CAV and XP System Restore - problems?

I have XP Home SP3 and the latest CAV. Are there any known issues between XP System Restore and CAV? e.g. Does CAV penetrate a restore and if it finds an infected file, clean it? If so, I assume the restore would not then work as it would not be the restore that was saved. In that case, could I configure CAV not to clean a restore, and if so, how?

Hi xylophone

CAV will scan system volume information restore, and if it finds an infected file will take the appropriate action. The restore will probably not work unless the infected file was non critical for windows operation. I don’t know of any way to exclude a restore point from the scan as the only setting is for allowed extension scan. You can uncheck “automatically disinfect objects” and this will give you a choice of what to do when the virus is found.

John

Many thanks, John, for your swift reply. I don’t understand what ‘volume information’ means. Is that contained in one of the My Documents I refer to, and if so, which one/s? If not, where is this ‘information’ in Explorer?

I found your advice “if it finds an infected file will take the appropriate action. The restore will probably not work unless the infected file was non critical for windows operation. I don’t know of any way to exclude a restore point from the scan as the only setting is for allowed extension scan. You can uncheck “automatically disinfect objects” and this will give you a choice of what to do when the virus is found.” very helpful, as it has given me a hang on how I should be thinking about this potential problem.

If CAV finds something in the restore, and I have unchecked “auto disinfect objects”, how will I know from the message I then receive from CAV - what do you want to do with these? - which of them is inside the restore? - what would be the path it would mention? - takes me back to my question at the start of my reply here

Hi xylophone

System volume information is a hidden file that contains your restore points. CAV will see it and scan it. It will tell you what virus it has found and where it is found so you will know what to do with it. You will be asked by CAV and you will probably want to either delete it anyway even if it is in a restore point. Restore points are often infected when a virus is found on a machine and any set after the infection should not be used.

John

Thanks. On Access scan provides for auto disinfect or deny access to infected objects. Thinking of an infection in a restore, should I activate deny access, and if so, what effect would that have on the restore?

BTW, what is the difference between On demand and On access? Never really understood this.

Either way will corrupt the restore point and you should remove it.
I would try disinfect and then remove the restore point and try another one.

From Wikipedia:

Real-time protection, on-access scanning, background guard, resident shield, autoprotect, and other synonyms refer to the automatic protection provided by most antivirus, antispyware, and other antimalware programs, which is arguably their most important feature. This monitors computer systems for suspicious activity such as computer viruses, spyware, adware, and other malicious objects in 'real-time', in other words while data is coming into the computer (for example when inserting a CD, opening an email, or surfing the web) or when a file already on the computer is opened or executed, in other words loaded into the computer's active memory.[1] This means all data in files already on the computer is analysed each time that the user attempts to access the files. This can prevent infection by not yet activated malware that entered the computer unrecognised before the antivirus received an update. Real-time protection and its synonyms are used in contrast to the expression "on-demand scan" or similar expressions that mean a user-activated scan of part or all of a computer.

John

Thanks,

It appears that as CAV will detect infection within a restore point, and that restore point will therefore become corrupted, the best approach boils down to allowing CAV its head and if it disinfects anything, be it anywhere on the PC, say, on 20 July, 2008, to delete the restore point or points created before that date, and then create a fresh restore point after that date, which will not be corrupted. Is this a fair résumé of the approach to take?

You should NOT restore your OS to an infected state. It’s always recommended to completely wipe all restore points (i.e., completely disable and re-enable System Restore) when your box gets infected. Whether the infection itself gets deleted from \System Restore Information depends on whether a particular AV product runs under SYSTEM account (having the required privs to that directory); if it does, the restore point shall become unusable and that’s correct anyway, it shouldn’t be trusted.

Sounds like it. Anyway, CAV 3 will be even better.

I recommend turning off then on system restore:

Steps to turn off System Restore

  1. Click Start, right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
  4. Click OK.
  5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
    You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Reboot your computer. Then turn it on:

Steps to turn on System Restore

  1. Click Start, right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
  4. Click OK.

After a few moments, the System Properties dialog box closes.

This will wipe out all restore points, getting rid of viruses in system restore.

Afterwards I suggest running a virus & spyware scan.

Josh
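The same off-then-on purge that Josh's GUI steps perform, done through the WMI SystemRestore class that Windows XP exposes in root\default, after first listing the existing restore points with their creation dates so you can see what is in System Volume Information before it goes. This is an added example, not code from the thread or from Comodo; it assumes an administrator account on XP Home, that C:\ is the system drive, and that the Disable/Enable calls do not need the reboot Josh puts between his two step lists.

```vbscript
' Added example (not from this thread or from Comodo): list the restore points
' on the system drive, then (only when PURGE = True) disable and re-enable
' System Restore on it, which deletes every restore point, infected or not.
' Assumes an administrator account on Windows XP. Run: cscript //nologo sr_purge.vbs
Option Explicit

Const DRIVE = "C:\"          ' system drive; assumption for this example
Const PURGE = False          ' set to True to really wipe every restore point

Dim wmi, sr, rp, ct, rc
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default")

WScript.Echo "Existing restore points on this machine:"
For Each rp In wmi.InstancesOf("SystemRestore")
    ' CreationTime is a DMTF timestamp: yyyymmddHHMMSS.ffffff+zzz
    ct = rp.CreationTime
    WScript.Echo "  #" & rp.SequenceNumber & "  " & _
                 Left(ct, 4) & "-" & Mid(ct, 5, 2) & "-" & Mid(ct, 7, 2) & " " & _
                 Mid(ct, 9, 2) & ":" & Mid(ct, 11, 2) & "  " & rp.Description
Next

If Not PURGE Then
    WScript.Echo "Dry run only; set PURGE = True to delete all restore points."
    WScript.Quit 0
End If

' Turning System Restore off on the drive deletes everything it keeps under
' System Volume Information; turning it back on starts with a clean slate.
Set sr = wmi.Get("SystemRestore")
rc = sr.Disable(DRIVE)
If rc <> 0 Then
    WScript.Echo "Disable failed, return code " & rc
    WScript.Quit 1
End If
rc = sr.Enable(DRIVE, True)      ' True = wait until the service reports it is on
If rc <> 0 Then
    WScript.Echo "Enable failed, return code " & rc
    WScript.Quit 1
End If
WScript.Echo "System Restore purged and re-enabled on " & DRIVE
' Follow up with an on-demand virus and spyware scan, as Josh suggests.
```

Only the listing runs until PURGE is set to True, so the script can be used just to see which restore points predate or postdate the infection before deciding to wipe them.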

So you agree with me. Right?

Well, not really sure… :slight_smile: Yeah, it will “corrupt” infected restore points. But no, as I said - you shouldn’t rely on those infected ones, so adding those directories to CAV exclusions is not something I’d recommend. Most AV vendors recommend completely purging System Restore in case of infection, see above for howto. :wink:

I thought you were replying to my reply no 6.

Ah, OK. Yeah then. :wink: