Windows XP and Millennium Edition use a system restore
feature that allows the system to be reverted to a previous
state by reinstating files from an indexed backup, known
as 'restore points'. When enabled, 'system restore' keeps
track of changes to files by storing 'restore points' in
a special system directory labeled _RESTORE.
Besides its many merits, 'system restore' also has downsides
when it comes to viruses, and especially when trying to
get rid of them!
*Changes made to the system by Trojans, virus infection,
or worms are treated by 'system restore' exactly the same
way as legitimate and benign changes: a new set of restore
points is established that actually reflects the infected
state! Consequently, an attempt to restore the system may
well reinstate the malware that you are trying to get rid
of, if you had the bad luck of not noticing that the restore
points also contain bogus files.
*Another problem stems from the properties of files stored
in the _RESTORE directory. With 'system restore' enabled,
these files can be neither modified nor deleted by antivirus
software. 'System restore' must be disabled in order to
disinfect them, or to delete them in case the file is a Trojan.
As a general rule, disable 'system restore' before disinfecting
or cleaning ME or XP of malware, and re-enable it when
done with the cleaning. Check the following links from
Microsoft's Support for detailed instructions on how to manage
'system restore' during antiviral procedures on the
various platforms:
A different problem stems from the fact that restore
image files under _RESTORE do not keep their original names,
but are referred to by an index instead. This may cause
InVircible false alarms. To explain the issue, suppose
that a file named Benign.exe caused an IV false alarm, and
you added 'Benign.exe' to the executables exclude list
under IV options. Benign.exe will eventually be imaged by
'system restore' and will be given an index name.
If the image file is now accessed by Interceptor, for whatever
reason, it will be flagged as potentially infected, since
Interceptor will not recognize the file under its index name
as being part of the exclude list. To work around this problem,
you may:
*Ignore the false alarm, if certain that it is caused by
the excluded file.
*Take the safer approach and discard the image file from the
system restore database. Disable 'system restore' as explained
above, and remove the image file with the aid of the IV Audit
& Integrity program. Deleting an application's restore
point won't affect its functionality.
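As an added illustration (not part of InVircible or of this article), the Python sketch below shows why a name-keyed exclude list misses the index-named copy under _RESTORE while a content-hash allowlist still recognizes it. The _RESTORE index name, the file contents and the directory layout are constructed for the example; the real naming scheme is not assumed.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample: a benign executable and the copy that 'system restore'
# keeps under _RESTORE with an index-style name (the name A0000123.EXE is
# an assumption for this illustration, not Windows' or InVircible's own).
ROOT = tempfile.mkdtemp()
ORIGINAL = os.path.join(ROOT, "Benign.exe")
RESTORE_COPY = os.path.join(ROOT, "_RESTORE", "A0000123.EXE")
os.makedirs(os.path.dirname(RESTORE_COPY))
with open(ORIGINAL, "wb") as f:
    f.write(b"MZ" + b"constructed benign program bytes")
shutil.copyfile(ORIGINAL, RESTORE_COPY)


def sha256_of(path):
    """Hash file contents in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def excluded_by_name(path, exclude_names):
    """Name-keyed exclude list: matches only on the file's own base name."""
    return os.path.basename(path).lower() in {n.lower() for n in exclude_names}


def excluded_by_hash(path, allowed_hashes):
    """Content-keyed exclude list: a renamed (index-named) copy still matches."""
    return sha256_of(path) in allowed_hashes


def demo():
    """Compare both strategies on the original file and on its restore copy."""
    exclude_names = ["Benign.exe"]
    allowed_hashes = {sha256_of(ORIGINAL)}
    return {
        "name_match_original": excluded_by_name(ORIGINAL, exclude_names),
        "name_match_restore_copy": excluded_by_name(RESTORE_COPY, exclude_names),
        "hash_match_restore_copy": excluded_by_hash(RESTORE_COPY, allowed_hashes),
    }


if __name__ == "__main__":
    print(demo())
```

A hash allowlist also stops matching as soon as the file's contents change, which is exactly what an integrity checker wants: a modified copy is re-examined rather than silently trusted.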