Just an FYI, I use Legato Networker to do NDMP backups but have seen similar behavior with incremental/differential backups as a result of running Antivirus software against a volume.
Michael
The NDMP software uses the mtime and ctime timestamps to determine if a file should be included in an incremental dump. If either timestamp is more recent than the base dump, then the file is included in the incremental dump.
You can tell NDMP to only use the mtime and ignore ctime.
mtime is the last time file data was modified. The mtime can also be set to an arbitrary value, so it isn't 100% reliable. In other words, you could put an important file on your filer and then "touch" its mtime back to a time before the base dump of the incremental dump. If NDMP ignores ctime, then the file doesn't get included in the incremental dump. (Setting the mtime by hand bumps ctime.)
The ctime is the last time file inode data was changed. ctime cannot be set to an arbitrary value. It is only bumped to the current system time as a side effect of some file operation. Changing file owner, group or permissions bumps ctime without affecting mtime.
Files also have an atime, which is the last time that data was read from the file. Not surprisingly, virus scanning software bumps atime whenever it reads a file. Some folks don't like that because if all files are scanned, then all files appear to have been accessed recently. You cannot identify files that have not been accessed recently by users. Because of this some virus scanners save the atime, scan the file, and then put back the old atime. Unfortunately, this bumps the ctime, so the file gets included in the next incremental dump.
If virus scanning software is causing your incremental dumps to be very large, then you can:
1) Try to configure the virus scanning software to not put back the old atime. That way ctime and mtime are not bumped by the scanner. But then all files have a recent atime.
2) Tell NDMP to ignore ctime. Unfortunately, you may end up not dumping some files because mtime can be set by hand. Furthermore, some changes (such as owner, group or permissions) only bump ctime and do not bump mtime.
3) Run the virus scanner on a snapshot. The scanner cannot modify anything in a snapshot, including atimes and ctimes. Of course, the scanner can only identify infected files in a snapshot. It can't remove them.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
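
The timestamp behavior described in the message above can be reproduced on any POSIX filesystem. This is an added example, not part of the original thread and not NDMP or filer code: `in_incremental` is a hypothetical model of the stated selection rule, `scan_and_restore_atime` stands in for a scanner that puts back the old atime, and the file names and contents are constructed.

```python
import os
import tempfile
import time


def in_incremental(path, base_ns, use_ctime=True):
    """Model of the rule above: include if mtime (or ctime) is newer than the base dump."""
    st = os.stat(path)
    if st.st_mtime_ns > base_ns:
        return True
    return use_ctime and st.st_ctime_ns > base_ns


def scan_and_restore_atime(path):
    """Stand-in for a scanner that reads a file, then puts the old atime back."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        fh.read()
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))  # this call bumps ctime


def demo():
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("scanned", "touched_back", "idle")}
        for p in paths.values():
            with open(p, "w") as fh:
                fh.write("constructed sample data\n")
        # Treat the newest ctime as the time of the base dump.
        base_ns = max(os.stat(p).st_ctime_ns for p in paths.values())
        time.sleep(1.1)  # outlast filesystems with 1-second timestamps
        before = os.stat(paths["scanned"])
        scan_and_restore_atime(paths["scanned"])
        after = os.stat(paths["scanned"])
        # Modify a file, then set its mtime to an hour before the base dump.
        with open(paths["touched_back"], "a") as fh:
            fh.write("changed after the base dump\n")
        st = os.stat(paths["touched_back"])
        os.utime(paths["touched_back"], ns=(st.st_atime_ns, base_ns - 3600 * 10**9))

        return {
            "scan_kept_mtime": after.st_mtime_ns == before.st_mtime_ns,
            "scan_bumped_ctime": after.st_ctime_ns > before.st_ctime_ns,
            "with_ctime": sorted(n for n, p in paths.items() if in_incremental(p, base_ns, True)),
            "mtime_only": sorted(n for n, p in paths.items() if in_incremental(p, base_ns, False)),
        }


if __name__ == "__main__":
    print(demo())
```

With ctime honored, both the scanned file (data unchanged) and the back-dated file are selected; with mtime only, neither is, so the modified file is missed.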