Video Screencast Help

Symantec definition files causing large incremental images with ShadowProtect

Created: 01 Sep 2011 • Updated: 15 Sep 2011 | 6 comments

Hi all,

I have a small client who is running Symantec Antivirus Corporate Edition and Symantec Mail Security for Microsoft Exchange 6.5.  They are backing up the server using StorageCraft ShadowProtect and replicating the incremental backups offsite.  The problem that I am having is that when Symantec updates it's definition files, the incremental backup that takes place afterwards is approximately 1.5 to 2.5GB in size.  This killing the replication.

I spoke with StorageCraft support and verified that there is nothing that can be done about it on their side.  They say that it is due to the way Symantec updates it's files and the fact that ShadowProtect backs up all sector changes.  (See JWT's post from 6/21/2010 for more information on this.)  Their recommendation is that I move the defintion storage locations to another partition or drive but after doing some research here, it appears that this is not a possibility because these locations are basically hardcoded into Symantec's products.

All of this pretty much means that I would have to either install a standalone antivirus server and switch to another mail filtering solution or stop replicating backups offsite. 

Right now, it looks like I can work around this issue by manually deleting all virus definition files and installing the latest set.  This clears up several gigabytes in space and the incremental backups are normal in size for a few weeks before they start causing issues again.  I have read a little about the symdeltemp utility but I'm not very clear on it.  Does anyone know if it would be possible use the Windows task scheduler to automatically run symdeltemp and clear out the definition files every couple of weeks?  I suppose that I could try to script something myself but I would much rather use a Symantec utility for this.

Let me know if anyone has any experience or suggests with this issue.  Thanks!

*I have verified that this issue occurs with other clients who are running StorageCraft and EndPoint instead of Corporate Edition.  I don't believe that, even though it needs to be done, upgrading this client to EndPoint will help the issue.

Comments 6 CommentsJump to latest comment

cncsupport's picture


We have Storagecraft at several sites and some FTP off-site too. They all have SEP v11.0 in it's various flavours and RU releases and the incremental issue still exists and is a pain to those taht do not have the bandwidth to upload offsite, locally is fine of course!

We are checking with v12.1 currently, however, not convinced it will make any difference.

have you managed to get around this issue at all?


Dave1's picture

I am about to deploy SP to multiple clients all utilising Endpoint protection, in some places it is not practical to move the local client installation to an alternate volume.

How is this problem going? Each of these sites I must deploy to will have to replicate their differential images off site across links of various sizes and this will quickly become an issue if the definitions are causing lots of erroneous change with full replacements of the files being saved rather than using an append operation!

What can I do other than saving the client installations to alternate volumes? Has symantec produced an answer?

mlynds's picture

Hi, are there any Symantec engineers that can shed some light on this.  We too have many clients we just deployed Storage Craft Shadow Protect and the offsite replication is taking way too long because of this Endpoint issue with the new Liveupdate definitions causing large incremental backups.

We are currently using SEP V12.1.

peter ashley's picture

Can you create "exceptions" for temp folders and definitions so that they don't get backed up?

Can you ask the vendor for a compression and data deduplication features which seems to be standard on many enterprise class backup products?

Not all of the definition bits are changed from update to update, so data deduplication and compression could operate very effectively.

mlynds's picture

Hi, I will contact the vendor to find out if there is a way to exclude folders from the image.  What is the drive path for the physical updates?  Would excluding the entire "Symantec" folder under program files do the trick?