How to translate detected system recovery files to discover original source

Hey folks! I have several CAV heuristic & suspected detected files that are in my system recovery folder. Upon accessing those files, I cannot tell what their source is, like one can in say system32.

I don’t want to quarantine or remove them, because that will disable the files for system restore purposes. Just need to be able to tell what these files are in normal terms, and then decide what to do.

Anybody got any ideas? My appreciation, in advance. Diligent.

Edit: Below is a screenshot of CAV events, to clarify further, and one partial example.

One SVF reads: C:\System Volume Information(DDE…2F0)\RP88\A0014453.exe

[attachment deleted by admin]

set cav heuristic to off. Ended prob. This setting is simply BS guesser game. Don’t know what it is? Then call it a prob, with the result all users have a prob. Not honest! My best (to users), Diligent

Well said, I’m afraid…

;D

There is no way to know where those files are coming from. :frowning:

I would say leave the heuristics on low, since they are detecting a lot of malware (server-based heuristics). And just report any Heur.Suspicious@xxxxxxxx in the FP board; as for Heur.Pck & Heur.Packed.Unknown, that can only be fixed by having the file. :frowning:

@ OmeletGuy.

Thanks for the response. The question, really, was not where “they are coming from” but rather how to identify them from the system restore file location info CAV provides. I was able to identify enough, to know what the entries were in fact, and from there I knew that they were not malware.

In other words, CAV is picking up (e.g.) exe’s that it does not recognize, and nothing more. The bottom line, is that these legitimate exe’s do not need any comodo analysis. I now know what they are.

But I also know that I do not need to spend the time trying to figure out or submit CAV detections just because CAV does not know what (say) thirty (30) exe’s are. Get what I am saying?

I also set my system restore to 1%, so soon these certain exe’s will be purged and meanwhile they cannot activate while sitting in system restore.

Thanks for the effort, My Best Diligent.

P.s. BTW, The CAV heuristics setting was set at low, which is now off.

I don’t want to know how many FP’s you would get with it on High. BTW, I looked at the picture you attached, and you can report the FP’s in the FP section; just report the full name, and follow this guide.

https://forums.comodo.com/false_positivenegative_reporting_is_this_a_malware_that_cis_hasnot_detected/how_to_report_false_positivessuspicious_files_how_to_submit_them-t36051.0.html

thanks

You’re looking for tools and posts like this:

http://www.ghacks.net/2007/12/31/system-restore-analyzer/
http://windowsir.blogspot.com/2006/10/restore-point-forensics.html
http://128.175.24.251/forensics/restorepoints.htm
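One practical way to do what the thread is after, mapping a renamed restore-point copy such as `RP88\A0014453.exe` back to the program it came from without quarantining anything, is to hash the copy and look the hash up in an index of executables still present on the live system. System Restore keeps the file content unchanged when it renames the copy into the RPnn folder, so a hash match identifies the original file. The script below is an added example, not code from the thread or from any of the tools linked above; the directory layout it builds in a temporary folder (an `ExampleApp` program, a `WINDOWS\system32` DLL, a `{GUID-PLACEHOLDER}` restore-point store) is constructed for the demo, and the real `change.log` in each RPnn folder, which records the original path authoritatively, is deliberately left unparsed here.

```python
"""Match XP restore-point copies (A00xxxxx.ext) to their original files by content hash.

Added example, not from the thread. Assumes the layout the thread shows:
  C:\\System Volume Information\\{GUID}\\RP88\\A0014453.exe
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Path form CAV reports: ...\RP<n>\A<7 digits>.<ext> (either slash style accepted).
RP_PATH_RE = re.compile(r"[\\/](?P<rp>RP\d+)[\\/](?P<name>A\d{7}\.[A-Za-z0-9]+)$")
# Name form of a restore-point copy inside an RPnn folder.
RP_COPY_RE = re.compile(r"A\d{7}\.\w+")


def parse_rp_path(path):
    """Return (restore point id, renamed copy name) from a detection path, or None."""
    m = RP_PATH_RE.search(path)
    return (m.group("rp"), m.group("name")) if m else None


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_live_files(roots, exts=(".exe", ".dll", ".sys")):
    """Map sha256 -> list of live-system paths for executables under the given roots."""
    index = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower().endswith(exts):
                    p = os.path.join(dirpath, name)
                    index.setdefault(sha256_of(p), []).append(p)
    return index


def match_restore_point_files(rp_dir, index):
    """For every A00xxxxx copy in an RPnn folder, return {copy name: [matching live paths]}.

    An empty list means nothing on the live system has that content any more
    (deleted or updated since the restore point was taken), so the copy needs
    a closer look rather than an automatic "known good" verdict.
    """
    results = {}
    for name in sorted(os.listdir(rp_dir)):
        if not RP_COPY_RE.fullmatch(name):
            continue  # skip change.log and anything else System Restore keeps here
        results[name] = index.get(sha256_of(os.path.join(rp_dir, name)), [])
    return results


def demo():
    """Build a constructed, throwaway tree and return the match table for its RP88."""
    root = Path(tempfile.mkdtemp())
    app = root / "Program Files" / "ExampleApp"          # constructed program folder
    app.mkdir(parents=True)
    (app / "example.exe").write_bytes(b"MZ" + b"example app payload" * 4)
    sysdir = root / "WINDOWS" / "system32"
    sysdir.mkdir(parents=True)
    (sysdir / "helper.dll").write_bytes(b"MZ" + b"helper" * 10)
    rp = root / "System Volume Information" / "{GUID-PLACEHOLDER}" / "RP88"
    rp.mkdir(parents=True)
    # System Restore copy of example.exe under its renamed A00xxxxx name.
    (rp / "A0014453.exe").write_bytes((app / "example.exe").read_bytes())
    # A copy whose original is no longer anywhere on the live system.
    (rp / "A0014454.exe").write_bytes(b"MZ" + b"no longer on disk")
    (rp / "change.log").write_bytes(b"")  # present in real RPs; not parsed here
    index = index_live_files([root / "Program Files", root / "WINDOWS"])
    return match_restore_point_files(rp, index)


if __name__ == "__main__":
    for copy_name, originals in demo().items():
        print(copy_name, "->", originals or "no live match")
```

On a real machine, point `index_live_files` at `C:\Program Files` and `C:\WINDOWS` and `match_restore_point_files` at the RPnn folder CAV named (reading System Volume Information needs administrator rights). A copy with a live match can be treated like the original it duplicates; a copy with no match is the one worth submitting for analysis.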

@ Ronny. That is exactly the type of info I was originally seeking. :wink: Thanks much!!

@ OmeletGuy. Sorry, but seems we are not communicating. Tomorrow’s another day! Diligent. :slight_smile:

.

So did any of those give you some nice tools / info, I’m curious :wink:

The basic info was there. I had already gotten through (on my own) the subject matter of about two-thirds of those articles. Haven’t got back to it, but could see that the info was refined enough to figure it out. The idea (as you likely figured out) was to identify FPs quickly, so as to avoid worry, fuss, etc. When I get to it will be sure to let ya know. Tks, Diligent.

Harlan Carvey’s great when it comes to registry forensics. Since he’s not in these forums (afaik), I’ll go ahead and plug his books for him. Just a note - he loves perl scripting so get ready for it (you get a little hint of it in that one blog post). Most (if not all) of his stuff is written in perl; fortunately for those not using perl, he’s used perl2exe to make Windows executables from them.

> I also set my system restore to 1%, so soon these certain exe’s will be purged and meanwhile *they cannot activate* while sitting in system restore.
Are you 100% certain of that? There's research that suggests some malware can hide/survive in RP's and restore themselves to the system automatically (recurring infection) without the user doing anything...

LM

Note: It’s kind of a joke in some forensic circles that Harlan plugs his books whenever he gets a chance. But hey, they’re good, he researched and wrote 'em, so more power to him. I’m just glad they’re available…

Hey. My statement that exe’s in system restore files won’t activate came from Microsoft. But that could be changed in the course of evolving methods.

You are above my head on the RP’s. Ya mean deleting an exe does not eliminate it?

Also, I was actually speaking to legitimate program exe’s that I discovered were the ones that CIS was targeting.

Thanks for the info, Diligent.