Translate replica volume guids to server name

  • Question

  • We just recently implemented both Microsoft EndPoint Protection and also DPM 2012 R2.

    I am seeing the below in the EndPoint security logs.  The DPM server backs up a couple dozen file servers.  Where can I find a reference between the GUIDs in the path name and the file server that was being backed up?

    Thanks in advance,
    Claud

    Computer name: DPM2012.xxx.yyy
    Domain: XXX
    Detection time(UTC time): 8/20/2014 12:43:54 AM
    Malware file path: file:_D:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\Volumes\Replica\File System\vol_63dd1a6f-4aae-476b-84b8-2ac0f788e7f2\acca9ca7-02ad-401e-9881-dbec023173ec\Full\Public\Cap\Word\Compliance\Pringle\LOOK.EXE
    Remediation action: Quarantine
    Action status: Succeeded


    Computer name: DPM2012.xxx.yyy
    Domain: XXX
    Detection time(UTC time): 8/20/2014 12:43:51 AM
    Malware file path: file:_D:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\Volumes\Replica\File System\vol_63dd1a6f-4aae-476b-84b8-2ac0f788e7f2\acca9ca7-02ad-401e-9881-dbec023173ec\Full\Public\Cap\Word\Compliance\PRINGLE0601\LOOK.EXE
    Remediation action: Quarantine
    Action status: Succeeded

    Wednesday, August 20, 2014 7:40 PM

Answers

  • Hi,

    You can run this SQL query to show the protected server and volume that has the offending files so they can be cleaned up as well.

    Open SQL Management Studio and connect to the SQL Server instance hosting the DPMDB.  Under databases, select the DPMDB, then click on the New Query button. Paste in the below query and execute it. The MountPointPath will match a portion of the security log.

    select ag.NetbiosName, ds.DataSourceName, vol.MountPointPath 
    from tbl_IM_DataSource as ds
    join tbl_PRM_LogicalReplica as lr
    on ds.DataSourceId=lr.DataSourceId
    join tbl_AM_Server as ag
    on ds.ServerId=ag.ServerId
    join tbl_SPM_Volume as vol
    on lr.PhysicalReplicaId=vol.VolumeSetID
    and vol.Usage in (1)
    and lr.Validity in (1,2) 


    Regards, Mike J. [MSFT]


    Wednesday, August 20, 2014 11:40 PM
    Moderator
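
The lookup described in the answer above, automated as an added example that is not part of the original thread: it pulls each "Malware file path" out of the Endpoint Protection records and finds the query row whose MountPointPath is a portion of it. The server names, data source values and function names are constructed for illustration, and it assumes the part after `\Full\` is the path on the protected volume, as the sample paths suggest.

```python
import re
from typing import NamedTuple, Optional

# First record is from the question (trimmed); the second is constructed
# to show a detection that is not under any replica volume.
SAMPLE_LOG = r"""
Computer name: DPM2012.xxx.yyy
Malware file path: file:_D:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\Volumes\Replica\File System\vol_63dd1a6f-4aae-476b-84b8-2ac0f788e7f2\acca9ca7-02ad-401e-9881-dbec023173ec\Full\Public\Cap\Word\Compliance\Pringle\LOOK.EXE
Remediation action: Quarantine

Computer name: DPM2012.xxx.yyy
Malware file path: file:_D:\Temp\unrelated.exe
"""

# Constructed rows in the column order the query returns:
# (NetbiosName, DataSourceName, MountPointPath). Server names are made up.
REPLICA_ROOT = r"D:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\Volumes\Replica\File System"
QUERY_ROWS = [
    ("FILESRV01", "E:\\", REPLICA_ROOT + r"\vol_11111111-2222-3333-4444-555555555555" + "\\"),
    ("FILESRV02", "E:\\", REPLICA_ROOT + r"\vol_63dd1a6f-4aae-476b-84b8-2ac0f788e7f2" + "\\"),
]

PATH_RE = re.compile(r"^\s*Malware file path:\s*(?:file:_)?(.+?)\s*$", re.I | re.M)

class Source(NamedTuple):
    server: str
    data_source: str
    path_on_source: str

def resolve(detected_path: str, rows) -> Optional[Source]:
    """Return the protected server whose replica volume holds detected_path."""
    for server, data_source, mount in rows:
        # MountPointPath must appear as a portion of the logged path; requiring
        # a backslash after it avoids matching a longer, different volume name.
        pattern = re.escape(mount.rstrip("\\")) + r"\\(.+)"
        m = re.search(pattern, detected_path, re.IGNORECASE)
        if m:
            # Assumption: "<replica GUID>\Full\" precedes the original relative path.
            tail = re.split(r"\\Full\\", m.group(1), maxsplit=1, flags=re.IGNORECASE)
            return Source(server, data_source, tail[-1])
    return None  # not under any known replica volume: investigate separately

def map_detections(log_text: str, rows):
    """List of (logged path, Source or None) for every detection record."""
    return [(p, resolve(p, rows)) for p in PATH_RE.findall(log_text)]

if __name__ == "__main__":
    for path, src in map_detections(SAMPLE_LOG, QUERY_ROWS):
        print(src or f"UNMAPPED: {path}")
```

A `None` result means the quarantined file was not inside a replica volume returned by the query, so that detection concerns the DPM server itself rather than a backed-up file server.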

All replies

  • Worked perfect.  Thank you very much.

    As a side note, we are running McAfee VirusScan on the bad server.  I'll be asking our McAfee administrator why McAfee didn't catch it but EndPoint did.

    Thanks again,

    Claud

    Thursday, August 21, 2014 12:27 PM