Jump to content
Telos

VSS snapshots filling "C-drive"

Recommended Posts

I run daily incremental images with Macrium Reflect. Since upgrading to MBAM 3.0 the vss snapshots used by Macrium Reflect are not being deleted from the System Volume Information folder. I read somewhere that the Ransomware module is the culprit. Right now I have 15gigs of these files, and the only reliable way of deleting them is to disable system protection (System Restore) which deletes all restore points.

Is there a Ransomware setting that prevents these files from being deleted? Or something else I should be doing?

2016-12-12_13h53_26.png

Share this post


Link to post
Share on other sites

I noticed the same problem; only solution for now is to turn off the ransomware protection before making an image with Macrium Reflect and enable it again afterwards ...

I'm using MB version 3.0.5.1299 and latest Macrium Reflect Home Edition version 6.3.1665 (I disabled system restore in Windows as I don't use it). This issue is also largely discussed on Wilders Security Forums here

If not done yet, this issue should be passed to the developers.

Thanks for your time !   :)

Edited by throkr
added info about system restore

Share this post


Link to post
Share on other sites

It has been reported, and supposedly a bug report was filed.  However it didn't make the known issues list.  One thing I've found is that if you take one image with the Ransomeware off then all those files are deleted.

I know it might be a challenge to fix it, but it should be a challenge to get it on the known issues list.

Pete

Share this post


Link to post
Share on other sites

Thanks for these infos and let's wait for a future correction of this quite annoying bug.

Share this post


Link to post
Share on other sites
40 minutes ago, Peter2150 said:

One thing I've found is that if you take one image with the Ransomeware off then all those files are deleted.

1

That worked ONLY the first time I tried it. A day later when I had left Ransomware active I got another vss remnant after imaging. So I attempted to delete it by taking another image w/Ransomware inactive... that failed, even with MBAM exited. I then had to disable system protection (toggle off/toggle on) to clear the leftover vss remnants. So now I get these leftovers with each drive image run (one for each drive partition) regardless of Ransomware's on/off setting.

Share this post


Link to post
Share on other sites

Not something I understand much about, but is it likely that anything that makes a shadow copy is likely to leave residue? On my Windows 7 Home Premium system, I use Casper 10 to make alternate incremental bootable backups to drives in USB enclosures. I have Malwarebytes 3.0.5 Premium installed and also have System Restore enabled to use 5% of my C: drive. I also use the Registry Backup component of Tweaking.com's Windows Repair to make regular registry backups using the VSS service. After viewing this post and the linked thread in the Wilders Security forum, I ran a Tree size report on my System Volume Information Folder and the size of the folder reported as 44.8 GB. I ran a Casper Backup after turning of the Ransomware component of MB and the folder size was then reported as 32.9 GB. So something does seem to be going on with Casper as well....... 

Will Registry Backup also be affected by this bug in MB 3.0 and be leaving snapshots in C: drive? And how would I identify them? 

Share this post


Link to post
Share on other sites
3 hours ago, TempLost said:

Not something I understand much about, but is it likely that anything that makes a shadow copy is likely to leave residue?

...

And how would I identify them? 

3

I read elsewhere that someone using Privazer saw a similar effect. To see if you are affected, you'll need to give yourself rights to the hidden System Volume Information file located directly under C:\. If you see bracketed file names like those in my post above, and their modified date corresponds to recent vss program activity, then your are affected. If no bracketed file names appear, then you have no worries.

Share this post


Link to post
Share on other sites

Hi Pedro

I am very familiar with this issue, as I do a lot of imaging.  If you need any help, you can reach me here or at Wilders.  I'd be glad to help.

 

Pete

Share this post


Link to post
Share on other sites
On 12/21/2016 at 10:02 AM, TempLost said:

Thanks for the info everybody, I'll await a fix from Malwarebytes.

Same here!

Share this post


Link to post
Share on other sites
1 hour ago, Peter2150 said:

Speaking of this I notice it still isn't on the list of known issues.  WHY??

Excellent remark (even more because this really is an annoying issue for people doing imaging very often) !

Share this post


Link to post
Share on other sites
3 hours ago, Peter2150 said:

Speaking of this I notice it still isn't on the list of known issues.  WHY??

Oops!  Somehow that slipped through, but I've just now updated the Known Issues list.  We hope to get a fix out for this shortly!

Share this post


Link to post
Share on other sites
2 hours ago, bdubrow said:

Oops!  Somehow that slipped through, but I've just now updated the Known Issues list.  We hope to get a fix out for this shortly!

Thank you!

Share this post


Link to post
Share on other sites

For the past week, I disabled MBAM auto-startup, and yet these vss snapshots continue to amass. I checked Task Manager and don't see anything MBAM-related running.I have MBAM Service set to manual.

Odd to see this continuing despite MBAM shut off.

FWIW I use Macrium's "Incrementals Forever" feature. Hope this gets settled soon. I have to reset Windows' restore points weekly now to manage OS partition space.

Share this post


Link to post
Share on other sites
3 minutes ago, Telos said:

For the past week, I disabled MBAM auto-startup, and yet these vss snapshots continue to amass. I checked Task Manager and don't see anything MBAM-related running.I have MBAM Service set to manual.

Odd to see this continuing despite MBAM shut off.

FWIW I use Macrium's "Incrementals Forever" feature. Hope this gets settled soon. I have to reset Windows' restore points weekly now to manage OS partition space.

I switched to a different product.

Share this post


Link to post
Share on other sites
25 minutes ago, max22 said:

I switched to a different product.

Did you uninstall MBAM? And do you still see vss files piling up after a Macrium image?

I just reset MBAM service from "manual" to disabled" to see if that stops this issue. 

Edited by Telos

Share this post


Link to post
Share on other sites
1 minute ago, Telos said:

Did you uninstall MBAM? And do you still see vss files piling up after a Macrium image?

Not exactly. I redid my whole system for the heck of it. No I do not.

Share this post


Link to post
Share on other sites

I'm still running Malwarebytes 3.0.5 Premium and notice what seems to be an increase in the size of the System Volume Information folder after Tweaking.com's Registry Backup runs, as it's set to do on my laptop every day. This uses the VSS service............

Share this post


Link to post
Share on other sites

Has this problem been fixed? 

I'm running Malwarebytes 3.4.5 and it is 2018....still seeing the vss snapshots from my daily incremental Macrium Reflect files amass in the SVI folder.

Is this still an unresolved problem?

2018-04-09_145941.jpg

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.