Windows 10: Windows Defender Whitelist and Volume Shadow Copy

Discussion in 'AntiVirus, Firewalls and System Security' started by jhg6308, Apr 19, 2021.

  1. jhg6308 Win User



    In order to troubleshoot a network issue I downloaded netcat (ncat.exe).


    Windows Defender classifies this as a "hack tool" and attempts to quarantine it. It is not malware; it is a network debugging tool.


    I was able to whitelist the executable. However, it now appears in several Volume Shadow copies, so when my nightly backup runs, Windows Defender complains that it found a threat.


    Remediation Incomplete


    Detected: HackTool:Win32/NetCat!MSR

    Status: Failed

    This threat or app might not be completely remediated.


    Affected items:

    file: \Device\HarddiskVolumeShadowCopy52\Users\jim\AppData\Local\Microsoft\WindowsApps\ncat.exe


    There is no way to whitelist a file that's contained in a VSC, and anyway the number in the path (52 above) is different every time.


    Is there a way to whitelist NetCat by its signature instead of its full path, so it will be whitelisted regardless of where it appears?

    :)
     
    jhg6308, Apr 19, 2021
    #1

  2. Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.

    Hi,

    Thank you for getting back with a reply.

    I suggest you start the Volume Shadow Copy service and check. Follow these steps:

    a. Click Start and type services.msc in the search box.

    b. Search for the Volume Shadow Copy service and make sure the startup type is Automatic.

    i. Right-click on the service.

    ii. If the service is stopped, then start the service.

    iii. Select Properties.

    iv. In the Startup type, select Automatic.

    c. Click OK.

    Keep us posted on Windows related queries and we will be happy to assist you further.
     
    Nachappa C K, Apr 19, 2021
    #2
  3. Exclude backups (Volume Shadow Copy) from Windows Defender

    I'm not sure that excluding a volume shadow copy is actually what you need to do. I thought I was in the same boat as you... Windows Backup and Restore was reporting failed backups due to malware. The only references I could find in Windows Defender were to a path similar to Device\HarddiskVolumeShadowCopy5\Download\something.crx, and searching similar paths on my actual drives wasn't turning anything up.

    My first clue was when I tried to redo the backup manually: I noticed the first step was "Create Shadow Volume." This made me think that Defender must not be so stupid after all, and perhaps it was catching something being copied from a source drive. After further investigation, it turns out some symbolic links (folder aliases) I had created were confusing the issue, and I finally did turn up the reported file (downloaded over 5 years ago!) that it was complaining about. Now why full scans from Defender don't find it, but real-time access during backup does, is a separate issue.

    Likely you aren't as inept as me with locating the reported malware file(s), but maybe you do have a tenacious bad guy that is either having trouble being cleaned up, yet hiding itself well, or that keeps re-infecting the system from another vector.
     
    DannyMeister, Apr 19, 2021
    #3
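
A triage helper for the situation described in posts #1 and #3, added here as an example and not written by any poster in this thread: it maps the `\Device\HarddiskVolumeShadowCopyNN\...` path from a Defender report back to the live volume and reports whether the source file still exists, whether it is a link, and its SHA-256. The function name is hypothetical, and an elevated PowerShell session is assumed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Resolve-ShadowCopyDetection is a hypothetical helper name.
function Resolve-ShadowCopyDetection {
    param([Parameter(Mandatory)][string]$DetectionPath)

    # Split "\Device\HarddiskVolumeShadowCopyNN" from the path inside the snapshot.
    if ($DetectionPath -notmatch '^\\Device\\(HarddiskVolumeShadowCopy\d+)(\\.*)$') {
        throw "Not a shadow copy device path: $DetectionPath"
    }
    $device   = $Matches[1]
    $relative = $Matches[2]

    # DeviceObject ends with the device name; VolumeName is the GUID path of
    # the volume the snapshot was taken from.
    $shadow = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.DeviceObject -like "*\$device" }
    if (-not $shadow) {
        # Each backup run creates a new snapshot, so an older number may be gone.
        return [pscustomobject]@{ Device = $device; Status = 'Snapshot no longer exists' }
    }

    $volume = Get-CimInstance Win32_Volume |
        Where-Object { $_.DeviceID -eq $shadow.VolumeName }
    if (-not $volume) {
        return [pscustomobject]@{ Device = $device; Status = 'Source volume not found' }
    }
    $livePath = $volume.Name.TrimEnd('\') + $relative
    $item     = Get-Item -LiteralPath $livePath -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Device       = $device
        SnapshotTime = $shadow.InstallDate
        LivePath     = $livePath
        StillOnDisk  = [bool]$item
        # Symbolic links and junctions are reparse points.
        IsReparse    = [bool]($item -and $item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint))
        LinkTarget   = if ($item) { $item.Target } else { $null }
        SHA256       = if ($item -and -not $item.PSIsContainer) {
            (Get-FileHash -LiteralPath $livePath -ErrorAction SilentlyContinue).Hash
        } else { $null }
    }
}

# Device path copied from the Defender report quoted in post #1.
Resolve-ShadowCopyDetection '\Device\HarddiskVolumeShadowCopy52\Users\jim\AppData\Local\Microsoft\WindowsApps\ncat.exe'
```

The SHA-256 can then be compared with the hash published by the tool's vendor before deciding whether an exclusion is justified.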
  4. biconix Win User


    Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.

    I am getting a bunch of errors in the application log related to the Volume Copy Service. I first noticed it when I tried to create a recovery drive and the error simply said that "A problem occurred while creating the recovery drive".

    I examined the application log and noticed that this error occurs periodically, not only when I try to create the drive. I included the four errors below.

    What do I need to do to fix this?

    I am using a Surface Pro 4, Windows 10 with up-to-the-minute patches. I also have installed Carbonite, but I doubt this is the cause as I did not encounter this problem on previous PCs.

    Thanks in advance for any assistance.

    Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered. This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider. The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered].

    Operation:

    Obtain a callable interface for this provider

    List interfaces for all providers supporting this context

    Check If Volume Is Supported by Provider

    Add a Volume to a Shadow Copy Set
    Context:

    Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}

    Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}

    Snapshot Context: 4194304

    Snapshot Context: 4194304

    Execution Context: Coordinator

    Provider ID: {00000000-0000-0000-0000-000000000000}

    Volume Name: \\?\Volume{acda900a-c1f6-4b66-831d-a54d0f93e6db}\

    Execution Context: Coordinator

    Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered].
    Operation:

    Obtain a callable interface for this provider

    List interfaces for all providers supporting this context

    Check If Volume Is Supported by Provider

    Add a Volume to a Shadow Copy Set

    Context:

    Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}

    Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}

    Snapshot Context: 4194304

    Snapshot Context: 4194304

    Execution Context: Coordinator

    Provider ID: {00000000-0000-0000-0000-000000000000}

    Volume Name: \\?\Volume{acda900a-c1f6-4b66-831d-a54d0f93e6db}\

    Execution Context: Coordinator

    Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered. This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider. The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered].
    Operation:

    Obtain a callable interface for this provider

    Add a Volume to a Shadow Copy Set

    Context:

    Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}

    Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}

    Snapshot Context: 4194304

    Execution Context: Coordinator

    Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered].
    Operation:

    Obtain a callable interface for this provider

    Add a Volume to a Shadow Copy Set
    Context:

    Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}

    Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}

    Snapshot Context: 4194304

    Execution Context: Coordinator
     
    biconix, Apr 19, 2021
    #4