Antivirus software may interfere with a backup

This documentation is for an older version of CCC. You can find the latest version here.
Last updated on 16 de diciembre de 2019

Some antivirus applications may prevent Carbon Copy Cloner from reading certain files, mounting or unmounting disk image files, or, in general, degrade the performance of your backup. In some cases, antivirus applications can even affect the modification date of files that CCC has copied, which will cause CCC to recopy those files every time as if they have substantively changed. In another case, we have seen such software create massive cache files on the startup disk during a backup, so much so that the startup disk became full. We recommend that you temporarily disable security software installed on your Mac (e.g. for the duration of your backup task) if problems such as these arise.

If CCC reports that antivirus software may be interfering with your backup task, here are some troubleshooting steps that you can take to resolve the problem:

  1. Determine whether the files in question are being quarantined by your antivirus software. Perform a system scan with your antivirus software and address any issues that are reported. Please refer to the Help documentation associated with your antivirus product for more information.
  2. If the problem persists, try running your backup task with the antivirus software temporarily disabled.

If the antivirus software's behavior cannot be resolved, you may be able to workaround the problem with an advanced setting. Select your task in CCC's main application window, then:

  1. Click the Advanced Settings button.
  2. Check the Don't update newer files on the destination option in the Troubleshooting box
  3. Save and run your task.

If these steps do not address the issue, or if you do not have antivirus software installed, please open a support request and we'll do our best to help you resolve the problem.

"Real time" protection scanning and Digital Loss Prevention applications have significant performance ramifications

We regularly receive reports that the backup task is running too slow, only to find that some "real time" protection application is directly causing the problem by taking too long to either scan content that CCC is writing, or by taking too long to permit the filesystem requests that CCC makes to the source or destination. While these applications do provide a valuable service to protect your Mac from malware, they're doing a disservice if they're interfering with backups.

The following applications are frequently implicated in these scenarios:

  • Symantec DLP (com.symantec.dlp.fsd)
  • Avira (avguard-scanner)
  • Sophos File Protection (OnAccessKext)

Problem reports related to antivirus software

  • Sync problems and ACL issues
  • Subsequent backups are slow
  • Source Disk becomes full when cloning
  • System hangs during scheduled backup task (Sophos)
  • Problem with CCC and F-Secure 2011 virus scanner
  • McAfee changes modification date of files on the destination
  • Backup task is slower than it should be (VirusBarrier)
  • Slow performance during backup (F-Secure)
  • Symantec Internet Security may cause kernel panics during a backup task
  • BitDefender may generate excessive read activity on the destination volume during a backup task, and may cause the destination device to spontaneously eject. Add the destination volume to BitDefender's exclusion list to avoid the problem.
  • We have received a report that agreeing to Webroot SecureAnywhere's request to "remove threats" during a backup task can produce a non-bootable backup.
  • Little Flocker (now Xfence) can interfere with some of the subtasks required (e.g. creating a kernel extension cache, blessing the destination) to make a cloned system volume bootable.
  • We have received and confirmed a report in which Sophos CryptoGuard can have a debilitating effect on system performance while running a backup task.
  • We have received several reports that McAfee's FileCore and Symantec's Data Loss Prevention software can cause the backup task to hang or to take a very, very long time. The applicable daemon processes may also consume an exceptional amount of CPU during a backup task leading to debilitating system performance for the duration of the task.
  • We have received a report that ESET Endpoint Security can cause the backup task to hang or to take a very, very long time.
  • We have received a report that Bit9 Carbon Black can cause the backup task to hang or to take a very, very long time.
  • We have received a report that TrendMicro's "filehook" service can cause the backup task to hang or to take a very, very long time.
  • We have received a report that Cylance's "CyProtectDrvOSX" kernel extension can cause the backup task to hang or to take a very, very long time.
  • We have multiple reports in which CoSys Endpoint Protector prevents CCC from backing up a pair of video-related system files (e.g. /Library/CoreMediaIO/Plug-Ins/DAL/AppleCamera.plugin).
  • We have received reports that Avira antivirus may terminate CCC's file copier resulting in an incomplete backup. Avira "Real time protection" will also cause the backup task to take a very long time and consume an exceptional amount of CPU resources.

Antivirus Software concerns regarding the BaseSystem.dmg file

There is a file named "BaseSystem.dmg" on the Recovery volume associated with your Mac's startup disk. That disk image file contains the lightweight recovery operating system that is used when your Mac is booted in Recovery mode. At the beginning of every backup task that backs up a startup volume, CCC mounts the recovery volume and creates an archive of the data on that volume. Copying the "BaseSystem.dmg" file is part of that procedure. CCC stores an archive of the recovery volume at /Library/Application Support/com.bombich.ccc/Recovery on the startup disk so that the archive can be included in the backup of that volume.

We have received some reports of users seeing a dialog window (presented by antivirus software) reporting that "the BaseSystem.dmg disk image is being opened", perhaps with a suggestion that the disk image contains a virus or malware. This dialog appears and disappears very quickly, and some users are understandably concerned about the presence and erratic behavior of that dialog. Lacking any creditable information from the AV software, users naturally turn to the Internet, and unfortunately are greeted with terrible advice and misinformation. The BaseSystem.dmg file is not a virus. You should not attempt to delete parts of the operating system.

Users that have attempted to delete that file are prompted for admin credentials, and the deletion attempt still fails. Contrary to what AV software purveyors may claim, the prompt for admin credentials is not coming from a virus, it's coming from macOS because you're trying to delete system files. The attempt to delete system files subsequently fails thanks to macOS's System Integrity Protection. This is not an attempt to get your admin credentials, it's normal macOS system processes working to protect the operating system. The BaseSystem.dmg file is not a virus. You should not attempt to delete parts of the operating system.

If you're seeing a dialog related to the BaseSystem.dmg file and it occurs at the beginning of a CCC backup task, this is a false positive from your antivirus software. Please contact your antivirus application vendor and ask them to fix that. Making a backup of the BaseSystem.dmg file is not something that should be brought to your attention.

Related Documentation