Re: Restoring virus infected file halts TSM client

2023-01-24 Thread Andrew Raibeck
Hi Bent,

It sounds like a good idea to open a support case. Suggestion for doc you can 
collect in advance:

1. Add these options to the dsm.opt file:

  TRACEFLAGS SERVICE
  TRACEFILE C:\somedir\client_trace.txt

You can choose any valid file path for "C:\somedir\client_trace.txt".

2. Run the "dsmc restore ..." command and redirect stdout and stderr to a file. 
If you can reproduce it with a small directory, that will help keep the trace 
file from growing too large. For example:

  dsmc restore C:\mydata\ -subdir=yes > dsmc_restore.txt 2>&1

3. Collect the trace file, dsmc_restore.txt, and dsmerror.log, and submit them 
when you open the case.

I am not sure what causes the ANS0128S in this case. That message is issued 
several seconds after the ANSE, so I do not know if the messages are 
related to each other. If you can capture that in a trace, that might be 
insightful.

To collect documentation for several concurrent dsmc processes, you can do 
something like this:

  dsmc restore C:\mydata1\ -subdir=yes -traceflags=service -tracefile=C:\somedir\client_trace_1.txt > dsmc_restore_1.txt 2>&1
  dsmc restore C:\mydata2\ -subdir=yes -traceflags=service -tracefile=C:\somedir\client_trace_2.txt > dsmc_restore_2.txt 2>&1
  dsmc restore C:\mydata3\ -subdir=yes -traceflags=service -tracefile=C:\somedir\client_trace_3.txt > dsmc_restore_3.txt 2>&1
  dsmc restore C:\mydata4\ -subdir=yes -traceflags=service -tracefile=C:\somedir\client_trace_4.txt > dsmc_restore_4.txt 2>&1

Use your normal "dsmc restore" syntax, but add the -traceflags options, the 
-tracefile option, and output redirection as in the preceding examples.

Finally, based on the info you shared, I suggest you try the restore with this 
option:

  TESTFLAGS CONTINUEWITHUNKNOWNRC

See if that allows the restore to run to completion, skipping past the invalid 
files.

Best regards,

Andy

Andrew Raibeck
IBM Spectrum Protect Level 3
IBM Storage
stor...@us.ibm.com

IBM


Re: Restoring virus infected file halts TSM client

2023-01-24 Thread Bent Christensen (BVC)
Hi Andrew,

Thanks for your response and suggestion.

I have been using the weekend to dig a little deeper into the issue, and it 
turns out that if I just restore the folder containing the infected file, TSM 
restores all other files and just responds with a:

01/19/2023 15:58:57 ANSE ..\..\common\winnt\ntrc.cpp(784): Received Win32 
RC 225 (0x00e1) from HlClose(): CreateFile. Error description: Operation 
did not complete successfully because the file contains a virus or potentially 
unwanted software.

But if I run 3-4 or more DSMC RESTORE sessions simultaneously the session which 
has the infected file terminates with this in DSMERROR.LOG:
01/18/2023 17:27:31 ANSE ..\..\common\winnt\ntrc.cpp(784): Received Win32 
RC 225 (0x00e1) from HlClose(): CreateFile. Error description: Operation 
did not complete successfully because the file contains a virus or potentially 
unwanted software.
01/18/2023 17:27:42 ANS1028S An internal program error occurred.

In the last scenario the server receiving the restore is pretty heavily loaded 
on CPU usage with Windows Defender using the major part of the CPUs.

So I will open a case with IBM Support and report this.

 - Bent
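
Added example, not part of the original thread and not IBM code: a small Python triage script for dsmerror.log that finds the writes the AV engine blocked (Win32 RC 225) and lists any severe "S" message logged shortly afterwards, which is the relationship questioned in the reply above. Assumptions: the log uses the mm/dd/yyyy date format seen in the quoted lines, a message ID ending in "S" marks a severe message, the 30-second window is an arbitrary choice, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# dsmerror.log lines quoted in this thread, re-joined onto single lines.
# The message ID "ANSE" is kept exactly as it appears on the page.
SAMPLE_LOG = r"""
01/19/2023 15:58:57 ANSE ..\..\common\winnt\ntrc.cpp(784): Received Win32 RC 225 (0x00e1) from HlClose(): CreateFile. Error description: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
01/18/2023 17:27:31 ANSE ..\..\common\winnt\ntrc.cpp(784): Received Win32 RC 225 (0x00e1) from HlClose(): CreateFile. Error description: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
01/18/2023 17:27:42 ANS1028S An internal program error occurred.
"""

ENTRY = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (ANS\d*[A-Z])\s+(.*)$")
WIN32_RC = re.compile(r"Received Win32 RC (\d+)")
AV_BLOCK_RC = 225  # Win32 ERROR_VIRUS_INFECTED, the RC reported in the thread


def parse_entries(text):
    """Return (timestamp, msg_id, body) tuples; wrapped lines join the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")  # assumed format
            entries.append([ts, m.group(2), m.group(3)])
        elif line.strip() and entries:
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def correlate(entries, window_seconds=30):
    """For each AV-blocked write, list severe (S) message IDs logged within the window."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for ts, _msg_id, body in entries:
        rc = WIN32_RC.search(body)
        if not rc or int(rc.group(1)) != AV_BLOCK_RC:
            continue
        followers = [mid for t, mid, _ in entries
                     if mid.endswith("S") and timedelta(0) <= t - ts <= window]
        findings.append({"time": ts, "severe_after": followers})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_entries(SAMPLE_LOG)):
        print(f["time"], "AV block; severe messages within 30 s:", f["severe_after"] or "none")
```

When several dsmc processes write to the same dsmerror.log their entries interleave, so a match inside the window is a lead to confirm in the per-process trace files, not proof that the two messages are related.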



Re: Restoring virus infected file halts TSM client

2023-01-19 Thread Francisco J
Hello,

A possibility could be deleting the filespace for that file, for example:

https://adsm.org/forum/index.php?threads/delete-filespace-of-a-specific-filespace.11954/

Regards






Re: Restoring virus infected file halts TSM client

2023-01-19 Thread Andrew Raibeck
Hello Bent,

Without knowing the specific details of the errors you see, one thing you can 
try is to add this line to the dsm.opt file:

TESTFLAGS CONTINUERESTORE

Restart the client, and see if that causes the operation to continue with the 
next file after an error is reported.

If that does not work, then what error message(s) do you see? What messages, 
coincident with the failed restore, are logged to dsmerror.log? Be sure to 
include the full text, though you can redact user names and file names, as 
appropriate.

Based on that, I might have some other ideas, or else I will suggest opening a 
case with IBM Support.

Unsolicited thought that might be redundant, but I mention it anyway :-) please 
use appropriate care when restoring the files, even if the AV software is 
guarding against suspicious files.

Regards,

Andy

Andrew Raibeck
IBM Spectrum Protect Level 3
IBM Storage
stor...@us.ibm.com

IBM



Restoring virus infected file halts TSM client

2023-01-19 Thread Bent Christensen (BVC)
Hello,

Just wondered if anyone has had the same issue and maybe found a solution for 
it:

Now and then we are tasked with restoring data that were backed up very long 
ago back to Windows file shares. In a few cases it turns out that some of these 
old files are infected by virus/malware which was not detected by the AV 
application at the time when the malicious file was written.

When the TSM client tries to restore an infected file back to a Windows server, 
the AV application on the Windows server will of course prevent the file from 
being written. However, the TSM client interprets this as a disk error (or 
something) and terminates the restore processes so any subsequent non-infected 
files are not restored, making it almost impossible to do un-monitored restores 
of these data sets.

Would really appreciate it if anyone got some ideas to circumvent this (except 
for disabling the AV application while restoring)?

Regards

Bent


COWI handles personal data as stated in our Privacy 
Notice.