Issue

Large incremental backups are being seen

Cause

Large incrementals can be caused by numerous reasons, some common reasons are:

1. Backups of backups are being captured ie. SQL database dumps or ZIP backups to a location that is then captured by CyberSecure can cause a doubling-up of data
2. Maintenance tasks such as database reindexing or defrags: these cause sectors on the disk to move around, which some backup technologies will see as changes
3. A dirty shutdown can cause some technologies (such as ShadowProtect) to create a differential, which can be significantly larger than a standard incremental
4. An application is creating large logs or temporary files: we have seen this with some Trend Micro and Symantec software
5. Ransomware infection: ransomware deletes and encrypts files, which causes large changes
6. or simply alot of data was added, which may or may not be expected, we advise checking with your users, IT admins and/or audit logs to investigate further

Resolution

1. If the source of the large data changes is not immediately obvious, CyberSecure has developed numerous strategies to identify how to monitor changes on volumes to detect what programs are causing the changes
2. Processes such as SQL dumps can be redirected to separate storage or to volumes that are not included as part of the CyberSecure backup
3. Database maintenance tasks should be reviewed to ascertain if they are needed, or if moving those workloads to solid state/flash storage would negate the requirement of performing such frequent indexing.
4. If a system is frequently experiencing dirty shutdowns, the cause of these shutdowns should be investigated and resolved.
5. Applications creating large logs should be moved onto separate storage that is not being captured by the backups.