Malware Re-Detection within System Restore files

Files that you add to the Exclusion List are re-detected within the system restore files, and due to Windows naming conventions it is not obvious that these files pertain to one of the excluded files.

I think other scanners would do that as well. It is actually useful to detect malware that got caught in system restore.

However, system restore files seem to be a favorite of false positives as well…

I’ve done many tests of scanning my system with multiple AV and spyware/adware apps and confirm I have a clean system. I then create a restore point, and more often than not, Avira likes to flag the new restore file. And it appears as though Comodo is prone to this as well.

Since I keep a tight system, I’d prefer them to ignore the system restore files, although I know this isn’t a great procedure for most people.

Not a good move to ignore the system restore files. There are a couple of examples of malware that write themselves directly to an old restore point and then cause an error that can lead a user to invoke System Restore, thereby causing the malware to be inserted into the system under system privileges.

Regardless of how good I think my system is, I either A) never ignore System Restore files or B) disable system restore.

Ewen :slight_smile:

Yes, Panic… you have a point. What I normally do is, after a virus is quarantined (if I am sure that it is not a FP), I create a restore point and delete all the previous restore points using Disk Cleanup…
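The "fresh restore point, then drop the old ones" routine from the post above, written out as an elevated PowerShell script. This is an added example and not code from the thread or from Comodo; it assumes Windows Vista or later with System Protection enabled on C:, and it uses vssadmin in place of the Disk Cleanup GUI the poster used. The description string and the volume letter are assumptions you would adjust.

```powershell
# Added example (not from the original thread): replace every existing restore
# point with one fresh point taken right after a confirmed-clean scan.
# Assumes: elevated prompt, Windows Vista+, System Protection enabled on C:.
#Requires -RunAsAdministrator

$Description = "Clean baseline after full AV scan"   # assumed label
$Volume      = "C:"                                  # assumed system volume

# 1. Take the new point FIRST, so the machine is never left with no restore point.
#    Windows 8 and later refuse a second point within 24 hours unless
#    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
#    SystemRestorePointCreationFrequency is set to 0; the check below catches that.
Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if (-not $newest -or $newest.Description -ne $Description) {
    throw "New restore point was not created; refusing to delete the old ones."
}

# 2. Restore points are VSS shadow copies, so vssadmin can remove them oldest-first.
#    Loop until only the point we just created remains. The iteration cap stops a
#    runaway loop if vssadmin quietly fails to delete anything.
$maxIterations = 100
while (((Get-ComputerRestorePoint | Measure-Object).Count -gt 1) -and ($maxIterations-- -gt 0)) {
    vssadmin delete shadows /for=$Volume /oldest /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "vssadmin delete shadows failed (exit $LASTEXITCODE)." }
}

# 3. Show what is left: exactly one entry, the clean baseline.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

Two caveats a practitioner would want: `vssadmin delete shadows /oldest` removes the oldest shadow copy on that volume whatever created it, so on a machine that also uses Previous Versions or backup software the loop will discard those snapshots too; and if System Protection covers more than one volume, the pruning has to be repeated with each volume in `/for=`.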

Best of both worlds! Good idea - I might adopt that one.

Ewen :slight_smile:

You can open the System Restore folder so an AV program or user can remove malware. This way you don’t lose all your system restore points. Read how to do so: http://support.microsoft.com/kb/309531/en-us.

Yes, that’s what I’m saying. You can completely overscan your system with multiple security applications. Then you create a new restore point. (no old ones on the system) Then scan again. Don’t be surprised when one or two of your apps decide there is malware in the restore point of your clean system…

Yes, we can open it… [This can even be done with programs like CSC (check the wipe feature)] … but as soon as we access the System Volume Information (with the virus), the realtime AV will report that it has detected a virus and will quarantine it (or ask to)… you remove it from quarantine and it will safely find a place in another system restore folder… that way it will remain on your computer… though not active.

In case… somehow we click the System Volume Information when the realtime AV is off… the damage will be done! System Restore is a great feature to help us… but, in cases like this… it is better to remove the affected ones… for our own safety.

Hence, I prefer to turn off those system restores and rely on the latest system restore point in such cases.