Telos Posted December 17, 2016 ID:1081405 Share Posted December 17, 2016 I run daily incremental images with Macrium Reflect. Since upgrading to MBAM 3.0 the vss snapshots used by Macrium Reflect are not being deleted from the System Volume Information folder. I read somewhere that the Ransomware module is the culprit. Right now I have 15gigs of these files, and the only reliable way of deleting them is to disable system protection (System Restore) which deletes all restore points. Is there a Ransomware setting that prevents these files from being deleted? Or something else I should be doing? Link to post Share on other sites More sharing options...
throkr Posted December 20, 2016 ID:1082340 Share Posted December 20, 2016 (edited) I noticed the same problem; only solution for now is to turn off the ransomware protection before making an image with Macrium Reflect and enable it again afterwards ... I'm using MB version 3.0.5.1299 and latest Macrium Reflect Home Edition version 6.3.1665 (I disabled system restore in Windows as I don't use it). This issue is also largely discussed on Wilders Security Forums here If not done yet, this issue should be passed to the developers. Thanks for your time ! Edited December 20, 2016 by throkr added info about system restore Link to post Share on other sites More sharing options...
Peter2150 Posted December 20, 2016 ID:1082347 Share Posted December 20, 2016 It has been reported, and supposedly a bug report was filed. However it didn't make the known issues list. One thing I've found is that if you take one image with the Ransomeware off then all those files are deleted. I know it might be a challenge to fix it, but it should be a challenge to get it on the known issues list. Pete Link to post Share on other sites More sharing options...
throkr Posted December 20, 2016 ID:1082358 Share Posted December 20, 2016 Thanks for these infos and let's wait for a future correction of this quite annoying bug. Link to post Share on other sites More sharing options...
Telos Posted December 20, 2016 Author ID:1082359 Share Posted December 20, 2016 40 minutes ago, Peter2150 said: One thing I've found is that if you take one image with the Ransomeware off then all those files are deleted. 1 That worked ONLY the first time I tried it. A day later when I had left Ransomware active I got another vss remnant after imaging. So I attempted to delete it by taking another image w/Ransomware inactive... that failed, even with MBAM exited. I then had to disable system protection (toggle off/toggle on) to clear the leftover vss remnants. So now I get these leftovers with each drive image run (one for each drive partition) regardless of Ransomware's on/off setting. Link to post Share on other sites More sharing options...
TempLost Posted December 21, 2016 ID:1082536 Share Posted December 21, 2016 Not something I understand much about, but is it likely that anything that makes a shadow copy is likely to leave residue? On my Windows 7 Home Premium system, I use Casper 10 to make alternate incremental bootable backups to drives in USB enclosures. I have Malwarebytes 3.0.5 Premium installed and also have System Restore enabled to use 5% of my C: drive. I also use the Registry Backup component of Tweaking.com's Windows Repair to make regular registry backups using the VSS service. After viewing this post and the linked thread in the Wilders Security forum, I ran a Tree size report on my System Volume Information Folder and the size of the folder reported as 44.8 GB. I ran a Casper Backup after turning of the Ransomware component of MB and the folder size was then reported as 32.9 GB. So something does seem to be going on with Casper as well....... Will Registry Backup also be affected by this bug in MB 3.0 and be leaving snapshots in C: drive? And how would I identify them? Link to post Share on other sites More sharing options...
Telos Posted December 21, 2016 Author ID:1082590 Share Posted December 21, 2016 3 hours ago, TempLost said: Not something I understand much about, but is it likely that anything that makes a shadow copy is likely to leave residue? ... And how would I identify them? 3 I read elsewhere that someone using Privazer saw a similar effect. To see if you are affected, you'll need to give yourself rights to the hidden System Volume Information file located directly under C:\. If you see bracketed file names like those in my post above, and their modified date corresponds to recent vss program activity, then your are affected. If no bracketed file names appear, then you have no worries. Link to post Share on other sites More sharing options...
Staff pbust Posted December 21, 2016 Staff ID:1082615 Share Posted December 21, 2016 We're looking into it and hoping to add a fix for it soon. Link to post Share on other sites More sharing options...
Peter2150 Posted December 21, 2016 ID:1082634 Share Posted December 21, 2016 Hi Pedro I am very familiar with this issue, as I do a lot of imaging. If you need any help, you can reach me here or at Wilders. I'd be glad to help. Pete Link to post Share on other sites More sharing options...
TempLost Posted December 21, 2016 ID:1082648 Share Posted December 21, 2016 Thanks for the info everybody, I'll await a fix from Malwarebytes. Link to post Share on other sites More sharing options...
max22 Posted January 4, 2017 ID:1086568 Share Posted January 4, 2017 On 12/21/2016 at 10:02 AM, TempLost said: Thanks for the info everybody, I'll await a fix from Malwarebytes. Same here! Link to post Share on other sites More sharing options...
Peter2150 Posted January 4, 2017 ID:1086577 Share Posted January 4, 2017 Speaking of this I notice it still isn't on the list of known issues. WHY?? Link to post Share on other sites More sharing options...
throkr Posted January 4, 2017 ID:1086602 Share Posted January 4, 2017 1 hour ago, Peter2150 said: Speaking of this I notice it still isn't on the list of known issues. WHY?? Excellent remark (even more because this really is an annoying issue for people doing imaging very often) ! Link to post Share on other sites More sharing options...
bdubrow Posted January 4, 2017 ID:1086663 Share Posted January 4, 2017 3 hours ago, Peter2150 said: Speaking of this I notice it still isn't on the list of known issues. WHY?? Oops! Somehow that slipped through, but I've just now updated the Known Issues list. We hope to get a fix out for this shortly! Link to post Share on other sites More sharing options...
max22 Posted January 4, 2017 ID:1086707 Share Posted January 4, 2017 2 hours ago, bdubrow said: Oops! Somehow that slipped through, but I've just now updated the Known Issues list. We hope to get a fix out for this shortly! Thank you! Link to post Share on other sites More sharing options...
Peter2150 Posted January 4, 2017 ID:1086746 Share Posted January 4, 2017 Thanks Becky Link to post Share on other sites More sharing options...
throkr Posted January 5, 2017 ID:1086751 Share Posted January 5, 2017 Thank you for the update (and the forthcoming fix) ! Link to post Share on other sites More sharing options...
TempLost Posted January 5, 2017 ID:1086849 Share Posted January 5, 2017 Yes, thanks Becky - really needs fixing (along with all the other issues). Link to post Share on other sites More sharing options...
Telos Posted January 19, 2017 Author ID:1089805 Share Posted January 19, 2017 For the past week, I disabled MBAM auto-startup, and yet these vss snapshots continue to amass. I checked Task Manager and don't see anything MBAM-related running.I have MBAM Service set to manual. Odd to see this continuing despite MBAM shut off. FWIW I use Macrium's "Incrementals Forever" feature. Hope this gets settled soon. I have to reset Windows' restore points weekly now to manage OS partition space. Link to post Share on other sites More sharing options...
max22 Posted January 19, 2017 ID:1089807 Share Posted January 19, 2017 3 minutes ago, Telos said: For the past week, I disabled MBAM auto-startup, and yet these vss snapshots continue to amass. I checked Task Manager and don't see anything MBAM-related running.I have MBAM Service set to manual. Odd to see this continuing despite MBAM shut off. FWIW I use Macrium's "Incrementals Forever" feature. Hope this gets settled soon. I have to reset Windows' restore points weekly now to manage OS partition space. I switched to a different product. Link to post Share on other sites More sharing options...
Peter2150 Posted January 19, 2017 ID:1089808 Share Posted January 19, 2017 Pedro, it's been almost a month. Come on!! Link to post Share on other sites More sharing options...
Telos Posted January 19, 2017 Author ID:1089812 Share Posted January 19, 2017 (edited) 25 minutes ago, max22 said: I switched to a different product. Did you uninstall MBAM? And do you still see vss files piling up after a Macrium image? I just reset MBAM service from "manual" to disabled" to see if that stops this issue. Edited January 19, 2017 by Telos Link to post Share on other sites More sharing options...
max22 Posted January 19, 2017 ID:1089813 Share Posted January 19, 2017 1 minute ago, Telos said: Did you uninstall MBAM? And do you still see vss files piling up after a Macrium image? Not exactly. I redid my whole system for the heck of it. No I do not. Link to post Share on other sites More sharing options...
TempLost Posted January 19, 2017 ID:1089819 Share Posted January 19, 2017 I'm still running Malwarebytes 3.0.5 Premium and notice what seems to be an increase in the size of the System Volume Information folder after Tweaking.com's Registry Backup runs, as it's set to do on my laptop every day. This uses the VSS service............ Link to post Share on other sites More sharing options...
dydxdx Posted April 10, 2018 ID:1231590 Share Posted April 10, 2018 Has this problem been fixed? I'm running Malwarebytes 3.4.5 and it is 2018....still seeing the vss snapshots from my daily incremental Macrium Reflect files amass in the SVI folder. Is this still an unresolved problem? Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now