the leftover vss remnants. So now I get these leftovers with each drive image run (one for each drive partition) regardless of Ransomware's on/off setting.

Link to post
Share on other sites

Not something I understand much about, but is it likely that anything that makes a shadow copy is likely to leave residue? On my Windows 7 Home Premium system, I use Casper 10 to make alternate incremental bootable backups to drives in USB enclosures. I have Malwarebytes 3.0.5 Premium installed and also have System Restore enabled to use 5% of my C: drive. I also use the Registry Backup component of Tweaking.com's Windows Repair to make regular registry backups using the VSS service. After viewing this post and the linked thread in the Wilders Security forum, I ran a Tree size report on my System Volume Information Folder and the size of the folder reported as 44.8 GB. I ran a Casper Backup after turning of the Ransomware component of MB and the folder size was then reported as 32.9 GB. So something does seem to be going on with Casper as well....... 

Will Registry Backup also be affected by this bug in MB 3.0 and be leaving snapshots in C: drive? And how would I identify them? 

Link to post
Share on other sites

3 hours ago, TempLost said:

Not something I understand much about, but is it likely that anything that makes a shadow copy is likely to leave residue?

...

And how would I identify them? 

3

I read elsewhere that someone using Privazer saw a similar effect. To see if you are affected, you'll need to give yourself rights to the hidden System Volume Information file located directly under C:\. If you see bracketed file names like those in my post above, and their modified date corresponds to recent vss program activity, then your are affected. If no bracketed file names appear, then you have no worries.

Link to post
Share on other sites

  • 2 weeks later...
  • 2 weeks later...

For the past week, I disabled MBAM auto-startup, and yet these vss snapshots continue to amass. I checked Task Manager and don't see anything MBAM-related running.I have MBAM Service set to manual.

Odd to see this continuing despite MBAM shut off.

FWIW I use Macrium's "Incrementals Forever" feature. Hope this gets settled soon. I have to reset Windows' restore points weekly now to manage OS partition space.

Link to post
Share on other sites

3 minutes ago, Telos said:

For the past week, I disabled MBAM auto-startup, and yet these vss snapshots continue to amass. I checked Task Manager and don't see anything MBAM-related running.I have MBAM Service set to manual.

Odd to see this continuing despite MBAM shut off.

FWIW I use Macrium's "Incrementals Forever" feature. Hope this gets settled soon. I have to reset Windows' restore points weekly now to manage OS partition space.

I switched to a different product.

Link to post
Share on other sites

25 minutes ago, max22 said:

I switched to a different product.

Did you uninstall MBAM? And do you still see vss files piling up after a Macrium image?

I just reset MBAM service from "manual" to disabled" to see if that stops this issue. 

Edited by Telos
Link to post
Share on other sites

  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.