Big Warning against Malware + deleting Restore Points


Alan_B


I have seen recommendations in malware fighting forums that Restore Points may contain malware,

and should be deleted to ensure freedom from re-infection.

 

Victims so advised may think the CCleaner tool is a quick way of doing this,

and not realise that only the registry hives are removed but the malware files remain.

 

How about a warning of the hazard, and/or an option check box that actually removes all the files as well?


  • Moderators

I'd think most giving anti-malware removal advice would either tell people to use Disk Cleanup, or to turn off then turn on System Restore to purge all old restore points that contain infections.


Agreed, that is universal advice from those who understand such things.

But sometimes a friend gives "helpful" advice.

 

And some people who let their machines get infected will tend to ignore advice when they think they have done enough.

 

Some people who use CCleaner to remove Restore Points are not aware that it is only the registry hives that are zapped,

and think of the CCleaner option as doing exactly the same as Disk Cleanup but with greater convenience.


Turning off System Restore is not smart if malware has damaged your system, because you need to restore back to a workable state.

While it's true malware files and registry keys can lurk inside restore points, this only becomes an issue if you perform a system restore.

In any case, most good AV programs can scan and clean restore points, so I really think the above advice is rather dated now.

 

Richard S.


Some people who use CCleaner to remove Restore Points are not aware that it is only the registry hives that are zapped,

1. If that is true, why does my SVI volume drop by ~1 GB every time I use CC to delete a restore point?

 

I can confirm the size change in C:\System Volume Information with Defraggler and Command Prompt:

 

vssadmin list shadowstorage

2. Approx how large is the hive for one restore point?

______________________________________________________________________________

 

Additional notation:

I use CC to keep my allocation space below 10 GB.

 

[attached image: NKVcL.jpg]

 

The default max is 20.822, so if CC removed only the hives my allocation would be constantly maxed out.


Turning off System Restore is not smart if malware has damaged your system, because you need to restore back to a workable state.

While it's true malware files and registry keys can lurk inside restore points, this only becomes an issue if you perform a system restore.

In any case, most good AV programs can scan and clean restore points, so I really think the above advice is rather dated now.

 

Richard S.

I will not argue with you about what is smart or not.

That I leave to malware fighting experts, and Andavari has seen the same sort of advice as I.

Personally I would rather ensure freedom from any residual silent killers,

even at the expense of a crippled system that needs reconfiguring and possibly the odd re-installation.


If that is true, why does my SVI volume drop by ~1 GB every time I use CC to delete a restore point?

Accepted, now for details.

 

On XP, after Disk Cleanup, I had removed all but the last RPxxxx:

C:\System Volume Information\_restore{F6EA6CAA-B744-447E-8F9E-B9A9507C7CB4}\RP1145

This held a folder "snapshot" which contains 29 files and 2 folders with a size of 58.8 MB,

compressed to a size on disk of 27.8 MB.

The largest hive is _REGISTRY_MACHINE_SOFTWARE at 20.8 MB,

second is _REGISTRY_MACHINE_SYSTEM at 16.9 MB,

third is... but I am bored, so to summarise: there are another 17 hives going down to 8 KB,

and then another folder, Repository, with another 4 MB.

 

Everything in this "snapshot" is zapped when CCleaner "Deletes Restore Point".

 

This ...\RP1145 folder also holds 70 other items which total 5.13 MB,

and these are mostly A0*.ini files but also A0*.dll and even a Mozilla A0*.mfl.

 

My experience is that typically 90% of the size of RPnnnn is deletable registry hives in "snapshot",

and 10% are A0*.* files that are the only backup copies of deleted system files,

and this 10% is preserved (including any hiding malware) so the backups are never lost.

 

Vista and Win 7 take much more than 55 MB per restore point.

Pleased to say that on Win 7 I am free of the burden,

no Restore Points at all because a daily Macrium backup gives total restoration of system and my user data,

and it only costs me about 70 to 80 MB per day, or up to 250 MB when my A.V. signature file is updated.

The only time it reaches 700 MB is when I permit a monster patch Tuesday to hammer the system.

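As an added example (my own, not code from this thread or from the CCleaner project) of checking what a restore-point deletion actually left behind: the PowerShell script below walks the XP-style _restore{GUID}\RPnnnn folders described in the post above, totals the registry hives in each "snapshot" folder separately from the A0*.* backup copies that remain after the point is deleted, and parses the output of the vssadmin list shadowstorage command from the earlier post so the allocation can be checked from the same prompt. It assumes PowerShell 3 or later and an elevated prompt that can read C:\System Volume Information (by default only SYSTEM can); the folder names and the list of extensions flagged as executable are assumptions.

```powershell
# Added example, not part of the thread: inventory XP-style restore points and
# report how much of each RPnnnn is registry hives ("snapshot") versus A0*.*
# backup copies, which survive a "Delete Restore Point" in CCleaner.
# Assumes an elevated prompt with read access to System Volume Information.

param(
    [string]$Drive = 'C'
)

function Get-RestorePointBreakdown {
    param([string]$Drive)

    $svi = Join-Path "$Drive`:\" 'System Volume Information'

    # XP keeps restore points under _restore{GUID}\RPnnnn; Vista and later use
    # VSS shadow copies instead, so this loop simply finds nothing there.
    $rpFolders = Get-ChildItem -Path $svi -Directory -Filter '_restore{*}' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Directory -Filter 'RP*' -Force }

    foreach ($rp in $rpFolders) {
        # Registry hives live in the "snapshot" subfolder.
        $snapshot  = Join-Path $rp.FullName 'snapshot'
        $hiveBytes = 0
        if (Test-Path $snapshot) {
            $hiveBytes = (Get-ChildItem -Path $snapshot -File -Recurse -Force |
                Measure-Object -Property Length -Sum).Sum
        }

        # A0*.* files are the backup copies of replaced/deleted system files.
        $a0Files = @(Get-ChildItem -Path $rp.FullName -File -Force -Filter 'A0*')
        $a0Bytes = ($a0Files | Measure-Object -Property Length -Sum).Sum

        # Extensions to flag for a scan are an assumption, not a fixed list.
        $exeLike = @($a0Files | Where-Object { $_.Extension -in '.exe', '.dll', '.sys' })

        [pscustomobject]@{
            RestorePoint      = $rp.Name
            HiveMB            = [math]::Round($hiveBytes / 1MB, 1)
            BackupFileMB      = [math]::Round($a0Bytes / 1MB, 1)
            BackupFileCount   = $a0Files.Count
            ExecutableBackups = $exeLike.Count
        }
    }
}

function Get-ShadowStorageUsage {
    # vssadmin is the real Windows tool; turning its text into objects is ours.
    $lines = & vssadmin.exe list shadowstorage 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*(Used|Allocated|Maximum) Shadow Copy Storage space:\s*(.+)$') {
            [pscustomobject]@{ Field = $Matches[1]; Value = $Matches[2].Trim() }
        }
    }
}

Get-RestorePointBreakdown -Drive $Drive | Format-Table -AutoSize
Get-ShadowStorageUsage | Format-Table -AutoSize
```

Run it before and after deleting a point: the HiveMB column should drop to zero while BackupFileMB stays, which is the difference the post describes between CCleaner and Disk Cleanup. The ExecutableBackups column is the set of files worth scanning or reviewing before those leftovers are trusted.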

  • Moderators

In any case, most good AV programs can scan and clean restore points, so I really think the above advice is rather dated now.

Thankfully there are things called false positives; I've seen antivirus programs unable to remove them from System Volume Information. Not that I'd even be worried about them failing to deal with that location, because for registry backups I use ERUNT, and for actual true system restoration I use Macrium Reflect, and my Macrium backups are always current enough that any updates afterwards would be minimal.


Turning off System Restore is not smart if malware has damaged your system, because you need to restore back to a workable state.

While it's true malware files and registry keys can lurk inside restore points, this only becomes an issue if you perform a system restore.

In any case, most good AV programs can scan and clean restore points, so I really think the above advice is rather dated now.

 

Richard S.

Richard, I have to disagree with you on that.

 

I have encountered some nasty rootkits before that even the latest greatest Malwarebytes + updated definitions, Spybot, & others were unable to touch.

There are rootkits that bury themselves deep enough that if you leave someone with a restore point that may be infected, & they restore back to that infected point, you will find yourself re-cleaning that computer.

 

Although it is true that good AV programs can find SOME of the malware hiding in restore points, they cannot find it all. I have had enough slip by to know.

Turning off the restore points IS a good idea if you really want to keep a system from getting re-infected in certain instances.

 

I may leave the restore points if it is something that wasn't too nasty, but sometimes, you have to remove them in order to ensure a clean system. It's not an option anymore. It's a requirement.


  • Moderators

It is not a requirement to delete all restore points in order to ensure removal of all malware.

 

Someone could read that and turn off System Restore before running their AV, and if a nasty is removed and it borks the system then they have no way back (and don't say they should have had an image).

 

A lot of malware removal specialists would say that having a restore point available to a user to 'get back in' is better than having to do a system install.

 

Please be more aware of the advice that you write, Super Fast; it gets read by people who may not have a lot of experience with malware, images and operating systems in general.

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 
