VIRUSES ? Recuva Data Restore

[Daxlinked]

I restored my computer and in the process broke-up the RAID 1 array when I got malware attacked. Now, I intend to recover one of the drives that use to be part of the array; recuva says 126,073 files exist on the volume I picked as it was never written to (the other array drive has been written to). That is a bit high but the virus probably replicated itself many times.

 

So, here is the key question: If Recuva recovers the files, will the virus execute itself in the process? I have Norton Security Suite and Malwarebytes – both fully updated; accordingly, can I run them, before the recovery, inside the 126,073 files Recuva found - and if so how? Thank you!

[Augeas]

Are you recovering deleted or non-deleted files? At a wild guess, Recuva will copy the deleted files to your desired recovery area with no problems, it will not execute any of the files. I would hope that your anti-virus would complain bitterly when any infected files are written, or attempted to be written, by Recuva. If not then write to wherever and then scan that folder. Well, I'd do that anyway.

[Daxlinked]

Augeas - Technically, I'm not sure what happens when you break a RAID array - either the FAT is disassociated from the files or not - files are either formatted or deleted.

 

In any case - as I noted, I see my 126,073 files with Recuva.... But the key question remains: will restoring my files with Recuva cause .exe and other executable files to launch? And, can I pre-scan the files for viruses inside of Recuva before recovery? And, thank you - of course, I am going to do all the security basics once the files are readable and writable. Thanx!

[Guest Keatah]

Well, Recuva isn't going to launch any of the recovered files.

[Alan_B]

Technically, I'm not sure what happens when you break a RAID array - either the FAT is disassociated from the files or not

I have no experience of RAID, but I always assumed it used NTFS and not FAT or FAT32

[TheWebAtom]

I have no experience of RAID, but I always assumed it used NTFS and not FAT or FAT32

 

It can be either.

 

To answer the question; no: Recuva won't attempt to execute any files it recovers.

[Daxlinked]

Shane -

 

Thanx! I assume, since you didn’t speak about it, that I cannot somehow run Norton Anti-Virus or Malwarebytes scans inside the files Recuva found, and that Piriform does not have an anti-virus product that works hand-in-hand with Recuva. That is too bad.

 

Thanx everyone for the help – we can close this thread.

 

Dax

[Guest Keatah]

Before we close it. The way Recuva (and many other data recovery programs) works is to "undelete" and recover your files to a user-specified directory. Ok. Then after that is done, you use your mal-ware scanner anti-virus utility to look at those freshly recovered files. This is a common practice.

 

IMO, to integrate a virus scanner and a recovery program such as Recuva would give marginal improvements/benefits at best, but at significant increase in user interface complexity.

 

It is best to keep the two functions (recovery and virus scanning) separate. Always been this way.

 

Furthermore, the folks the built Recuva are experts in retrieving files. Let them continue to work on that.

The folks that built Microsoft Security Essentials are experts in scanning for viruses and mal-ware. Let them work on that exclusively too.

[Nergal]

those files don't exist thus nothing can virus-scan them. The things you see in recuva are ghosts, the virus scanning will have to occur after recovery.

 

was this striped raid or mirrored?