Quarantined virus files are skipped and your backup reports a failed status on your Windows Small Business Server 2003-based computer (888035)


The information in this article applies to:

  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition

SYMPTOMS

When you back up your Microsoft Windows Small Business Server 2003-based computer, the backup program may report a failed status. Additionally, an error message that is similar to the following may be logged in the backup log file:
Backup started on Date at Time.
Warning: Unable to open "C:\Program Files\Trend\SMCF\Quarantine\Date\20\41\filename" - skipped.

Reason: Access is denied.
Although the backup program reports a failed status, all other files are backed up successfully.

CAUSE

This issue occurs if the following conditions are true:
  • You are using TREND Micro, Inc. antivirus software on your Windows Small Business Server-based computer.
  • You try to back up files that are quarantined by the TREND Micro antivirus program.
  • You are using the Windows Small Business Server backup program.
The TREND Micro antivirus program locks the quarantined files in the quarantine folder so that you cannot read, run, or write to the files before you decide what you want to do with the files. Therefore, the Windows Small Business Server backup program cannot back up the quarantined files.

RESOLUTION

To resolve this issue, follow these steps:
  1. Use the TREND Micro antivirus program to move the quarantine folder to a new location so that it is not a subfolder of the following folders:
    • Windows
    • Program Files
    • Documents and Settings
    Note We recommend that you locate the quarantine folder on a drive where volume shadow copies are disabled.
  2. Use the Windows Small Business Server Backup Configuration Wizard to exclude the quarantine folder from the backups. To do this, follow these steps:
    1. Click Start, and then click Server Management.
    2. In the left pane, click Backup.
    3. In the right pane, click Configure Backup.
    4. On the Welcome to the Windows Small Business Server Backup Configuration Wizard page, click Next.
    5. Click Change existing backup settings, and then click Next.
    6. On the Backup Location page, click Next.
    7. Click No if you are prompted to change the backup location.
    8. On the Backup Data Summary page, click Exclude Folders.
    9. In the Exclude Folders dialog box, click Add Folder.
    10. Locate and then click your quarantine folder, and then click OK two times.
    11. Click Next three times, and then click Finish.
    12. Click Close when the wizard has completed.

MORE INFORMATION

This section discusses why we recommend that you locate the quarantine folder on a drive where volume shadow copies are disabled. The TREND Micro real-time scan will report that a virus is found if the following conditions are true:
  • A quarantine folder is located on a hard disk drive where volume shadow copies are enabled.
  • A virus-infected file has been quarantined.
The scan will report that this virus is in a location that is similar to the following:

Device\HarddiskVolumeShadowCopyNumber\Program Files\Trend\SMCF\Quarantine\Date\09\24\

When you enable shadow copies on a volume, it is for the whole volume. Every file, including virus-infected files, will be included in the shadow copy volume. Shadow copies are read-only. Therefore, you cannot delete files from the shadow copies. You can delete only the whole shadow copy. You cannot exclude the shadow copy location from the TREND Micro real-time scan settings because it is not an actual file location. Therefore, we recommend that you locate the quarantine folder on a hard disk drive where volume shadow copies are disabled.

To prevent the real-time scan from reporting a virus-infected file on a shadow copy volume, you must follow these steps:
  1. Make sure that the quarantine folder is located on a hard disk drive where volume shadow copies are disabled.

    To see which hard disk drives have shadow copies disabled, follow these steps:
    1. Click Start, and then click My Computer.
    2. Right-click a hard disk drive, such as drive C, and then click Properties.
    3. Click the Shadow Copies tab.

      In the Select a volume box, the Next Run Time column will display a status of Disabled for the volumes that have shadow copies disabled.
    Note If you do not have a volume where shadow copies are disabled, you can disable shadow copies on a volume. To do this, follow these steps.

    Important When you disable shadow copies on a volume, any existing shadow copies and settings for the selected volume will be permanently deleted. You will not be able to restore from them.
    1. In the Select a volume box, click the volume that you want to disable shadow copies on, and then click Disable.
    2. Click Yes in response to the warning message.
    3. Click OK.
  2. If you disabled shadow copies for the volume that originally contained your quarantine folder in step 1, and your quarantine folder still exists on the original volume, you do not have to complete the rest of this procedure.

    If you moved your quarantine folder to a different hard disk drive, you must delete existing volume shadow copies from the hard disk drive where your quarantine folder was originally located so that a virus is not reported. Delete only the shadow copies where the TREND Micro real-time scan has reported a virus. To do this, follow these steps:

    Important When you delete an existing shadow copy, the shadow copy and settings for the selected volume are permanently deleted. You will not be able to restore from them.
    1. Click Start, and then click My Computer.
    2. Right-click a hard disk drive, and then click Properties.
    3. Click the Shadow Copies tab.
    4. In the Select a volume box, click the volume where your quarantine folder was originally located.
    5. In the Shadow copies of selected volume area, click the shadow copy that you want to delete, and then click Delete Now.
    6. Repeat the previous step for each shadow copy that you want to delete.
    7. When you are finished, click OK.
  3. If the TREND Micro real-time scan still reports that a virus is found in a volume shadow copy, you must disable and then re-enable shadow copies on the volume where your quarantine folder was originally located. To do this, follow these steps:
    1. Click Start, and then click My Computer.
    2. Right-click a hard disk drive, and then click Properties.
    3. Click the Shadow Copies tab.
    4. Click the volume where your quarantine folder was originally located, and then click Disable.
    5. Click Yes in response to the warning message.
    6. Click the volume where your quarantine folder was originally located, and then click Enable.
    7. Click Yes in response to the warning message, and then click OK.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information. For information about how to contact TREND Micro, Inc., click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and software vendor contact information, A-K

60781 Hardware and software vendor contact information, L-P

60782 Hardware and software vendor contact information, Q-Z

REFERENCES

For more information about the Shadow Copies of Shared Folders feature, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/77A571CC-A360-468A-AD99-6C80049530DB1033.mspx

Modification Type:MajorLast Reviewed:6/21/2006
Keywords:kbtshoot kbprb KB888035 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.