Duplicacy deleted all my EXEs, MSIs, DLLs, and LNKs from the backup source directory structure (recursively)

What’s going on? All the EXEs, MSIs, DLLs, and LNKs have been removed from the folder structure that I attempted to back up to Personal OneDrive using Duplicacy.
(including CMD, BAT, INI, CONFIG, CAT, INF, SYS, ICO, REG)

Every EXE, MSI, DLL, and LNK within the Source directory I backed up to OneDrive Personal using Duplicacy has disappeared with other non-executable files remaining intact.
Microsoft Defender anti-virus did not detect, quarantine, or do any deletions itself.
Thankfully I have an alternative backup (via robocopy) of the source directory, so I can restore the files that have gone missing.
This bug makes Duplicacy dangerous.
I think the behaviour must be a terrible bug, because if it were otherwise malicious the code would have gone after other files on my system.

I’m going to reproduce the behaviour and perform a system trace as I’m a curious cat.

I’ll provide my findings below:

  • Microsoft SFCScan and DISM tools did not find any system file or integrity issues, so I’m certain the files going missing issue is isolated to executable binaries in the directory structure targeted by Duplicacy for backup.
  • Malware scans came back negative - except for the occasional false positive from overambitious AV vendors. I verify suspicious files against VirusTotal.com’s battery of AV engines.
  • The binaries targeted hint at some sort of malicious code somewhere on my system triggered by the backup - but scans from multiple malware vendors came back negative, including Process Explorer’s use of VirusTotal.
  • I’ve put the following back into place using a PowerShell script:
    $fileTypes = @("*.exe", "*.msi", "*.dll", "*.lnk", "*.cmd", "*.bat", "*.ini", "*.config", "*.cat", "*.inf", "*.sys", "*.ico", "*.reg")

This is highly unlikely. The backup process is strictly read-only, and EXE, MSI, and DLL files are not treated any differently from others. You can verify this in the source code at GitHub - gilbertchen/duplicacy: A new generation cloud backup tool.

But yes, please try to reproduce the issue and share your findings here.

Thank you, GChen, for the reassurance that the behaviour is not expected.
I’ll attempt to reproduce on a small sample and share the findings.
I’m running out of time today, so I may not have anything solid to share until tomorrow.

So I reproduced the issue once whilst taking a SysInternals Process Monitor trace. The trace did show Duplicacy accessing the files in read-only mode.
I noticed that on the text files that were kept, Windows Defender scanned/accessed them at the same time as Duplicacy; but the executables Defender did not touch.
Note: Although executable binaries disappeared locally, I could restore them from the Duplicacy backup that had just finished.

I suspect the problem to be something to do with Microsoft Defender, but I then could not reproduce the problem again after the initial trace no matter if I had AV enabled/disabled; removing and recreating storage from scratch; removing and recreating backups; etc. And, I’m sort of happy I cannot reproduce it because it means I can get on with archiving to the cloud. 🙂

I will keep my eye out for the issue if it happens again.

Using Duplicacy is my secondary (offsite) backup so if the issue happens again I can always bring the binaries over from my locally stored robocopy backup via script.

Really bizarre.

I plan to break my Duplicacy backups into smaller chunks so they don’t run for hours.

Thank you for getting back to me so quickly GChen!
Cheers,
Nichm
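
A way to confirm exactly which files of the affected types are missing from the source, by comparing it against the robocopy copy, and optionally copy them back. This is an added example, not the poster's script or Duplicacy code; the `$Source` and `$Backup` paths, the CSV location and the `-Restore` switch are assumptions.

```powershell
# Added example. Paths below are placeholders (assumptions), not taken from the thread.
param(
    [string]$Source = 'D:\Data',            # directory Duplicacy backs up (placeholder)
    [string]$Backup = 'E:\RobocopyBackup',  # robocopy copy of $Source (placeholder)
    [switch]$Restore                        # copy missing files back only when set
)

# Extensions the poster reported as missing from the source tree.
$extensions = '.exe', '.msi', '.dll', '.lnk', '.cmd', '.bat', '.ini',
              '.config', '.cat', '.inf', '.sys', '.ico', '.reg'

$sourceRoot = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
$backupRoot = (Resolve-Path -LiteralPath $Backup).Path.TrimEnd('\')

# Walk the backup; for each file of an affected type, check that the same
# relative path still exists in the source. Nothing is modified in this step.
$missing = @(
    Get-ChildItem -LiteralPath $backupRoot -Recurse -File -Force |
        Where-Object { $extensions -contains $_.Extension } |   # -contains is case-insensitive
        ForEach-Object {
            $relative = $_.FullName.Substring($backupRoot.Length).TrimStart('\')
            $target   = Join-Path $sourceRoot $relative
            if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
                [pscustomobject]@{
                    RelativePath = $relative
                    Extension    = $_.Extension.ToLowerInvariant()
                    BackupFile   = $_.FullName
                    Target       = $target
                    LastWrite    = $_.LastWriteTime
                }
            }
        }
)

# Summarise by extension and keep the full list as a record for later comparison.
"{0} file(s) missing from {1}" -f $missing.Count, $sourceRoot
$missing | Group-Object Extension | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
$missing | Export-Csv -Path (Join-Path $env:TEMP 'missing-from-source.csv') -NoTypeInformation

if ($Restore) {
    foreach ($m in $missing) {
        # Recreate the parent folder if it is gone, then copy the file back.
        [IO.Directory]::CreateDirectory([IO.Path]::GetDirectoryName($m.Target)) | Out-Null
        Copy-Item -LiteralPath $m.BackupFile -Destination $m.Target
    }
}
```

Running it without `-Restore` before and after a backup job gives a list that can be lined up against the timestamps in a Process Monitor trace.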

@gchen
I’ve just finished backing up all my personal files to OneDrive as four separate backup jobs.
Everything is running smoothly now. No missing exe nonsense.
Very happy with the solution. Comforting to know my files are protected in the cloud from prying eyes.
Thank you!
