Backup Vista C: triggers worm detection? (Read 12309 times)
sootsnoot
Backup Vista C: triggers worm detection?
Sep 24th, 2007 at 2:12pm
 
Background:
--------------

I have Norton SystemWorks 2006 Premier (Ghost 10 & NAV) on XP Home SP2 system that shares out several folders where I make backups from other XP systems with Ghost 10 on them, on my LAN which is protected by a router.  All systems connected to it have always had up-to-date antivirus and firewall protection.  Knock wood, I've never had a virus infection, though I've had plenty detected in emails over the years.  Automated Ghost backups have been working great for a couple of years.

Just bought a brand new laptop (HP dv2500t) with Vista Home Premium.  Initial setup was very smooth, and I made its one-time factory restore disk on a single Dual-Layer DVD.  Very nice.  Then went through Windows Update and Live Update (for its pre-installed Norton Internet Security), getting everything up-to-date.  After much puzzlement over Ghost 12.0 versus Symantec Backup Exec System Recovery Desktop Edition (they sound like the same thing, with a couple of extra bells and whistles on the latter), I downloaded Ghost 12.0 from the Symantec web site.  First burned the recovery disk .iso to a CD and verified it would boot and could see the network.  The latter was something of a pain, as unlike the Ghost 10 recovery CD, the other machines on the network did not show up in its network browser.  I typed a network share manually, but did not have privilege to access it.  So I did the access as a different user, but found that it would not accept a user account without a password: you have to type at least one character in the password box to enable the OK button.  I was able to work around this by opening a command window and entering a net use command, and verified it could see the files on the share okay.  So I figured there was a good chance I'd be able to use Ghost 12.0 on the new Vista system as effectively as Ghost 10 on the various XP systems, and went ahead and installed Ghost 12.0, ran LiveUpdate, and tried doing both a "My Documents" backup and a full system backup (a My Computer Backup produced by the easy wizard thingy).

The My Documents backup reported success.  I haven't yet checked whether it's useful for recovering files, because the below problem with the full backup was much more important.

The Problem:
---------------
The full backup failed.  Watching Progress and Performance, it looked like it would get stuck after 5% or sometimes 6% for 5 minutes or so, then fail with "Error E7D1001F: Unable to write to file. Error EBAB03F1: The specified network name is no longer available."  I tried everything I could think of with network credentials, no luck.  Then I saw I was getting Delayed Write Failed's in the Windows event log.  So I jacked up Session Manager\Memory Management\SystemPages, which had fixed this problem on an XP system some time back. No luck.

Then I was looking at the screen during one of my failed attempts and noticed a popup saying Norton Internet Security had blocked an intrusion attempt.  Went through the logs and found a "Nebiwo Worm Propagation (1)" attack.  And the attack was coming from the brand new freshly-installed Vista machine itself!  I ran full NAV scans of both machines after a LiveUpdate and they were clean. Tried a few more backups, and verified that I got the attack popup only during a backup.  So I went into NIS on the Vista machine and excluded that particular attack from its list of signatures.  Tried again, and this time the server where I was writing the backup reported the same attack signature (via its SystemWorks 2006 Premier NAV protection)!  So I excluded that signature on the server.  But still no luck.  Now the Vista machine started reporting "MS ASN1 Integer Overflow TCP" attack.  So I excluded that one - next time it reported "Nebiwo Worm Propagation (2)", and so on through "Nebiwo Worm Propagation (3)" and "Deloder Worm Infection".  Finally, I disabled worm detection on both the Vista machine and on the XP server machine, and voila, the backup succeeded.  And re-running virus scans found nothing.  And after the backup finished I was able to mount it as a recovery point on the Vista machine (the XP machine won't mount it, says it has an invalid image size, because it's running Ghost 10, not 12).

Anybody got any ideas on this one, including the best way to report it to Symantec?  It seems particularly ironic that if you go to: http://www.symantec.com/avcenter/attack_sigs/s20022.html the bottom of the page says:
 "Possible False Positives
  There are no known false positives associated with this signature."
No false positives except those produced by Ghost 12.0!

I sure don't want to run all the time with worm detection disabled.  But having to disable it in order to make a backup kind of defeats the utility of automatic scheduled backups...

I haven't seen this problem reported previously - but it seems unlikely that I'm the only one using Ghost 12.0 on Vista that also has Norton Internet Security and makes backups over the network - so I wonder what's different about my configuration to cause this...
 

-Rich
 
 

John.
Re: Backup Vista C: triggers worm detection?
Reply #1 - Sep 24th, 2007 at 2:28pm
 
I had the almost identical problem at one office.  A small workgroup of 4 or 5 computers, and one contained a usb2 hard drive where other pc's would store, via the local network, their Ghost 9 or Ghost 10 images.  All pc's had Norton AntiVirus 2006 (at that time).

After literally weeks of debugging and changing backup locations and network debugging etc. I discovered that NAV 2006 was flagging the Ghost backup traffic as an "attack".  Sometimes the source pc would flag worm detection errors during the verify.  Seems I couldn't win!  I ended up disabling Worm Detection just as you did to get around it. 
(Symantec shouldn't flag its own products' network activity as a worm!)

I still ended up occasionally with network errors and failed backups.  And whenever an error occurred, the Ghost catalogue or permissions got fouled up.

Solution:  purchased individual usb2 drive for each pc (less than $100 each) and directed the backup images to the local usb2 drive.

Haven't had a problem since.  Well worth $100 per pc insurance.
 

Ghost4me  Ghost 9, 10, 12, 14, 15.  Windows XP, Vista, Windows 7
 
 
sootsnoot
Re: Backup Vista C: triggers worm detection?
Reply #2 - Sep 24th, 2007 at 5:46pm
 
Thanks for the quick, but depressing,  reply, Ghost4me.

Yes, this is a small workgroup (whose name is not WORKGROUP) consisting of one desktop machine with the backup storage disks in external Firewire-800 enclosures (3 dual-disk enclosures, two with a pair of 300GB drives and one with a pair of 400 GB), and 2 to 4 laptops each with 160GB hard drives.

Although it's possible to buy more disks and enclosures and separately connect each laptop to its own external disk, it would cost more like $300 per laptop, and the end result would be much less convenient/flexible.   And the really galling thing is that this exact setup has been working flawlessly for a couple of years with Ghost 10 on XP SP2 (some Home and some Pro) machines.  The problem stems entirely from adding a Vista laptop client with Ghost 12.0.  The fact that disabling worm blocking on the Vista laptop caused the server with SystemWorks 2006 to report the same attack signature as the laptop did before I disabled it suggests to me that the problem is in Ghost 12.0, as years of backups from clients using Ghost 10 never encountered such a problem.

With both Vista and Ghost 12.0 so new, I'd hope that Symantec would look into this problem.  I'm trying their email support, with a sketch of this problem and a pointer to this posting for details.  Of course the email support form doesn't list Ghost as a product (!), so I've entered the bug against Norton Internet Security 2007.  I'll let you know what I get for a response.
 

-Rich
 
 
John.
Re: Backup Vista C: triggers worm detection?
Reply #3 - Sep 24th, 2007 at 6:05pm
 
If your server-pc is the one with SystemWorks Premier 2006, I would uninstall that and replace it with NAV 2008 or NIS 2008 which are both out now.  I've seen discounts in the stores for the 2008 products now.

I never had any luck disabling the worm signatures in NAV when I was debugging.  Only disabling the entire worm protection fixed it.

You can try Symantec's free (for most products) online chat:
http://www.symantec.com/home_homeoffice/support/selectproduct_ts.jsp

 

Ghost4me  Ghost 9, 10, 12, 14, 15.  Windows XP, Vista, Windows 7
 
 
sootsnoot
Re: Backup Vista C: triggers worm detection?
Reply #4 - Sep 24th, 2007 at 6:24pm
 
John. wrote on Sep 24th, 2007 at 6:05pm:
If your server-pc is the one with SystemWorks Premier 2006, I would uninstall that and replace it with NAV 2008 or NIS 2008 which are both out now.  I've seen discounts in the stores for the 2008 products now.


Yes, the server has SW 2006 Premier.  But note that it was the new Vista laptop (with NIS 2007) that first reported the intrusion attempt (against itself!).  It was when I excluded that first signature from NIS 2007 on the client, that the NAV from SW 2006 on the server reported it.  So if NIS 2008 is the answer, I'd need to install it on both the new laptop and on the server.  If it solves the problem without having to disable worm protection, it would be worth paying something for upgrades.  Although I think Symantec *really* ought to fix it at the very least in NIS 2007 via LiveUpdate.  IMHO SW 2006 deserves a LiveUpdate, too, since the problem is a false positive triggered by a new Norton product, and Symantec claims there are no known false positives for these worm signatures.

 

-Rich
 
 
John.
Re: Backup Vista C: triggers worm detection?
Reply #5 - Sep 24th, 2007 at 7:18pm
 
Quote:
IMHO SW 2006 deserves a LiveUpdate, too, since the problem is a false positive triggered by a new Norton product, and Symantec claims there are no known false positives for these worm signatures.

Good luck with that.  I'm skeptical that you are going to convince someone at the LiveUpdate support level to get your complaint/message to someone responsible for coding fixes for SW2006 (which is 2 years old) and get it released as a free LiveUpdate.  Much easier for Symantec to ask you to pay for NIS 2008 and "see" if that helps.

Even when Symantec has released LiveUpdates for Ghost, it seems impossible to find out what was fixed or what was added.  I guess "a little knowledge is a dangerous thing".  Better to keep us customers in the dark.

I am interested in how you get it resolved.  It is the same problem I had with a mixture of Ghost 9 and Ghost 10 and NAV 2006 (which has worm protection).

It seemed that the "server" machine would detect the backup process as a worm.  And then the source machine would detect the verify process as a worm coming back.  At first I just disabled the worm detection on the "server" pc, but had to disable it on the others because the verify option was enabled (as it should be).
 

Ghost4me  Ghost 9, 10, 12, 14, 15.  Windows XP, Vista, Windows 7
 
 

John.
Re: Backup Vista C: triggers worm detection?
Reply #6 - Sep 24th, 2007 at 10:32pm
 
Another option you can consider at some point is some other Internet Security software instead of Symantec's.  ZoneAlarm Internet Security Suite is one and there are others.
 

Ghost4me  Ghost 9, 10, 12, 14, 15.  Windows XP, Vista, Windows 7
 
 
sootsnoot
Re: Backup Vista C: triggers worm detection?
Reply #7 - Sep 26th, 2007 at 3:33pm
 
I did get a prompt response to my email technical support request - the automatic ack came immediately, but I actually heard from a real person within a few hours.

Unfortunately but not surprisingly, the response just explained what Intrusion Prevention is, that it uses a list of attack signatures, and gave the following advice to resolve the problem:
Quote:
In order to resolve this issue, I suggest that you disable this feature and
check for the issue:

-- At the top of the main window, click the Norton Internet Security tab.
-- Open the Settings bar.
-- Under Web Browsing, click Intrusion Prevention.
-- Click Configure.
-- In the Intrusion Prevention General Settings window, uncheck "Intrusion
Prevention Notification"
-- Click OK.


I promptly replied that this just disabled notification, that the backup traffic being incorrectly recognized as an attack would still be blocked, and my backup would still fail, so the problem was not resolved.

I'll post further progress when/if it happens.
 

-Rich
 
 
CNetS-Charles
Re: Backup Vista C: triggers worm detection?
Reply #8 - Oct 14th, 2007 at 10:06pm
 
I contacted Symantec on-line tech support today.  They told me to exclude the signatures for the Nebiwo worm in Internet Security on the Vista PC.  Reluctantly, I did that but it solved the problem.  Backup to XP server now works without disabling intrusion prevention on either machine.  Symantec assured me that other features in Internet Security, such as Auto Protect, would provide protection.

Also, if you use SimpleTech SimpleShare NAS for backup, make sure you have the latest level of firmware.  Ghost 12 backups failed until I upgraded firmware.
 
 
 
sootsnoot
Re: Backup Vista C: triggers worm detection?
Reply #9 - Oct 15th, 2007 at 1:49am
 
Glad that disabling just one worm signature (or was it all three of the Nebiwo variants?) worked for you, CNetS-Charles - but it wasn't enough for me.  After disabling all three of those signatures the backup still got recognized as an attack, and I disabled at least two more worm signatures it reported before I finally gave up.

Also, have you verified that you can recover your C drive using the Ghost 12.0 recovery CD?  As I reported elsewhere, with two different images that both passed integrity checking, the recovery CD gave the same behavior, of restoring the disk up past 99% complete, and then reporting a fatal "cannot read memory at address ...." error and dying.  I've reported this to Symantec, and they do seem to be mildly interested.
 

-Rich
 
 
CNetS-Charles
Re: Backup Vista C: triggers worm detection?
Reply #10 - Oct 30th, 2007 at 3:49pm
 
I disabled all three Nebiwo variants and it actually worked - - ONCE!  The first scheduled backup failed when Norton blocked what it perceived as an attack.  Norton reported that the Vista PC attempting to back up was attacking my NAS storage (backup destination) as the Deloder worm.  Ghost 12 then failed.  Oh well, I'll contact Symantec again.

Thanks for the heads up on the recovery.  I haven't tested that but will.  I'll post results of test and contact with Symantec.
 
 
 

sootsnoot
Re: Backup Vista C: triggers worm detection?
Reply #11 - Oct 30th, 2007 at 7:24pm
 
Good luck getting a sensible response from tech support.

I found they were somewhat responsive in terms of replying to emails, but the content of the emails I would describe as being composed by someone solely extracting keywords from the problem description, looking up those keywords in a database of known problems, and pasting in the first thing that came up, with a little polite "Thank you for contacting us" wrapper on top.  But showing no actual thought or understanding about the problem.

E.g. regarding the problem restoring a verified valid and mountable image using the restore CD, they asked for output from the System Information tool.  When I sent it, they replied that they found I had installed Acronis True Image, and that was probably causing the problem. Sort of overlooking the fact I had told them I installed Acronis AFTER I'd encountered the problem and failed to get a solution from them.  Not to mention that no matter what program might be installed on the hard drive, if I managed to make a good image of the disk, that couldn't/shouldn't possibly cause the restore program booted from the restore CD to crash with a memory access violation!!

Anyway, I did invest $50 to see if Acronis True Image 11.0 had problems with Vista.  Worked fine - both making full C: drive incremental backups over the network, and restoring the drive over the network using the bootable restore CD.  I'd gotten pretty comfortable with Ghost on XP, so at first the differences in the Acronis interface and terminology seemed like a negative.  But after playing with it a bit more, reading some of the help, and tweaking the backups to use locations with quotas defined, I think it's got better functionality than Ghost 12.0 - and it doesn't appear to have fatal bugs.  But not no bugs at all, I did encounter a null pointer dereference in some part of the user interface when I'd failed to explicitly select an item before clicking okay.  So I had an excuse to try their email technical support.  Not only got responses in a reasonable amount of time, the responses sounded like they'd been written by someone who actually read the problem description, had given some thought to the answer, and was interested in getting the problem fixed!

Also Acronis happened to have a buy-one-license-get-one-license-free special, so I'm going to move all four of my systems to True Image 11.0.  I tend to be fairly brand-loyal, and I tried to give Symantec a real chance to keep me using Ghost.  But I didn't have the energy to keep pushing on them just to acknowledge that there might be a serious bug and maybe they'd look at fixing it some day, let alone go without reliable backups until they actually got it fixed or provided a usable workaround.  I do wish you good luck in getting Ghost to work for you, I'll remember it fondly as a really cool one-of-a-kind program for home use in its youth.
 

-Rich
 