Page 1 of 2 (results 1 to 15 of 28)
  #1: Star Lounger, New York, NY, USA (joined Dec 2009, 75 posts)

    Can viruses hide out in System Restore points?

    Having received conflicting opinions on this point, I'm hoping you sharpshooters can give me a definitive answer.

    I'm running Windows 7 Pro. A recent system scan with Malwarebytes turned up two bugs, which I've removed. The question is, are duplicates of these bugs hiding out in various System Restore Points, and if so, why? Why wouldn't Malwarebytes (or any antivirus software) also scan System Restore points? The notion that restore points are somehow "exempt" from scanning defies all logic and common sense.

    Yet I've had people tell me that if a virus turns up my computer, it's best to delete all System Restore points lest I reinfect my system.

    Your thoughts on this would be greatly appreciated, and thanks!

  #2: Silver Lounger (joined Oct 2012, 2,335 posts)

    Antivirus may not have enough permission to remove malware from restore files until system restore is disabled. Malware may also be in a dormant stage in restore files that is not as detectable. Also, once cleaned and operating normally again it's a moot point to trust or use an old system restore point; make a new one, delete the rest and move on.
    Malware is often placed in the restore point files to keep anyone from so easily removing the malware. However, using a system restore point can often get a system that is almost beyond functional back to a state in which it can be scanned and cleaned more readily so they are not completely useless after a malware infestation.

  BrooksNYC (2013-08-01) thanked F.U.N. downtown for this post.

  #3: Administrator, Portugal (joined Jun 2010, 12,519 posts)

    I am no expert, but I would think that System Restore may get contaminated if the system was already contaminated and a restore point taken. This would mean that infected files would be saved in System Restore and restoring those files might then get the infection back.

    Presuming that all infections will have infected System Restore is wrong. Actually, restoring the system to a previous restore point is, sometimes, an effective way of getting rid of easier to clean infections.

    This means that a blanket statement that you should always delete restore points is clearly excessive. Whether you should or not, depends on the infection, the time it occurred and whether system files were clean at the time the restore points were made.
    Rui
    -------
    R4

  #4: Super Moderator satrow, Cardiff, UK (joined Dec 2009, 4,486 posts)

    I've seen antivirus software and anti-malware like MBAM and SAS (SuperAntiSpyware) pinpoint infections in the Restore points in the past.

    It's best to save those Restore points, just in case clean up attempts go badly wrong. Sometimes reinfecting and having to clean up again is better than having a non-bootable computer.

    Once you are completely certain the machine is clean (best to have experts in the specialist malware forums check that, save all your logs for them too), System Restore can be disabled and the machine rebooted before re-enabling SR and creating a fresh Restore point.

    Some software, CCleaner for instance, can selectively remove Restore points (except the most recent usually) if you can detect which RPs are infected.

  BrooksNYC (2013-08-01) thanked satrow for this post.

  #5: Silver Lounger (joined Oct 2012, 2,335 posts)

    Originally Posted by ruirib:
        I am no expert, but I would think that System Restore may get contaminated if the system was already contaminated and a restore point taken. This would mean that infected files would be saved in System Restore and restoring those files might then get the infection back.

    Yes, that's certainly the case as well and even more reason why a restore point cannot be trusted but may aid in malware removal if the point of infection cannot be inferred, and the same self-determining logic stands for deleting all restore points after an infection is cleared up. In other words, if a restore point stands up to all malware scans and returns a clean bill of health, that is your new starting point for restore points.

  #6: Administrator, St Louis, Missouri, USA (joined Mar 2001, 23,572 posts)

    I've never read of any instance of malware infecting any existing Restore Point. That doesn't mean that it can't happen only I've never read about it. If you have an infection when the Restore Point is created then the Restore Point will be infected. Restoring an infected restore point will restore the infection too. Cleaning restore points is usually fruitless. You either have to delete them or let them disappear on their own as they will be automatically deleted at some point.

    Joe

  #7: Star Lounger, New York, NY, USA (joined Dec 2009, 75 posts)

    Am grateful to all of you for your input. Let me rephrase my question slightly:

    If (as I believe to be the case) my system was infected a month ago, it seems reasonable to conclude that every restore point created since the date of infection would contain a copy of the infection.

    Today's malware scan detected malware in ONE folder.......and nowhere else. If there are multiple copies of the virus lurking in System Restore points — and logically, there ought to be — why didn't the scan detect them?

    Originally Posted by F.U.N. downtown:
        Antivirus may not have enough permission to remove malware from restore files until system restore is disabled.

    And that may be the answer. But why would Windows withhold permission from a virus scanner for any reason? If I were Windows, I'd roll out the welcome mat to any virus scanner that felt like dropping by. "Glad you could come," I'd say. "Let the killing begin."

    Anyway, I'll go ahead and delete my old System Restore points, and start fresh. Thanks again, everyone.
    Last edited by BrooksNYC; 2013-08-01 at 00:36.

  #8: Super Moderator satrow, Cardiff, UK (joined Dec 2009, 4,486 posts)

    Your computer may have been infected a month ago, perhaps your System wasn't. Sounds strange, eh?

    System Restore does just that, it restores the System, not all files and folders on the computer. All it does is create copies of vital System files and some Program files, and copies of Registry entries. Exact details will vary according to which Windows OS is in use.

    You only need to look at the size occupied by SR; for many years, I've always restricted SR to use only 4-5% of the System drive, that's still enough for several SR points. On my current 120GB SSD, it's down to 1%, yet that's still more than enough for a single SR to be stored (but I do only have 32GB space used).

  BrooksNYC (2013-08-01) thanked satrow for this post.

  #9: Star Lounger, New York, NY, USA (joined Dec 2009, 75 posts)

    Thank you, Satro.

    I seem to have an overly simplistic understanding of what System Restore does. I'd assumed it created copies of everything except for personal data. The reality is obviously not so cut-and-dried.

    So how's this for a strategy going forward:

    1. Scan for viruses, and remove any infections.
    2. Confirm that system is functioning normally.
    3. Create a new post-scan System Restore point.
    4. Delete all previous System Restore points, just to be safe.

    Sound okay?
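
The four-step plan in the post above, carried out from PowerShell on Windows 7, as an added example that is not part of this thread and not something any of the posters ran. It also touches two earlier points: satrow's note that System Restore is only allowed a small slice of the system drive (the `vssadmin` storage listing shows the current cap), and the "why can't a scanner just look" question, which the `icacls` line answers by showing that the restore-point folder is readable by SYSTEM alone under the default Windows 7 permissions (assumed default ACL, not something the thread states). Assumptions: the system drive is C:, the prompt is elevated, the antimalware scan (step 1) has already come back clean, and the restore-point description string is a placeholder.

```powershell
# Added example (not from the thread): restore-point hygiene after a clean-up,
# following the four steps from the post above.
# Assumptions: Windows 7, system drive is C:, run from an elevated PowerShell
# prompt; the antimalware scan has already been run and come back clean.

# Checkpoint-Computer and Delete-ComputerRestorePoint need an elevated prompt,
# so fail early rather than part-way through (works on PowerShell 2.0, which
# Windows 7 ships with, unlike the newer #Requires -RunAsAdministrator).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as administrator) PowerShell prompt."
}

# Step 2 sanity check: how much of C: System Restore may use. Restore points are
# VSS shadow copies, so the cap satrow mentions (a few percent of the drive) is
# the "Maximum Shadow Copy Storage space" value printed here.
vssadmin list shadowstorage /for=C:

# Why a scanner running with ordinary user rights cannot see into restore points:
# the folder that holds them is, by default, accessible to SYSTEM only
# (assumption: default Windows 7 ACL on System Volume Information).
icacls "C:\System Volume Information"

# What exists before we touch anything, oldest first.
Write-Host "Restore points before clean-up:"
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Format-Table SequenceNumber, CreationTime, Description, RestorePointType -AutoSize

# Step 3: create a fresh point on the now-clean system. The description is a
# placeholder; MODIFY_SETTINGS is the general-purpose restore point type.
Checkpoint-Computer -Description "Clean point after malware removal (placeholder)" `
                    -RestorePointType "MODIFY_SETTINGS"

# Step 4 (optional in the thread's later discussion): remove every point older
# than the one just created. Sequence numbers only ever increase, so the highest
# one is the point we just made.
$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
Get-ComputerRestorePoint |
    Where-Object { $_.SequenceNumber -lt $newest.SequenceNumber } |
    ForEach-Object {
        Write-Host ("Deleting restore point {0}: {1}" -f $_.SequenceNumber, $_.Description)
        Delete-ComputerRestorePoint -RestorePoint $_.SequenceNumber
    }

# Verify: only the new point should remain.
Write-Host "Restore points after clean-up:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

If you decide, as the thread goes on to discuss, that the old points are worth keeping as a fallback, drop the `Where-Object`/`ForEach-Object` deletion loop and keep the rest; the listing before and after still documents what was on the machine. One caveat for anyone reusing this on a later Windows: from Windows 8 onward, `Checkpoint-Computer` refuses to create more than one restore point per 24 hours unless the default creation frequency is changed, so step 3 can silently do nothing if a point was made earlier that day.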

  #10: Administrator, Portugal (joined Jun 2010, 12,519 posts)

    If 1. is effective, that means your antimalware apps can deal with whatever infections got to your system. This means that if you restored your system, the same apps would be able to deal with the infection. This said, I don't see 4. to be a need, especially in case the infection didn't affect existing restore points.
    Rui
    -------
    R4

  BrooksNYC (2013-08-01) thanked ruirib for this post.

  #11: Star Lounger, New York, NY, USA (joined Dec 2009, 75 posts)

    I see your point, Rui, and thanks. Makes sense.

  #12: Administrator, Portugal (joined Jun 2010, 12,519 posts)

    Originally Posted by BrooksNYC:
        I see your point, Rui, and thanks. Makes sense.

    You're welcome.

    There is no harm in doing 4. I just don't believe in applying recipes without thinking about it a bit more. If you want to play safe, yes, 4. is the way to go, but you won't be infected just because you decided to keep your restore points.

    One thing that we haven't addressed here is the other layer of your safety net - system backups. If you browse around and if you regularly read our forum, you will know many of us are system imaging "zealots". An up-to-date image is your best safeguard against all kinds of threats, may those be hardware malfunctions or software issues, whether they are caused by malware or not. I image my systems once a week, using alternate external hard drives. That has kept me from serious data losses a few times.
    Rui
    -------
    R4

  #13: Star Lounger, New York, NY, USA (joined Dec 2009, 75 posts)

    I hear ya.

    I actually purchased and installed Macrium Reflect Pro on this new laptop, but haven't backed up my system because the instructions scare the bejesus out of me.

    Plus, after browsing support forums for Macrium and a handful of other system imaging apps, it's obvious that infallible imaging software doesn't exist. And lord help me if something goes wrong, because the jargon on those support forums is so arcane it might as well be braille.

    I've long admired you "system imaging zealots" and would like to learn how to do system backups, even if it means hiring someone to walk me through it. Times being what they are, I can't swing that right now, but it's on my bucket list!

    Last edited by BrooksNYC; 2013-08-01 at 17:28.

  #14: Administrator, Portugal (joined Jun 2010, 12,519 posts)

    Can this be of help?

    There are more where this one came from:

    http://www.youtube.com/user/Macrium?feature=watch
    Rui
    -------
    R4

  High Sierra (2013-08-11) thanked ruirib for this post.

  #15: 5 Star Lounger, east coast (joined Mar 2010, 701 posts)

    Yes, of course they can.

    You should totally scrub your PC using every possible program to ensure that there are no viruses or other problems lurking before doing a restore point.

    You do not need to delete them all.

    Should one contain a virus, just keep going back until you get to a clean one.

    Originally Posted by BrooksNYC:
        Having received conflicting opinions on this point, I'm hoping you sharpshooters can give me a definitive answer.

    I'm running Windows 7 Pro. A recent system scan with Malwarebytes turned up two bugs, which I've removed. The question is, are duplicates of these bugs hiding out in various System Restore Points, and if so, why? Why wouldn't Malwarebytes (or any antivirus software) also scan System Restore points? The notion that restore points are somehow "exempt" from scanning defies all logic and common sense.

    Yet I've had people tell me that if a virus turns up my computer, it's best to delete all System Restore points lest I reinfect my system.

    Your thoughts on this would be greatly appreciated, and thanks!
