Problem description
The backup process for the File Server was halted during the folder listing phase for share C and failed with the following error codes: Phoenix 228, Phoenix 189, and Phoenix 187.
Cause
The failure stemmed from interference caused by the endpoint antivirus software, Panda Security, which employs inline hooking. This technique involves injecting DLLs into active processes to monitor behavior. Unfortunately, this disrupted key Druva components such as:
PhoenixFSSnapshot.exe
PhoenixFSBackupAgent.exe
As a result, the sessions terminated unexpectedly without generating typical crash logs.
Traceback
Procmon logs revealed the creation of antivirus-related DLL files while PhoenixFSSnapshot.exe was active.
The process dump also confirmed the presence of an antivirus-related DLL file (PSNInjComm64.dll) within PhoenixFSBackupAgent.exe.
Resolution
Step 1: Verify AV Interference
Collect the following for analysis:
Procmon logs
Windows Event Logs
Druva process dumps
Step 2: Identify Injected DLLs
Look for third-party DLLs like PSNInjTools64.dll or PSNInjComm64.dll injected into Druva executables.
Step 3: Remediate
Create AV exclusions for the following:
Druva install directories
Druva Binaries: PhoenixFSSnapshot.exe, PhoenixFSBackupAgent.exe
Temp and log paths used by Druva
For detailed information, refer to the article
Note: Even with exclusions, AVs using inline hooks may still interfere. Full AV removal may be required for permanent resolution.
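One way to triage the Procmon capture from Steps 1 and 2 is to list every module the Druva processes loaded from outside expected directories. This is an added example, not Druva tooling; the trusted directories, the placeholder paths, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Druva binaries named in this article (compared case-insensitively).
DRUVA_PROCESSES = {"phoenixfssnapshot.exe", "phoenixfsbackupagent.exe"}

# Assumption: modules loaded from these directories are expected.
# Replace the placeholder with the real Druva install directory.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\druva_install_dir_placeholder\\")

# Constructed sample rows in the column layout of a Procmon CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","PhoenixFSSnapshot.exe","4120","Load Image","C:\DRUVA_INSTALL_DIR_PLACEHOLDER\PhoenixFSSnapshot.exe","SUCCESS",""
"10:01:02.2","PhoenixFSSnapshot.exe","4120","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS",""
"10:01:02.3","PhoenixFSSnapshot.exe","4120","Load Image","C:\AV_DIR_PLACEHOLDER\PSNInjTools64.dll","SUCCESS",""
"10:01:03.0","PhoenixFSBackupAgent.exe","4188","Load Image","C:\AV_DIR_PLACEHOLDER\PSNInjComm64.dll","SUCCESS",""
"10:01:03.1","PhoenixFSBackupAgent.exe","4188","CreateFile","C:\AV_DIR_PLACEHOLDER\PSNInjComm64.dll","SUCCESS",""
"10:01:03.2","explorer.exe","900","Load Image","C:\AV_DIR_PLACEHOLDER\PSNInjComm64.dll","SUCCESS",""
'''


def is_trusted(path):
    """True when the module path sits under a trusted directory."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def find_injected_modules(csv_text):
    """Map each Druva process to the untrusted modules it loaded."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() not in DRUVA_PROCESSES:
            continue
        if row["Operation"] != "Load Image":  # module-load events only
            continue
        if not is_trusted(row["Path"]):
            findings.setdefault(row["Process Name"], set()).add(row["Path"])
    return {proc: sorted(paths) for proc, paths in findings.items()}


if __name__ == "__main__":
    for proc, modules in find_injected_modules(SAMPLE_CSV).items():
        for module in modules:
            print(f"{proc}: unexpected module {module}")
```

The check is path-based, so a module loaded from a trusted directory is not flagged; confirm any hit against the process dump before changing AV exclusions.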
Preventive Measure:
Coordinate with your endpoint protection/AV team to ensure compatibility and proper exclusions for all Druva services to avoid similar behavior in the future.