Solved

Archiving with Symantec EndPoint Protection 14 Installed



Hi All,

I have somewhat discussed this topic in the below post that has not clearly answered / resolved my issue.

https://community.commvault.com/technical-q-a-2/stubb-recall-not-working-183

 

When disabling SEP completely the recalls work successfully.

Configuring and adding all processes and folders to the AV exclusion list does not resolve the problem.

 

The only method that allows for stub recalls to work successfully is by configuring the AV On-Access scanner to not scan for Read operations in the folder where the stub is located.

 

Can someone please assist in clarifying exactly what processes are involved with the recall of files? I can see cvd.exe, cvods.exe and clmgrs.exe popping up from a Commvault point of view. Could there be any native Windows process involved in this process that might have a read operation during the recall process? Maybe the filter drivers that need to be added to the exclusions as well? I have added several processes to the cvmhsm registry key as ExcludedProcessX.

Should the driver process also be configured as exclusions within AV or is the addition of them in the registry fine?

 

Appreciated.

Thanks.

 


Best answer by Evan@Commvault 7 May 2021, 14:45


4 replies


Hi Iggy,

 

I would suggest checking the below link as it’s a more general list of suggested exclusions (this would be in addition to the SEP-specific page you already have).

https://documentation.commvault.com/commvault/v11_sp20/article?p=8665.htm

As far as processes, ClMgrS manages the filter driver and recall process, therefore it being excluded usually prevents most interference. That being said you should exclude the entire Commvault install directory as described in the above link.

And sure, any configuration in SEP that you believe will lessen its handling of the recall process should be fine.

As far as processes in the kernel, we do leverage SMB and reads, however this is after our filter driver detects the read which ClMgrS is monitoring.

Is there a way in SEP to see a more granular report of specifically what it is blocking?

Please review the above and let me know.

-Evan

 


Hi @Evan@Commvault ,

As mentioned all provided processes and folders were excluded.

Do you have the process names for the SMB and read operations?

On a failed system the ClMgrs.log stops at the below event:

3964  440   05/07 14:23:16 ##### DMRBufferHandlerWinFSDM::OnBufferPlFsHdr(3668) - Received PL_FS_HDR for fileName:C:\xxxxxxx.pdf

 

On a working system (AV disabled) there is one additional entry in the log before the recall is successful.

3964  440   05/07 14:23:16 ##### DMRBufferHandlerWinFSDM::OnBufferPlFsHdr(3668) - Received PL_FS_HDR for fileName:C:\xxxxxxx.pdf
3964  440   05/07 14:23:16 ##### CFSDMDriverRecallResponder::NotifyDriver(391) - Informing driver about recall status for Seq No : 1, File Name : [ C:\xxxx.pdf ] Recall status [ 0 ]
3964  3e4   05/07 14:23:16 ##### CFSDMAPIRecallResponder::Respond(78) - Recall request succeeded for file [C:\xxxxx.pdf]

 

This made me believe that there is something blocking the filter driver from starting.

 

Thanks.

Ignes
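
The symptom described above (ClMgrS.log stops at PL_FS_HDR with no NotifyDriver entry) can be searched for across a whole log instead of by eye. This is an added example, not part of the original posts or Commvault's own code; it assumes the line layout of the excerpts above and runs on constructed sample lines.

```python
import re

# Line layout copied from the ClMgrS.log excerpts in the post:
#   PID  TID  MM/DD HH:MM:SS  #####  Class::Method(line) - message
LINE = re.compile(r"^\s*\S+\s+\S+\s+(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d)\s+#+\s+"
                  r"[\w:]+\(\d+\)\s+-\s+(?P<msg>.*)$")
HDR = re.compile(r"Received PL_FS_HDR for fileName:(?P<path>.+)$")
NOTIFY = re.compile(r"File Name : \[ (?P<path>.+?) \] Recall status \[ (?P<status>-?\d+) \]")
DONE = re.compile(r"Recall request succeeded for file \[(?P<path>.+?)\]")


def recall_stages(lines):
    """Map each file path (lower-cased) to the furthest recall stage seen."""
    stages = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # blank or unrelated line
        msg = m["msg"]
        if h := HDR.search(msg):
            # A new PL_FS_HDR starts (or restarts) tracking for this file.
            stages[h["path"].strip().lower()] = {"stage": "header_only", "since": m["ts"]}
        elif n := NOTIFY.search(msg):
            rec = stages.setdefault(n["path"].lower(), {"since": m["ts"]})
            rec.update(stage="driver_notified", status=int(n["status"]))
        elif d := DONE.search(msg):
            stages.setdefault(d["path"].lower(), {"since": m["ts"]})["stage"] = "succeeded"
    return stages


def stalled(lines):
    """Paths whose recall stopped after PL_FS_HDR, as on the failing system."""
    return sorted(p for p, r in recall_stages(lines).items() if r["stage"] == "header_only")


# Constructed sample (paths are made up): report.pdf completes,
# invoice.pdf stops at PL_FS_HDR like the failing system in the post.
SAMPLE = r"""
3964  440   05/07 14:23:16 ##### DMRBufferHandlerWinFSDM::OnBufferPlFsHdr(3668) - Received PL_FS_HDR for fileName:C:\data\report.pdf
3964  440   05/07 14:23:16 ##### CFSDMDriverRecallResponder::NotifyDriver(391) - Informing driver about recall status for Seq No : 1, File Name : [ C:\data\report.pdf ] Recall status [ 0 ]
3964  3e4   05/07 14:23:16 ##### CFSDMAPIRecallResponder::Respond(78) - Recall request succeeded for file [C:\data\report.pdf]
3964  440   05/07 14:25:02 ##### DMRBufferHandlerWinFSDM::OnBufferPlFsHdr(3668) - Received PL_FS_HDR for fileName:C:\data\invoice.pdf
""".splitlines()

if __name__ == "__main__":
    for path in stalled(SAMPLE):
        print("recall stalled after PL_FS_HDR:", path)
```

The timestamps of stalled entries give the window to line up against the AV product's own scan or block log and a ProcMon capture.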

 


Did you select the Skip Offline Files option in Scan Options? From the documentation: Symantec® Endpoint Security v12xAV Settings for Windows File Archiver (commvault.com)


Can you check the altitudes of the minifilter drivers? - Use “fltmc” from an Admin CMD window.

In terms of Commvault processes to exclude from AV Scan, Try the following:

  • GXHSMStub.exe
  • GXHSMService.ex (Ensure that the extension is ‘.EX’)
  • ClMgrS.exe
  • CVD.exe
  • CLRestore.exe
  • CLBackup.exe
  • Ifind.exe

If that doesn't help, maybe run a ProcMon capture and recall a file and see what events come up in the output.

 

Best Regards,

Michael


Hi Michael,

How should the minifilter drivers be treated if any is above the cvmhsm driver?

Then I see that the list of processes that you mention is under the McAfee and Windows Defender sections and not SEP. I will request the additional ones to be added. Where is the GXHSMService.ex process contained? I searched the server but could not find it.

 

I will run a ProcMon to confirm if any additional processes appear.

 

Regards,

Ignes

 
