We were hit by the klez virus over the weekend. In trying to restore some files from pre infected state I found what appears to be a fatal flaw in the way I have versioning set up (or a "feature" in tsm). We are running win/nt 4.0 sp6a and tsm 4.2.1 client, the server is on aix and also 4.2.1. These are the parms I am using.
Versions Data Exists NOLIMIT Versions Data Deleted 2 Retain Extra Versions 33 Retain Only Version 365 Copy Mode MODIFIED Copy Serialization SHRSTATIC Copy Frequency 0 The idea was to be able to keep up to the last 33 days of changes to any given file. What happened is this - when our virus program detected the virus it renamed the files from .exe to .avb. Tivoli, it appears, did not make a distinction between the files and just backed up the new .avb file as a newer version of the .exe file. Since the .exe had not been changed since the end of November, the only good backup of that file was dropped because it was over 33 days old. I believe that this is what is occurring because when I look at the file details for these files (on the restore screen) I see this: Name Size Modified Created Backed up hqd.avb 98 kb 29-nov-01 02-mar-02 03-mar-02 Note that the create date is more than 3 months later than the modified date. My questions are: 1. does this sound like a bug in tsm? 2. is it more likely a problem in the way the anti-virus software is renaming the file? 3. Is there any was to tell tivoli to keep a certain minimum number of versions, something along the lines of a RETAIN MINIMUM VERSIONS so that both high and low water marks and be kept for any given copygroup? Your help is greatly appreciated. Cory Heikel Sr. Systems engineer Milton S. Hershey Medical Center (717) 531-7972
