'System Restore' and malware issues

Windows XP and Millennium Edition include a system restore feature that can roll the system back to the state it was in on an earlier date, by restoring files from an indexed backup known as a 'restore point'. When enabled, 'system restore' tracks changes to files by storing restore points in a special, protected system directory: _RESTORE on Millennium Edition, and the _restore{GUID} folders inside the hidden System Volume Information directory on XP.

Despite its merits, 'system restore' also has downsides when it comes to viruses, and especially when trying to get rid of them!

  • Changes or additions made to the system by Trojans, viruses or worms are treated by 'system restore' exactly like legitimate, benign changes: a new set of restore points is created that captures the infected state. Consequently, you may later restore from an infected set, unaware that the backup itself was compromised, and reinstate the very malware you were trying to remove.


  • Another problem stems from the properties of the files stored in the _RESTORE directory. While 'system restore' is enabled, antivirus software can neither modify nor delete these files. 'System restore' must be disabled before they can be disinfected, or deleted when the file is a Trojan.


  • As a general rule, disable 'system restore' before disinfecting or cleaning ME or XP of malware, and re-enable it once the cleaning is done. Note that turning 'system restore' off discards all existing restore points, which is exactly what removes the infected sets. Check the following links from Microsoft's Support for detailed instructions on managing 'system restore' throughout antiviral procedures on the various platforms:

  • A different problem stems from the fact that the restore image files under _RESTORE do not keep their original names; they are referred to by an index name instead. This may create InVircible false alarms. To explain: suppose that a file named Benign.exe caused an IV false alarm, and you added 'Benign.exe' to the executables exclude list under IV options. Benign.exe will eventually be imaged by 'system restore', and its copy will be given an index name.

    If that image file is later accessed by Interceptor, for whatever reason, it will be flagged as potentially infected, because Interceptor will not recognize a file with the index name as being on the exclude list. To work around this problem, you may:


    • Ignore the false alarm, if you are certain it is caused by the excluded file.


    • A safer approach is to discard the image file from the system restore database. Disable 'system restore' as explained above, and remove the image file with the aid of the IV Audit & Integrity program. Deleting the backup copy held in a restore point does not affect the installed application itself.


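    The disable, clean, re-enable sequence from the third point above, and the disabling step that the work-around in the last point depends on, as an added PowerShell example that is not part of the original page or of InVircible. It assumes Windows XP SP3 or a later client Windows with Windows PowerShell installed and an elevated session, and drives the SystemRestore WMI class in the root\default namespace directly; $Drive and the scanner command line are placeholders.

```powershell
# Added example (not from the original page): disable System Restore on the
# system drive, run the antivirus clean, then re-enable it and take a fresh,
# known-clean restore point. Uses the SystemRestore WMI class in root\default
# (present on Windows XP; also on later client Windows). Run as Administrator.
# $Drive and the scanner command are assumptions; substitute your own.

$Drive = 'C:\'

# The SystemRestore class exposes static Enable/Disable/CreateRestorePoint
# methods; enumerated as instances it lists the existing restore points.
$sr = [wmiclass] '\\.\root\default:SystemRestore'

# 1. Record the restore points that exist now. Turning System Restore off
#    discards all of them, including the sets that captured the infected state.
Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
    Sort-Object SequenceNumber |
    Select-Object SequenceNumber, CreationTime, Description, RestorePointType |
    Format-Table -AutoSize

# 2. Turn System Restore off for the drive. On XP, disabling it on the system
#    drive disables it everywhere. This also unlocks the _restore directory so
#    the indexed copies there can be cleaned or deleted.
$rc = $sr.Disable($Drive).ReturnValue
if ($rc -ne 0) { throw "Disable() failed with WMI return code $rc" }

# 3. Clean the machine with your antivirus of choice (placeholder, assumption).
#    & 'C:\Path\To\scanner.exe' /clean /all

# 4. Turn System Restore back on. Enable(Drive, WaitTillEnabled): the second
#    argument blocks until the service is active so the next call does not
#    race it.
$rc = $sr.Enable($Drive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable() failed with WMI return code $rc" }

# 5. Create a restore point that reflects the clean state.
#    CreateRestorePoint(Description, RestorePointType, EventType):
#      RestorePointType 12 = MODIFY_SETTINGS
#      EventType       100 = BEGIN_SYSTEM_CHANGE
$rc = $sr.CreateRestorePoint('Post-disinfection baseline', 12, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint() failed with WMI return code $rc" }
```

    Because turning System Restore off discards every existing restore point, step 1 records what is there before anything is lost; the final CreateRestorePoint call gives you a baseline that is known to be clean, so that any later rollback lands after the disinfection rather than before it.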

    Last modified: 18 May 2003
