
Accidental wipes


Queenie1946


Howdy,

 

We do not know if CCleaner is responsible, but from what we can find out, this is the most likely culprit. What happened is this: on 14 September 2011 at 16.45 & 16.46 CET, the contents of two folders on a data drive were wiped due to an unknown event. The contents consisted of various video files (.avi format). We checked with Recuva, and could determine that the files were wiped and subsequently overwritten, as we only detected the problem on 22 September. None of the files could be recovered. Antivirus software logs registered no activity on their part. The initial theory that the files were somehow classified as "hidden" was thus proven wrong. According to the Tech Guys at Microsoft, a rogue action by the cleaning software (CCleaner is the only one we have) is the most likely candidate.

 

Has anyone had similar experiences, and if so, what can be done to prevent this from happening again?

 

Finally, I'd like to point out that CCleaner is only run manually, there are no scheduled tasks, and it has been a while since we ran it (usually once every two months).

 

Thanks.


I think that CCleaner only uses the APIs that are incorporated within Windows for such things as defragging and wiping / erasing.

These APIs could be triggered by things other than CCleaner, such as malware or system crashes, errors, glitches, and memory errors.

High temperatures also cause malfunctions.

 

CCleaner would only designate the "kill zone" and launch the process if :-

the "kill zone" had been manually configured and

it was launched upon manual command or by a manually setup automatic, such as on startup or via Windows Scheduling service.

 

What were the exact drive and path details for these two folders,

and which folder was attacked at which time,

and how do you know to a precision of one minute the time of wiping?

Do the system Event logs not show any significant events at these times?


Hi, Queenie1946. If this situation is at all "forensic" in nature, may I suggest that you send a PM to one of the site admins. They can help more than members or even moderators, who are volunteers. Not cutting you short, just a suggestion.

 

See also this thread, close in time to your event: http://forum.pirifor...showtopic=33804

 

If it is instead a case of losing some personal files, please forgive my intrusion. :)


I think that CCleaner only uses the APIs that are incorporated within Windows for such things as defragging and wiping / erasing.

These APIs could be triggered by things other than CCleaner, such as malware or system crashes, errors, glitches, and memory errors.

 

What sort of defragging operations does CCleaner do?


 

What sort of defragging operations does CCleaner do?

None at all - that is the realm of Defraggler.

I rarely defrag.

 

I will leave it to defrag disciples in the Defraggler forum to explain their religion :)


The OSs we use are all Windows Ultimate (x64). The system consists of a network of 6 computers: 2 towers that serve as main data storage and backup system respectively, with 4 notebooks tied into the network. Although all systems can access the data HDDs (2 TB Caviar Black, 64 MB cache each), altering the data must be done from the main tower; read-only restrictions apply to prevent data loss. The backup system in the secondary tower consists of clones of the HDDs from the main tower. The two towers have an almost identical configuration (differences being specific software installed for specific hardware): one 2 TB HDD for the OS and four 2 TB HDDs for the data. The entire network is protected by UPS systems and power surge protectors.

 

We believe viruses and malware can be ruled out; Avast Internet Security, Microsoft Defender, Microsoft Security Essentials and Malwarebytes' Anti-Malware take care of that. All six systems use these four programmes and nothing was detected. These four programmes monitor all activity on a real-time basis.

 

One of the data HDDs is used for active projects (and this HDD has its own clone on the secondary tower), while the other three data HDDs are used for archived projects (again with a clone on the second tower). The data was erased from the second data archive HDD (although we don't use the archive attribute on the files or directories) on the main tower; the backup clone was intact.

 

Since nobody accessed this data anymore, we could determine the moment of wipe from the last time the folders in question were altered; that was 14 September 2011 at 16.45 and 16.46 CET.

 

There were no errors reported and no crashes occurred. CCleaner is not set to operate on these HDDs either, as this would be pointless due to their nature of serving as data archive. The systems are set to take action in case the temperature reaches certain levels; no such action had been undertaken.

 

We don't use any kind of scheduled task, not even for cloning purposes. CCleaner was not running on any of the six computers at the moment. No event was recorded in any log. The entire network remains operational 24/7; nothing special happened that afternoon. The only thing that did happen was a router reset early that morning, which became necessary after some routine Windows updates.

 

Of course, we don't know whether the problem is actually caused by CCleaner; this is just Microsoft's best guess (and ours).

 

Thanks.


  • Moderators

I don't know what happened and, at a distance, it's very difficult to even guess; this is a fairly complex system setup. I can't see how CC could have done this. It would have had to start up on its own, change its Include configuration to reference a specific folder on an archive disk in a computer it doesn't know exists, run, clear up the evidence and close. I'm not trying to protect CC; this behaviour - or this almost impossible to believe behaviour - applies to all other applications as well.


The contents consisted of various video files (.avi format).

In which folders were the videos stored?

 

We checked with Recuva, and could determine that the files were wiped and subsequently overwritten

How did you check your files, i.e. did you recover them and find them unable to play back?

 

Have you tried chkdsk yet?

 

Richard S.


We believe viruses and malware can be ruled out; Avast Internet Security, Microsoft Defender, Microsoft Security Essentials and Malwarebytes' Anti-Malware take care of that. All six systems use these four programmes and nothing was detected. These four programmes monitor all activity on a real-time basis.

Are you sure this is safe?

 

Experts generally recommend avoiding more than one real-time A.V. product, plus perhaps an on-demand scanner.

If you have four real-time A.V. products giving simultaneous real-time protection you might be pushing the boundaries.

Perhaps they had a conflict.

 

You said "read-only restrictions apply to prevent data loss".

I assume this is supposed to protect against destruction by anything other than the Main Tower.

My experience is that Norton A.V. has excessive authority, and adds its own files and folders within System Volume Information on every accessible NTFS partition.

Generally I believe any effective A.V. product can delete most system files,

and in fact in recent years bad signature updates have caused massive destruction of system and application files, as they acted on signature "false positives" and chose to destroy and not quarantine.

Is it possible that one of the computers other than the Main Tower saw a virus and acted?

 

Incidentally I believe Reparse Points may be given Access Control List restrictions to permit read and prohibit delete.

On XP I found that CACLS could be used to allow me to choose what permissions I wanted,

and there were about 2 dozen types of access to choose from.

Windows 7 is unlikely to be less complex.

I have seen bug reports that suggest that a destination of a restricted reparse point may be protected against deletion but NOT against SECURE deletion.

Therefore any of the Read Restricted computers that is unable to delete the files might still use any chosen tool to SECURE delete them.

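A way to implement the read-but-not-delete restriction discussed in this post, and to get any future delete attempt recorded in the Security log so the next question "what removed these files at 16.45?" has an answer. This is an added example, not code from the poster or from CCleaner; it is PowerShell run from an elevated prompt on the main tower, and D:\Archive2 and ARCHIVE\Readers are placeholder names for the archive folder and the group the read-only clients belong to.

```powershell
# Added example, not from the thread. D:\Archive2 and ARCHIVE\Readers are placeholders.
$Path  = 'D:\Archive2'
$Group = 'ARCHIVE\Readers'

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop      = [System.Security.AccessControl.PropagationFlags]::None
$delRights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'

# -Audit loads the SACL as well as the DACL; this needs an elevated prompt.
$acl = Get-Acl -Path $Path -Audit

# Explicit Deny on Delete and DeleteSubdirectoriesAndFiles for the client group.
# Explicit Deny ACEs are evaluated before Allow ACEs, so existing Read access is unaffected.
$denyDelete = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group, $delRights, $inherit, $prop,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($denyDelete)

# SACL entry: record successful and failed delete attempts by any account.
$audit = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', $delRights, $inherit, $prop,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($audit)

Set-Acl -Path $Path -AclObject $acl

# Object-access auditing must be enabled, otherwise the SACL is never consulted.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Afterwards, Security event 4663 names the account, process and object for each
# audited access. Narrow the search to the window in which the folders changed.
$start = Get-Date '2011-09-14 16:40'
$end   = Get-Date '2011-09-14 16:50'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $start; EndTime = $end } |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Message
```

The Deny ACE blocks ordinary deletion from the client group; the SACL plus auditpol setting is what turns a silent wipe into a logged event with the responsible account and process name.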

  • Moderators

Just wondering how all 6 of your systems can use Windows Defender and MSE, because the install of Microsoft Security Essentials automatically turns Defender off.

 

http://answers.micro...4a-6afaea010f49

 


We checked with Recuva, and could determine that the files were wiped and subsequently overwritten as we only detected the problem on 22 September.

 

Questions

Did you mean subsequently or consequently?

 

i.e. does Recuva show that the files were secure deleted and at a subsequent later time overwritten by other files, which could either remain or have also gone?

Or could something have simply deleted the files, and at a later stage a Free Space Wipe or an equivalent was performed?
