Re: Virus in system restore



Eric Baines wrote:
I thought I had a decent virus checker. I use Sophos, which has a real
time scanner and is updated daily. It told me that it had scanned the
three items in the zip file and they were OK. But when I unzipped it,
out popped five items and Sophos immediately popped up saying that
there was a virus in one of them.

Some infection within zip files can be hard to detect. You may want to
send Sophos an email and see what they have to say.
Sophos - Technical support
http://www.sophos.com/support/

What I really can't understand is how the file got into a restore
point so fast. As soon as I got the warning, I deleted all the files,
emptied all wastebaskets etc. It was almost as if the restore point
was operating as a secondary wastebasket - that isn't how it works is
it?

Here's how it works. System Restore constantly monitors key system and
application file changes. Tracking these file changes is necessary to
fully restore the system to a particular state. This aspect of the
feature works to record and, if necessary, preserve a previous file
state, which enables the user to restore to a previous system state.
This change tracking will not interfere with the user's performance
experience.

To track and copy files before changes, System Restore uses a file
system filter driver that is at the kernel level (called Kernel Mode).
This kernel level filter driver monitors file system operations, and,
for select file types and operations, quickly interrupts an operation
(for example, DELETE FILE) and copies or moves the original file before
the operation is complete. The file changes are entered into a log, and
the file copies and logs are stored in an archive on the drive or
partition where the original file resided. Change-based file copying
happens once per specific file per system session or for any given
restore point.

I just did an experiment while monitoring the current restore point
folder (#96) in the System Volume Information folder to see when a file
is actually copied and written to disk in the restore point folder.

Test #1
1. Moved an exe file to the desktop: It did not show up in the restore
point (RP) folder.
2. Moved the exe file to the recycle bin: It did not show up in the RP
folder.
3. Emptied the Recycle Bin: The exe file was written to the RP folder.
4. Created a new restore point and checked the RP folder (#96) and the
file was still there, and a new restore point folder was created #97.

Test #2
1. Moved an exe file to the desktop: It did not show up in the most
current (RP) folder #97.
2. Held the Shift key down (to bypass the recycle bin) and clicked
Delete: The exe file did not show up in the RP folder #97.

So you see, when the file in question was deleted, and the recycle bin
emptied, the file is copied and written to restore point folder.
Bypassing the recycle bin prevents the file from being copied and
written.

Thanks for the point about not relying on restore points older than a
week - it is a good reminder. In fact, the only time I wanted to use
a restore point it didn't work. It seems like they might be a nice
idea, but need a bit more development to become reliable?

It's not likely we will see changes to the design of System Restore in
Windows XP. : - (

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org
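A way to repeat the two tests above on your own machine, as an added example and not code from the original post: this PowerShell script snapshots the file list in the newest RPnn folder under System Volume Information, deletes a throwaway test file the way each test did, and reports which files appeared. The folder layout (_restore{GUID}\RPnn, A00nnnnn.ext copies, change.log) is the Windows XP layout the post is describing; the probe file names, the pause to empty the Recycle Bin by hand, and the assumption that the shell can read System Volume Information (it is SYSTEM-only by default) are my own.

```powershell
# Added example, not from the original post. Snapshots the current XP restore
# point folder before and after each kind of delete so a copy made by the
# System Restore filter driver (if any) shows up by name. Assumes this shell
# can read C:\System Volume Information (SYSTEM-only by default; e.g. start
# PowerShell with "psexec -s -i", or grant Administrators read access first).

$SviRoot = 'C:\System Volume Information'

function Get-LatestRestorePointFolder {
    # _restore{GUID} holds one RPnn folder per restore point; the highest
    # number is the one currently being written to.
    $restoreRoot = Get-ChildItem -LiteralPath $SviRoot -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -like '_restore{*' } |
        Select-Object -First 1
    if (-not $restoreRoot) { throw "No _restore{GUID} folder under $SviRoot" }
    Get-ChildItem -LiteralPath $restoreRoot.FullName -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^RP\d+$' } |
        Sort-Object { [int]($_.Name.Substring(2)) } -Descending |
        Select-Object -First 1
}

function Get-RestorePointSnapshot {
    # Archived copies are renamed A00nnnnn.<original ext>; change.log in the
    # same folder maps them back to the original path. Name -> size is
    # enough to diff two snapshots.
    param([string]$RpFolder)
    $snap = @{}
    Get-ChildItem -LiteralPath $RpFolder -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $snap[$_.Name] = $_.Length }
    return $snap
}

function Get-NewFiles {
    param([hashtable]$Before, [hashtable]$After)
    @($After.Keys | Where-Object { -not $Before.ContainsKey($_) } | Sort-Object)
}

function Show-Delta {
    param([string]$Step, [hashtable]$Before, [string]$RpFolder)
    Start-Sleep -Seconds 2   # give the filter driver a moment to write its copy
    $new = Get-NewFiles $Before (Get-RestorePointSnapshot $RpFolder)
    if ($new.Count -eq 0) { "$Step -> nothing new in RP folder" }
    else { "$Step -> new in RP folder: $($new -join ', ')" }
}

$rp = Get-LatestRestorePointFolder
"Monitoring $($rp.FullName)"

# Constructed probe files: plain text with an .exe name, since .exe is one of
# the monitored extensions (listed in %SystemRoot%\system32\restore\Filelist.xml).
# Each run uses a fresh name because the driver copies a given file only once
# per session, as the post notes.
$desktop = [Environment]::GetFolderPath('Desktop')
$stamp = Get-Date -Format 'HHmmss'

# Test #1 from the post: send to the Recycle Bin, then empty it.
$probe1 = Join-Path $desktop "sr-probe1-$stamp.exe"
Set-Content -LiteralPath $probe1 -Value 'not a real executable'
$before = Get-RestorePointSnapshot $rp.FullName
Add-Type -AssemblyName Microsoft.VisualBasic
[Microsoft.VisualBasic.FileIO.FileSystem]::DeleteFile($probe1, 'OnlyErrorDialogs', 'SendToRecycleBin')
Show-Delta 'Test 1a: moved to Recycle Bin' $before $rp.FullName
Read-Host 'Now empty the Recycle Bin from Explorer, then press Enter'
Show-Delta 'Test 1b: Recycle Bin emptied' $before $rp.FullName

# Test #2 from the post: direct delete, which is what Shift+Delete does.
$probe2 = Join-Path $desktop "sr-probe2-$stamp.exe"
Set-Content -LiteralPath $probe2 -Value 'not a real executable'
$before = Get-RestorePointSnapshot $rp.FullName
Remove-Item -LiteralPath $probe2 -Force
Show-Delta 'Test 2: Shift+Delete equivalent' $before $rp.FullName
```

If a copy does appear, it will be an A00nnnnn.exe in the RP folder, and change.log there records which original path it came from; that is the file a scheduled scan later flags as "a virus in the restore point directory", and why turning System Restore off (which discards every RPnn folder) removes it.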


"Bert Kinney" wrote:

Eric Baines wrote:
How do I remove a file infected by a virus from within the system
restore directory?

Disabling System Restore on all partitions/drives should remove all
stored files, including the files containing infection. Using Disk
Cleanup to remove all but the latest restore point may not be the
best approach. The latest restore point is most likely where the
infected file will be located.

I received an email the other day that was a .zip file. I downloaded
it to my PC and virus scanned it using Sophos. It said that it had
scanned 3 items and they were OK. So I unzipped the file. It
unzipped 5 files and immediately told me that one of the files was
a .exe that was infected with a virus. I immediately deleted all
the files, without running any of them and cleared my wastebasket.
It can't have been on my disk for more than a minute. I thought I
had sorted the problem.

The next day, the scheduled disk scan kicked in, and said I had a
copy of this virus in the directory that stores my restore points. I
tried to go to the directory, but even though I am an administrator
on that PC, it wouldn't let me go into the directory.

I was unsure what to do, but was determined to get rid of this
thing. Therefore, I switched off system restore, so it deleted all
the files in the directory. I scanned the directory and it said it
was OK. I then switched system restore back on, and when it had
done that, I scanned the whole disk, and it said I was OK.

But system restore is there for precisely this sort of situation -
where your PC is damaged and you want to go back to an undamaged
state.

System Restore was not designed to be an antivirus or malware removal
tool and should not be depended on to do so. A good up to date
antivirus application should have caught the virus before the email
was opened. A good antivirus application should have the ability to
scan within zip files.

What should I have done, that would have got rid of this file,
without getting rid of all my restore points?

I would suggest getting another antivirus application that has a
real-time scanner as discussed above, and set it to update daily.

Cheers
Eric

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org
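On the scanner-count question in the thread (three items reported as scanned, five files after extraction), an added example that is not from the thread and says nothing about Sophos's own logic: a PowerShell function that walks a zip without extracting it, descends into nested zips by their PK magic bytes rather than their name, and lists every member with its depth, size and SHA-256, so a scanner's reported count can be reconciled against what actually unpacks before anything touches the disk. The constructed outer.zip, the depth and per-member size caps, and the .NET 4.5 System.IO.Compression dependency are my own assumptions.

```powershell
# Added example, not from the thread. Enumerates every member of a zip,
# recursing into nested zips, without extracting anything to disk.
# Assumes .NET 4.5+ (System.IO.Compression). The depth and size caps are
# arbitrary guards against nested-archive bombs; tune them to taste.
Add-Type -AssemblyName System.IO.Compression

function Get-ZipMembers {
    param(
        [Parameter(Mandatory=$true)][System.IO.Stream]$Stream,
        [string]$Prefix = '', [int]$Depth = 0,
        [int]$MaxDepth = 4, [long]$MaxMemberBytes = 50MB
    )
    $mode = [System.IO.Compression.ZipArchiveMode]::Read
    $archive = New-Object System.IO.Compression.ZipArchive($Stream, $mode, $false)
    try {
        foreach ($entry in $archive.Entries) {
            $path = $Prefix + $entry.FullName
            if ($entry.FullName.EndsWith('/')) {
                # Directory entries count as "items" in some tools but carry no data.
                New-Object PSObject -Property @{ Path = $path; Depth = $Depth; Kind = 'dir'; Size = 0; SHA256 = '' }
                continue
            }
            if ($entry.Length -gt $MaxMemberBytes) {
                throw "Member $path declares $($entry.Length) bytes; refusing to inflate"
            }
            $ms = New-Object System.IO.MemoryStream
            $es = $entry.Open()
            try { $es.CopyTo($ms) } finally { $es.Dispose() }
            $bytes = $ms.ToArray()
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $hex = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            # Local file header magic "PK\3\4" is a better nested-zip signal than the extension.
            $isZip = ($bytes.Length -ge 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B -and
                      $bytes[2] -eq 0x03 -and $bytes[3] -eq 0x04)
            New-Object PSObject -Property @{
                Path = $path; Depth = $Depth; Size = $bytes.Length; SHA256 = $hex
                Kind = $(if ($isZip) { 'zip' } else { 'file' })
            }
            if ($isZip) {
                if ($Depth -ge $MaxDepth) { Write-Warning "Nested archive $path is beyond depth $MaxDepth; not descended" }
                else {
                    $ms.Position = 0
                    Get-ZipMembers -Stream $ms -Prefix "$path!/" -Depth ($Depth + 1) `
                        -MaxDepth $MaxDepth -MaxMemberBytes $MaxMemberBytes
                }
            }
            $ms.Dispose()
        }
    } finally { $archive.Dispose() }
}

function New-ConstructedZip {
    # Constructed input: outer.zip holding readme.txt, an empty docs/ entry and
    # inner.zip, which in turn holds setup.exe and notes.txt.
    param([string]$Path)
    $create = [System.IO.Compression.ZipArchiveMode]::Create
    $inner = New-Object System.IO.MemoryStream
    $ia = New-Object System.IO.Compression.ZipArchive($inner, $create, $true)
    foreach ($name in 'setup.exe', 'notes.txt') {
        $w = New-Object System.IO.StreamWriter($ia.CreateEntry($name).Open())
        $w.Write("constructed contents of $name"); $w.Dispose()
    }
    $ia.Dispose()
    $fs = [System.IO.File]::Create($Path)
    $oa = New-Object System.IO.Compression.ZipArchive($fs, $create, $false)
    $w = New-Object System.IO.StreamWriter($oa.CreateEntry('readme.txt').Open())
    $w.Write('hello'); $w.Dispose()
    $null = $oa.CreateEntry('docs/')
    $s = $oa.CreateEntry('inner.zip').Open(); $inner.WriteTo($s); $s.Dispose()
    $oa.Dispose()
}

$zip = Join-Path $env:TEMP 'constructed-outer.zip'
New-ConstructedZip $zip
$members = @(Get-ZipMembers -Stream ([System.IO.File]::OpenRead($zip)))
$members | Format-Table Depth, Kind, Size, Path, SHA256 -AutoSize
"Top-level items: $(@($members | Where-Object { $_.Depth -eq 0 }).Count); " +
"data-bearing files at any depth: $(@($members | Where-Object { $_.Kind -ne 'dir' }).Count)"
```

The two counts at the end are the point: a scanner that reports "items" at the top level, or skips directory entries, or stops at a nested archive, will give a different number from what extraction produces, and the per-member hashes let you look up any individual file with the scanner vendor without extracting it.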

