'System Restore' and malware issues

Windows ME, XP and Vista use a System Restore feature that can roll the system back to the state it was in on an earlier date, by restoring files from an indexed backup known as a 'restore point'. When enabled, System Restore tracks changes to monitored files and saves copies of them in restore points kept in a special, protected system directory: _RESTORE on Windows ME, and System Volume Information on XP and Vista (where the store itself is still named _restore{GUID}). The rest of this page refers to it as _RESTORE.

Besides its merits, System Restore also has downsides when it comes to viruses, especially when trying to get rid of them:

  • Changes or additions made to the system by Trojans, viruses or worms are treated by System Restore exactly like legitimate, benign changes: a new restore point is created that reflects the infected state. Consequently, a later restore from such a point reinstates the malware you were trying to get rid of, because nothing tells you that the backup itself is compromised.


  • Another problem stems from the properties of the files stored under _RESTORE. While System Restore is enabled, that directory is protected by the operating system, so antivirus software can detect an infected copy there but can neither disinfect nor delete it. System Restore must be disabled in order to disinfect those files, or to delete them in case the file is a Trojan.


  • As a general rule, AV producers recommend disabling System Restore before cleaning a virus or malware infection and re-enabling it when the cleaning is done.

    The real problem with this recommendation is that disabling System Restore discards all existing restore points, so you may lose the only chance you had to recover from that malware by rolling the system back.

  • A different problem stems from the fact that the copies stored under _RESTORE do not keep their original file name but are referred to by a sequential index name instead (on XP and Vista, A followed by seven digits, under a per-restore-point RP directory). This can produce InVircible false alarms. Suppose that a file named Benign.exe caused an IV false alarm, and you added 'Benign.exe' to the executables exclude list under IV options. Benign.exe will eventually be copied by System Restore and the copy given an index name.

    If Interceptor now accesses that copy, for whatever reason, it will flag it as potentially infected, because it does not recognize the index-named file as being on the exclude list: the list matches by file name, and the copy no longer carries that name. Our advice is to ignore alerts given on files that have the _RESTORE string in their path, provided the same file under its real name is a known false alarm. An alert on a restore copy of a file you have not cleared means that restore point contains the flagged file (see the first point above) and should not be restored from.
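The exclude-list behaviour described in the last two points, as an added example that is not part of this knowledge base page or of InVircible: a toy scanner in Python with constructed file contents, constructed paths in the Windows ME (_RESTORE) and XP/Vista (System Volume Information) layouts, and two exclusion schemes. Matching by file name, as the exclude list does, misses the renamed restore copy of Benign.exe and raises the false alarm; matching by content hash recognises the copy regardless of its name, while a genuinely infected restore copy still alerts and is labelled as such (the situation of the first point above). The signatures, file bytes, GUID and paths are all made up for the demonstration, and the hash-based exclusion is a suggested hardening, not a description of how Interceptor works.

```python
"""Why file-name exclusions miss System Restore copies, and how a content-hash
exclusion fixes it.  Toy scanner and constructed sample data; see the lead-in."""
import hashlib

# Constructed sample file contents (not real binaries).  The benign tool happens to
# contain a string the toy heuristic trips on; the Trojan contains a toy signature.
BENIGN_BYTES = b"MZ\x90\x00" + b"benign tool; trips a heuristic" * 4
TROJAN_BYTES = b"MZ\x90\x00" + b"payload; carries a real signature" * 4
TOY_SIGNATURES = (b"heuristic", b"real signature")

# Constructed paths.  Windows ME keeps copies under \_RESTORE; XP and Vista keep them
# under \System Volume Information\_restore{GUID}\RP<n>\ and rename each copy to a
# sequential index (A<7 digits>.<ext>), so 'Benign.exe' is no longer visible by name.
XP_STORE = r"C:\System Volume Information\_restore{11111111-2222-3333-4444-555555555555}\RP12"
SAMPLE_FILES = {
    r"C:\Tools\Benign.exe": BENIGN_BYTES,
    r"C:\_RESTORE\TEMP\A0000123.CPY": BENIGN_BYTES,  # ME-style copy of Benign.exe
    XP_STORE + r"\A0000456.exe": BENIGN_BYTES,       # XP-style copy of Benign.exe
    XP_STORE + r"\A0000457.exe": TROJAN_BYTES,       # an infected restore point
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_restore_copy(path: str) -> bool:
    """True when the path lies inside a System Restore store (ME or XP/Vista layout)."""
    p = path.lower()
    return "\\_restore" in p or "\\system volume information\\" in p


def scanner_flags(data: bytes) -> bool:
    """Stand-in for the AV engine: flags anything containing a toy signature."""
    return any(sig in data for sig in TOY_SIGNATURES)


def verdict(path: str, data: bytes, exclude_names: set, exclude_hashes: set) -> str:
    if not scanner_flags(data):
        return "clean"
    # Name-based exclusion, as in the exclude list described above.  Windows names
    # are case-insensitive, so compare lower-cased basenames.
    if path.rsplit("\\", 1)[-1].lower() in exclude_names:
        return "excluded (name)"
    # Content-based exclusion survives the rename System Restore performs.
    if sha256(data) in exclude_hashes:
        return "excluded (hash)"
    # A remaining alert inside the store means that restore point is infected.
    return "alert (restore point copy)" if is_restore_copy(path) else "alert"


def triage(files: dict, exclude_names=(), exclude_hashes=()) -> dict:
    """Map every path to a verdict under the given exclusion lists."""
    names = {n.lower() for n in exclude_names}
    hashes = set(exclude_hashes)
    return {p: verdict(p, d, names, hashes) for p, d in files.items()}


if __name__ == "__main__":
    print("name-only exclude list (the false alarm on the restore copy):")
    for p, v in triage(SAMPLE_FILES, exclude_names=["Benign.exe"]).items():
        print(f"  {v:28} {p}")
    print("name + hash exclude list (copy recognised, infected copy still alerts):")
    for p, v in triage(SAMPLE_FILES, ["Benign.exe"], [sha256(BENIGN_BYTES)]).items():
        print(f"  {v:28} {p}")
```

Run as a script, the first pass shows both restore copies of Benign.exe flagged as "alert (restore point copy)" although Benign.exe itself is excluded; the second pass clears them by hash while the Trojan copy in RP12 is still reported, which is the alert you would not want to ignore.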



Last modified: 05 Mar 2009
