Re: Restoring virus infected file halts TSM client

[Bent Christensen (BVC)]

Hi Andrew,

Thanks for your response and suggestion.

I have been using the weekend to dig a little deeper into the issue, and it 
turns out that if I just restore the folder containing the infected file, TSM 
restores all other files and just responds with a:

01/19/2023 15:58:57 ANSE ..\..\common\winnt\ntrc.cpp(784): Received Win32 
RC 225 (0x00e1) from HlClose(): CreateFile. Error description: Operation 
did not complete successfully because the file contains a virus or potentially 
unwanted software.

But if I run 3-4 or more DSMC RESTORE sessions simultaneously the session which 
has the infected file terminates with this in DSMERROR.LOG:
01/18/2023 17:27:31 ANSE ..\..\common\winnt\ntrc.cpp(784): Received Win32 
RC 225 (0x00e1) from HlClose(): CreateFile. Error description: Operation 
did not complete successfully because the file contains a virus or potentially 
unwanted software.
01/18/2023 17:27:42 ANS1028S An internal program error occurred.

In the last scenario the server receiving the restore is pretty heavily loaded 
on CPU usage with Windows Defender using the major part of the CPUs.

So I will open a case with IBM Support and report this.

 - Bent

-Original Message-
From: ADSM: Dist Stor Manager  On Behalf Of Andrew Raibeck
Sent: Thursday, January 19, 2023 2:19 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Restoring virus infected file halts TSM client

Hello Brent,

Without knowing the specific details of the errors you see, one thing you can 
try is to add this line to the dsm.opt file:

TESTFLAGS CONTINUERESTORE

Restart the client, and see if that causes the operation to continue with the 
next file after an error is reported.

If that does not work, then what error message(s) do you see? What messages, 
coincident with the failed restore, are logged to dsmerror.log? Be sure to 
include the full text, though you can redact user names and file names, as 
appropriate.

Based on that, I might have some other ideas, or else I will suggest opening a 
case with IBM Support.

Unsolicited thought that might be redundant, but I mention it anyway :-) please 
use appropriate care when restoring the files, even if the AV software is 
guarding against suspicious files.

Regards,

Andy

Andrew Raibeck
IBM Spectrum Protect Level 3
IBM Storage
stor...@us.ibm.com

IBM

-Original Message-
From: ADSM: Dist Stor Manager  On Behalf Of Bent 
Christensen (BVC)
Sent: Thursday, 19 January, 2023 06:02
To: ADSM-L@VM.MARIST.EDU
Subject: [EXTERNAL] Restoring virus infected file halts TSM client

Hello,

Just wondered if anyone have had the same issue and maybe found a solution for 
it:

Now and then we are tasked with restoring data that were backed up very long 
ago back to Windows file shares. In a few cases it turns out that some of these 
old files are infected by virus/malware which was not detected by the AV 
application at the time when the malicious file was written.

When the TSM client tries to restore an infected file back to a Windows server, 
the AV application on the Windows server will of course prevent the file from 
being written. However, the TSM client interprets this as an disk error (or 
something) and terminates the restore processes so any subsequent non-infected 
files are not restored, making it almost impossible to do un-monitored restores 
of these data sets.

Would really appreciate it if anyone got some ideas to circumvent this (except 
for disabling the AV application while restoring)?

Regards

Bent


COWI handles personal data as stated in our Privacy 
Notice<https://www.cowi.com/privacy >.
COWI handles personal data as stated in our Privacy 
Notice<https://www.cowi.com/privacy>.

Restoring virus infected file halts TSM client

[Bent Christensen (BVC)]

Hello,

Just wondered if anyone have had the same issue and maybe found a solution for 
it:

Now and then we are tasked with restoring data that were backed up very long 
ago back to Windows file shares. In a few cases it turns out that some of these 
old files are infected by virus/malware which was not detected by the AV 
application at the time when the malicious file was written.

When the TSM client tries to restore an infected file back to a Windows server, 
the AV application on the Windows server will of course prevent the file from 
being written. However, the TSM client interprets this as an disk error (or 
something) and terminates the restore processes so any subsequent non-infected 
files are not restored, making it almost impossible to do un-monitored restores 
of these data sets.

Would really appreciate it if anyone got some ideas to circumvent this (except 
for disabling the AV application while restoring)?

Regards

Bent


COWI handles personal data as stated in our Privacy 
Notice.

SQL query for outstanding requests?

[Bent Christensen (BVC)]

Hi,

Does anyone know how to query the TSM DB2 for outstanding requests with a 
SELECT statement?

I basically need to do much the same as QUERY REQUEST does, but I only need a 
Yes or No and would like to avoid parsing the output of QUERY REQUEST.


 - Bent


COWI handles personal data as stated in our Privacy 
Notice.

Re: server interim fix level 8.1.9.300

[Bent Christensen (BVC)]

Due to:

IT31576: CONTAINER COPY TAPES DO NOT RETURN FROM PENDING STATE PROPERLY

IT32181: AFTER SERVER UPGRADE TO 8.1.9.100 "PROTECT STGPOOL" DOES NOT PROTECT 
ANY EXTENTS

I guess the latter one is why 8.1.9.100 is withdrawn?

 - Bent

-Original Message-
From: ADSM: Dist Stor Manager  On Behalf Of Christian 
Scheffczyk
Sent: Tuesday, April 21, 2020 12:39 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] server interim fix level 8.1.9.300

Hello Bent,

thanks for the info! Do you have more details?
I'm using PROTECT STGPOOL on some instances but I don't see any errors?
O.k., I will schedule downtime.

Thanks and kind regards, Christian


Am 21.04.2020 um 12:27 schrieb Bent Christensen (BVC):
> If you are using PROTECT STGPOOL, either local or to another server, then: 
> Update!!!
>
>   - Bent
>
> -Original Message-
> From: ADSM: Dist Stor Manager  On Behalf Of
> Christian Scheffczyk
> Sent: Tuesday, April 21, 2020 11:54 AM
> To: ADSM-L@VM.MARIST.EDU
> Subject: [ADSM-L] server interim fix level 8.1.9.300
>
> Hello,
>
> yesterday I received emails from "IBM My Notifications" that server fix pack 
> 8.1.9.300 appeared, but I cannot find anywhere what changed?
> Document https://www.ibm.com/support/pages/node/1275274 has the download 
> links and document https://www.ibm.com/support/pages/node/1171654 says 
> "Interim fix 8.1.9.300 did not include APAR updates."
> So, what's new and is it important?
> Furthermore I have some of my servers running at level 8.1.9.100 which is 
> withdrawn from the ftp server, why?
> Is it save to run 8.1.9.100 or should I update asap?
> Could someone from IBM give a comment on this, thank you very much!
>
> Kind regards, Christian
> --
> Dr. Christian Scheffczyk 
> Philipps-Universität, Hochschulrechenzentrum (HRZ)
> Hans-Meerwein-Straße 6, Raum 05A06, D-35043 Marburg
> Fon: +49 (0)6421 28-23519, Fax: +49 (0)6421 28-26994 COWI handles
> personal data as stated in our Privacy Notice<https://www.cowi.com/privacy>.
>


--
Dr. Christian Scheffczyk  Philipps-Universität, 
Hochschulrechenzentrum (HRZ) Hans-Meerwein-Straße 6, Raum 05A06, D-35043 Marburg
Fon: +49 (0)6421 28-23519, Fax: +49 (0)6421 28-26994
COWI handles personal data as stated in our Privacy 
Notice<https://www.cowi.com/privacy>.

Re: server interim fix level 8.1.9.300

[Bent Christensen (BVC)]

If you are using PROTECT STGPOOL, either local or to another server, then: 
Update!!!

 - Bent

-Original Message-
From: ADSM: Dist Stor Manager  On Behalf Of Christian 
Scheffczyk
Sent: Tuesday, April 21, 2020 11:54 AM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] server interim fix level 8.1.9.300

Hello,

yesterday I received emails from "IBM My Notifications" that server fix pack 
8.1.9.300 appeared, but I cannot find anywhere what changed?
Document https://www.ibm.com/support/pages/node/1275274 has the download links 
and document https://www.ibm.com/support/pages/node/1171654 says "Interim fix 
8.1.9.300 did not include APAR updates."
So, what's new and is it important?
Furthermore I have some of my servers running at level 8.1.9.100 which is 
withdrawn from the ftp server, why?
Is it save to run 8.1.9.100 or should I update asap?
Could someone from IBM give a comment on this, thank you very much!

Kind regards, Christian
--
Dr. Christian Scheffczyk  Philipps-Universität, 
Hochschulrechenzentrum (HRZ) Hans-Meerwein-Straße 6, Raum 05A06, D-35043 Marburg
Fon: +49 (0)6421 28-23519, Fax: +49 (0)6421 28-26994
COWI handles personal data as stated in our Privacy 
Notice.

Re: Spectrum Protect PVU licensing

[Bent Christensen (BVC)]

Thanks, Del
I have requested them to do so.

 - Bent

-Original Message-
From: ADSM: Dist Stor Manager  On Behalf Of Del Hoobler
Sent: Monday, July 8, 2019 5:19 PM
To: ADSM-L@VM.MARIST.EDU
Subject: Re: [ADSM-L] Spectrum Protect PVU licensing

Hi Bent,

Please have the auditors contact me directly ASAP.

Thank you.

Del



"ADSM: Dist Stor Manager"  wrote on 07/08/2019
11:08:58 AM:

> From: "Bent Christensen (BVC)" 
> To: ADSM-L@VM.MARIST.EDU
> Date: 07/08/2019 11:15 AM
> Subject: [EXTERNAL] Spectrum Protect PVU licensing Sent by: "ADSM:
> Dist Stor Manager" 
>
> Hi,
>
> We are just going through an IBM license audit and to our overwhelming
> astonishment the IBM auditors want to charge us for licenses for test
> nodes - that is, the computers where we test the installation of new
> fix packs and interim fixes before deploying to our production
> environment.
> In our company, deploying untested software is a very efficient way of
> getting a permanent and self-payed vacation, and we really do not want
> to pay for evaluating other people's faulty software. If it was not
> for the test node licenses, we are fully compliant.
>
> So, have any of you been subject to demands for licensing test nodes?
>
> I should mention that we are currently PVU licensed but looking into
> capacity licensing so we can evolve our virtual environment backup
> strategy - but because of the audit results there is a more than fair
> chance that Veeam is going to run with that☹
>
>  - Bent, loyal TSM customer for 15+ years
>
>
> COWI handles personal data as stated in our Privacy Notice urldefense.proofpoint.com/v2/url?
> u=https-3A__www.cowi.com_privacy=DwIGaQ=jf_iaSHvJObTbx-
>
siA1ZOg=0hq2JX5c3TEZNriHEs7Zf7HrkY2fNtONOrEOM8Txvk8=D1L3hrbS2BGQTTc2u52YFQofS74J1SWDIfE-4_FP4GU=4yqC9LbeQ9zu5_7v3eTBFuZaSxsuSyIUKHowb0JTIvE=
> >.
>


COWI handles personal data as stated in our Privacy 
Notice<https://www.cowi.com/privacy>.

Spectrum Protect PVU licensing

[Bent Christensen (BVC)]

Hi,

We are just going through an IBM license audit and to our overwhelming 
astonishment the IBM auditors want to charge us for licenses for test nodes - 
that is, the computers where we test the installation of new fix packs and 
interim fixes before deploying to our production environment.
In our company, deploying untested software is a very efficient way of getting 
a permanent and self-payed vacation, and we really do not want to pay for 
evaluating other people's faulty software. If it was not for the test node 
licenses, we are fully compliant.

So, have any of you been subject to demands for licensing test nodes?

I should mention that we are currently PVU licensed but looking into capacity 
licensing so we can evolve our virtual environment backup strategy - but 
because of the audit results there is a more than fair chance that Veeam is 
going to run with that☹

 - Bent, loyal TSM customer for 15+ years


COWI handles personal data as stated in our Privacy 
Notice.