SnapDiff generates a snapshot containing malware


Jun 17, 2017
PREDATAR Control23

The Windows administrator detected malware that was contained in a snapshot created during a TSM SnapDiff backup and left on NetApp storage.

Was this malware originally contained in the production file, or was it somehow generated during the TSM SnapDiff backup?

If it is in the production file, how come it was detected in the snapshot and not in the original file?

Thanks for your advice!
PREDATAR Control23

I think the malware was on the disk, so when TSM read the file after the snapshot, it got scanned and detected.
PREDATAR Control23

The detecting software is a third-party one, not TSM. It was found in the snapshot initiated by TSM. So it seems weird: why was the malware not found anywhere else, but only in the snapshot? And after the snapshot was removed, the malware was found again in the next day's snapshot.
PREDATAR Control23


What is your antivirus policy: scan upon read, read/write, or write? When TSM reads a file, it will first be read by an antivirus engine (depending upon policy).

Please add some logs from TSM and other logs that we may have a look at.
PREDATAR Control23

What you said makes sense.

The antivirus software is managed by the System Admin. We don’t know how it works. The malware got caught in the SnapDiff snapshot. Now that group asks us to contact the data owner and to delete the original file.
Shouldn’t it be their or the antivirus’ role to detect the original file containing the malware and quarantine it, so that TSM would not pick it up?

Please advise how it should work.
Thank you!