One of my customer’s computers got a rootkit infection last week. Rather than reinstalling windows, I replaced the entire computer. I decided to put duplicati to the test and restore the user’s data from duplicati instead of copying their data from the infected computer. The restore completed without errors or warnings. A few days later, the user pointed out some missing folders, so I plugged their infected computer in (without network) and confirmed that there are a some files/folders on it that duplicati isn’t showing in the restore tree. I can confirm via “shadow copy / restore previous versions” that the folders in question had been there for at least a week, and they aren’t flagged system or hidden, and duplicati backs up daily, and the folders were in the DOCUMENTS folder, which duplicati was supposed to be backing up, and the ntfs permissions allow SYSTEM to read/write them. I see some warnings in the backup report about SOME of the files/folders in question, but nowhere close to all of them. I don’t understand why duplicati was skipping these files/folders, but I’d REALLY like to get to the bottom of it because now I’m concerned about my other customer computers.
The customer’s new computer is now backing up the same files/folders successfully.
I haven’t touched the backblaze folder since I replaced the infected computer, nor have I modified anything on the infected computer, so we should be able to reproduce this problem and get to the bottom of it. This customer’s data contains sensitive payroll information so I can’t share the backblaze data directly with anybody but i’d be happy to gather any additional non-sensitive info needed.
Infected computer was:
Windows 7 pro 32bit
Running as service (user=local system account)
backup 14.91GB / 114 Versions
The customer has an extremely reliable 500mb/s symmetrical fiber internet connection.
“C:\Program Files\Duplicati 2\Duplicati.CommandLine.exe” backup “b2://…/Kim?auth-username=…&auth-password=…” “C:\EACH\” “C:\Users\” “C:\Transfer\” --snapshot-policy=Auto --send-http-url=http://… --send-http-any-operation=true --send-http-message-parameter-name=message --send-http-level=all --send-http-message=“Duplicati %OPERATIONNAME% report for %backup-name% %PARSEDRESULT% %RESULT%” --backup-name=“Kim to Backblaze” --dbpath=“C:\Program Files\Duplicati 2\data\YZJGXCNJEE.sqlite” --encryption-module=aes --compression-module=zip --dblock-size=50mb --passphrase="…" --retention-policy=“2Y:1W,3M:1D” --exclude-files-attributes=“temporary,system,hidden” --disable-module=console-password-input
Here’s screenshots comparing c:\users\kim\documents\kim\ to dulicati’s restore tree:
(Duplicati skipped 15 of the 35 files)
Some other files/folders that duplicati was ignoring are:
which has a single folder, “kim”, which has 12 XLS files, and 14 folders that have a total of 1,934 files and 167 folders.
which has a single XLS file.
The last backup report in duplicati:
Rather than clutter this post, i’m going to make it available to download from:
(my next post might be why my http reporting server didn’t get the warnings/errors that the local report shows)