Cove: System State backup sporadically fails with "VSS error 0x800423f2: The writer's timeout expired between the Freeze and Thaw events". Sophos Antivirus

Last Modified

Thu Dec 31 13:33 GMT 2020

Description

  • System State backup sporadically fails with "VSS error 0x800423f2: The writer's timeout expired between the Freeze and Thaw events"

Environment

  • Cove Data Protection (Cove)
  • Sophos antivirus

Solution

  • Possible cause is that an antivirus prevents the Volume Shadow Copy Service (VSS) from functioning correctly.
  • Steps from Sophos community:

    Note: The interval below is a value which has been confirmed to fix most instances. If this interval does not fix the issue, we suggest increasing the interval by 30 seconds at a time and retesting.

    1. Turn off Tamper protection
    2. Press the Windows Key + R, type regedit and press Enter.
    3. Access the following key:
      32-bit:
      HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Health\
      64-bit:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\
    4. Create a DWORD value called PollingIntervalSeconds and set the data to 120
    5. Press the Windows Key + R, type services.msc and press Enter.
    6. Restart the Sophos Health Service
    7. Enable Tamper protection
  • To ensure the antivirus is the reason, perform the following steps:
    1. Use the following shell command to create test VSS snapshots:
      for /l %i in (1,1,50) do (vshadow.exe -wi="System Writer" C: >> C:\localVSS.txt)

      shadow utility is not there by default, it has to be downloaded from the Microsoft site. It is important to use the proper version of the vshadow utility, otherwise you will get an unclear error that might confuse you. For server 2012 and above, use the diskshadow utility.

    2. Perform 50 snapshot creation attempts with the antivirus enabled redirecting output to a text file
    3. Perform 50 snapshot creation attempts with the antivirus disabled redirecting output to a separate text file.

      Note: Just disabling it in the GUI or adding exclusions will not work. You should stop the Sophos Health Service for this step.

    4. Compare the results using the text files generated. There must be 100% success rate with the antivirus disabled and about 30-50% with antivirus enabled. If such pattern is confirmed, refer to the support of the antivirus solution.
  • Create pre-backup in Windows Task Scheduler and post-backup script for SystemState backup in the Backup Manager:
    1. pre-backup in Windows Task Scheduler:

      net stop "Sophos Web Intelligence Service"
      net stop "Sophos Web Filter"
      net stop "Sophos Web Control Service"
      net stop "Sophos System Protection Service"
      net stop "Sophos Network Threat Protection"
      net stop "Sophos MCS Client"
      net stop "Sophos MCS Agent"
      net stop "Sophos Heartbeat"
      net stop "Sophos Health Service"
      net stop "Sophos Device Control Service"
      net stop "Sophos Clean Service"
      net stop "Sophos AutoUpdate Service"
      net stop "Sophos Anti-Virus status reporter"
      net stop "Sophos Anti-Virus"
      net stop "Sophos Data Recorder"

    2. post-backup in the Backup Manager:

      net start "Sophos Web Intelligence Service"
      net start "Sophos Web Filter"
      net start "Sophos System Protection Service"
      net start "Sophos Network Threat Protection"
      net start "Sophos MCS Client"
      net start "Sophos MCS Agent"
      net start "Sophos Heartbeat"
      net start "Sophos Health Service"
      net start "Sophos Device Control Service"
      net start "Sophos Clean Service"
      net start "Sophos Data Recorder"