Virtual Appliances do not support restoring from a VMware snapshot taken from a running virtual machine

Article ID: 162090

Products

  • Endpoint Detection and Response
  • Advanced Threat Protection Platform
  • Web Gateway
  • Messaging Gateway

Issue/Introduction

You revert the appliance's virtual machine (VM) to a previous state using a snapshot in VMware ESX or ESXi. After the revert, a number of events that were previously in the product's database are no longer present.

No error message is displayed.

The Symantec appliance you are using is one of the following:

  • Symantec Endpoint Detection and Response (EDR) 4.x
  • Symantec Messaging Gateway (SMG)
  • Symantec Web Gateway (SWG)

Cause

Virtual installations of Symantec Messaging Gateway, Symantec Web Gateway, and Symantec Advanced Threat Protection (now EDR) do not support reverting to a VMware snapshot that was taken of a running virtual machine. A snapshot of a running appliance captures its disks and database in the middle of whatever messages and transactions were in flight, and reverting to it rolls the appliance back to that inconsistent point. SMG, SWG, and ATP/EDR virtual machines must therefore be powered off before a snapshot is taken, so that all messages and transactions in progress are completed and closed before the snapshot is captured.

Resolution

Do not take snapshots of a running virtual appliance, and do not revert an appliance to a snapshot that was taken while it was running. Doing so can interrupt communications and lose or duplicate transactions and event data.

Snapshotting an active appliance carries a high risk of losing event data and whatever traffic the appliance was processing at that moment. If data loss does occur, whether the data can be recovered varies with the appliance type and version, so do not rely on being able to repair it afterwards. If a snapshot must be taken to satisfy internal IT policy, shut the appliance down cleanly (so that in-flight work is completed) and take the snapshot only once the virtual machine is powered off. The same rule applies before reverting: confirm the snapshot was taken of a powered-off VM, and shut the appliance down before applying it.
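The following PowerCLI script is an added example of how to enforce the rule above from the vSphere side; it is not Broadcom/Symantec code and is not part of the original article. It assumes VMware PowerCLI is installed and a session to the ESXi host or vCenter is already open with Connect-VIServer; the VM name, snapshot name and timeout are hypothetical inputs. The guest-shutdown step relies on VMware Tools being present in the appliance; if it is not, shut the appliance down from its own administration console first and the script will simply find the VM already powered off.

```powershell
# Added example (not Symantec/Broadcom code). Assumes PowerCLI is loaded and
# Connect-VIServer has already been run. $VmName, $SnapshotName and
# $ShutdownTimeoutSec are hypothetical parameters.
param(
    [Parameter(Mandatory)][string]$VmName,
    [string]$SnapshotName = "cold-$(Get-Date -Format 'yyyyMMdd-HHmm')",
    [int]$ShutdownTimeoutSec = 600
)

$vm = Get-VM -Name $VmName -ErrorAction Stop

# 1. Never snapshot a running appliance. Ask the guest OS to shut down
#    (requires VMware Tools in the guest) so in-flight messages and
#    transactions are closed, then wait until the VM reports PoweredOff.
if ($vm.PowerState -ne 'PoweredOff') {
    Write-Host "$VmName is $($vm.PowerState); requesting a clean guest shutdown"
    Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null

    $deadline = (Get-Date).AddSeconds($ShutdownTimeoutSec)
    do {
        Start-Sleep -Seconds 10
        $vm = Get-VM -Name $VmName      # refresh the power state
    } while ($vm.PowerState -ne 'PoweredOff' -and (Get-Date) -lt $deadline)

    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$VmName did not power off within $ShutdownTimeoutSec s; refusing to take a snapshot"
    }
}

# 2. Take a cold snapshot only: no memory image and no quiesce, because
#    nothing is running inside the guest at this point.
New-Snapshot -VM $vm -Name $SnapshotName `
    -Description "Taken with the appliance powered off" `
    -Memory:$false -Quiesce:$false -Confirm:$false

# 3. Audit existing snapshots. PowerCLI records the VM's power state at the
#    time each snapshot was taken; any snapshot whose PowerState is not
#    PoweredOff was captured from a running appliance and must not be reverted to.
Get-Snapshot -VM $vm |
    Where-Object { $_.PowerState -ne 'PoweredOff' } |
    ForEach-Object {
        Write-Warning ("Snapshot '{0}' created {1} was taken with the VM {2}; do not revert to it" -f
            $_.Name, $_.Created, $_.PowerState)
    }
```

Run it as `.\Cold-Snapshot.ps1 -VmName smg01` (hypothetical file and VM names). The audit in step 3 is the check to run before any revert: if the snapshot you intend to apply shows `PoweredOn`, it was taken of a running appliance and is exactly the case this article says is unsupported.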

Additional Information

  • Symantec EDR was formerly named Symantec Advanced Threat Protection (ATP) in its 3.x and earlier versions.
  • In addition to the symptom described above, EDR appliances corrupted by VM snapshots have also exhibited the following, depending on where the corruption occurred:
    • The Linux boot sequence fails to complete and produces a kernel dump.
    • The EDR UI displays the message "EDR is currently unavailable" for longer than 24 hours and never proceeds to the login page.
    • EDR appears to operate normally, but when a software version upgrade is attempted, one of the symptoms above occurs.