Antivirus software may delete files required by the NetBackup Media Server Deduplication Option's deduplication engine (spoold), causing it to fail to start. Deleted files may also result in corrupt, unrestorable images.

Article: 100001540
Last Published: 2021-01-07
Ratings: 0 0
Product(s): NetBackup

Problem

Antivirus software may delete files required by the NetBackup Media Server Deduplication Option's deduplication engine (spoold), causing it to fail to start. Deleted files may also result in corrupt, unrestorable images.

Error Message

ERR [0000000001420F20]: 25002: _storeCheckContainers: container data file E:\Deduplication Backups\data/#####.bin is missing

Solution

Media server's running Deduplication Option (MSDP/PDDE) can have critical binary data files (.bin) deleted by AntiVirus software. These ".bin" may contain segments of files previously backed up files, hence deletion of these files can lead to dataloss and an inconsistent disk pool. Affected servers will result in the "NetBackup Deduplication Engine" (spoold) service stopping and not restarting, backups and restore functions will cease to function.

What is Affected:
Media Server Deduplication Option (MSDP/PDDE) configured Media Servers with Antivirus installed.  NetBackup version 7.0 and above.

How to Determine if Affected:

If spoold cannot be started, check the spoold log for messages similar to the following:
April 12 20:36:53 ERR [0000000001301740]: 25002: dcOutPlaceUpdate: failed to get stat of E:\Deduplication Backups\data/journal/0.bhd (The system cannot find the file specified. )
...
April 12 20:36:51 ERR [0000000001301740]: 25002: _storeClassCompactMain: falied to compact container 38158 (no such object)
April 12 20:36:52 INFO [0000000001301740]: COMPACT: dcOutPlaceUpdate dcid 38181
...
April 14 18:39:55 ERR [0000000001420F20]: 25002: _storeCheckContainers: container data file E:\Deduplication Backups\data/3038.bin is missing

Checking the disk pool installation path (in this case, E:\Deduplication Backups\data), it was discovered that two .bin files were missing:
3038.bin
31774.bin
Note: the associated .bhd files were still present.

The Application event logs on the media server revealed these messages:
Fri Apr 2 2010 02:17:48 Sophos Anti-Virus W1    Infected file "E:\Deduplication Backups\data\31774.bin" has been deleted.
Fri Apr 2 2010 02:17:48 Sophos Anti-Virus W2    Virus/spyware 'Mal/JSShell-B' has been detected in "E:\Deduplication Backups\data\31774.bin". Cleanup unavailable.
...
Wed Mar 24 2010 01:52:43      Sophos Anti-Virus W1    Infected file "E:\Deduplication Backups\data\3038.bin" has been deleted.
Wed Mar 24 2010 01:52:43      Sophos Anti-Virus W8    Virus/spyware 'W32/Chir-B' has been detected in "E:\Deduplication Backups\data\3038.bin". Cleanup failed.

These messages indicate that the two .bin files were deleted by Sophos Anti-Virus .

When no antivirus software is used on the client side, the potential exists that backups made from those clients may contain files with virus signatures (assuming compression and encryption are not used).  In such cases, it is possible that any container binary data on the media server could match a signature to any antivirus software running on that media server.

Formal Resolution:
As this is a function of the configuration of the antivirus software, this is not a NetBackup issue. There are no current plans to alter NetBackup behavior.
Recover the file from the quarantine folder, however, if the missing file could not be recovered, then recoverCR or crchk (NetBackup 7.5) should be used to resolve the issue.

From Version 7.7.3. MSDPcheck replaces recoverCR or crchk. Please contact Veritas Support if this is needed.

Software Alerts
 

Workaround:
To prevent this issue, antivirus software must be configured to exclude MSDP configured "Storage" and/or "Database" volumes.


Veritas strongly recommends the following best practices:
1. Always perform a full backup prior to and after any changes to your environment.
2. Always make sure that your environment is running the latest version and patch level.
3. Perform periodic "test" restores.

 

Was this content helpful?