Viruses in the System Volume Information (System Restore).

rpg - Thank you a million times!
I am going to link this Article about 15 times a day. So many of our contributing Experts have been taught wrong about this whole idea, and you have set them straight!
(If I could figure the formating on this site, I would bold this whole response.)
Excellent work!

I disagree, we have disable system restore because of its inability to perform as expected. Also because Symantec recommends that system restore be turned off. It uses valuable resources on the PC and I've never had it fix anything.

CohKarlHaskins:
Please go back and read through the Article again.
The exact recommendation by rpggamergirl is what any System Technician should be doing.
Under no circumstances should any of us rely on one source (your Symantec reference), rather we should do some research and - based on our own practical experience - make a decision.

I still stand behind what I said. I have no faith in system restore. I am MCP with over 15 years experience. I support a large corporate enviroment with over 4000 computers. You can do what you want, I can disagree if I want. No one is wrong here.

Hi CohKarlHaskins

I do use System Restore, along with a lot of other people (I would imagine).

Fortunately I have not had to use it because of a virus, but have definitely used it and thought it was a life saver.  At the time, I was wondering what would happen if it already contained some kind of corruption (like a virus) and this Article works for me.

Seeing as you have disabled system restore and dont use it, then this Article is pretty moot for you. Mainly because it isn't about the benefits or otherwise of system restore, more so, what to do in the advent of a virus in there...

Interestingly, you have indeed aroused my interests. Maybe System Restore can cause more pain than good, and there are good options or alternatives to help restore systems. While this might not be the right thread to discuss that, it does sound like it would make for a great Article from you.

So putting on my Page Editor hat, and being opportunistic, can we entice / encourage you to write an Article about System restore, the pain it can cause, and any alternatives ?

System Restore is a bad idea in a corporate environment.
1.      System Restore gives a false sense of security
o      System Restore does not protect the PC from viruses, spyware or malware.
o      The main purpose is to protect against software conflicts and bad device drivers. (A trained PC tech can fix these issues without a canned solution).
o      System Restore works better if there are no restore points set between the restore point you want to use.
o      System Restore works best if the restore point is used before any other changes are made to the computer.
o      System Restore can use up valuable disk space.
o      Users can change the settings without being a local administrator.
2.      System Restore can backup and restore virus infections on the computer.
o      Ive experienced this first hand with one of our power users
3.      System Restore process occupies valuable system resources.
o      I have disabled System Restore on slow systems to speed them up.
o      I have disable System Restore to recover disk space.
4.      There are issues with using System Restore with domain membership.
5.      System Restore can cause the dreaded Procedure Entry Point error. (This is the show stopper as the system will need to be reimaged once this happens)


Now, I'm not saying that it is worthless. I'm just saying that I can't put any faith it System Restore's ability to recover a system in the environment I work in. We train our new techs to operate as if there is no System Recovery utility and it works for us.

I voted yes above.  This is an excellent article and I thank you for writing it.  I wrote an article on how to disable.reenable System REstore in a more step by step (tutorial) method.  I linked to your article in the first paragraph since you explain what System Restore is so well.

My article can be found here:

http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Windows/XP/Removing-protected-System-Restore-files-if-they-have-been-infected.html

A couple of points here...

(1) The position advocated by several MS MVP's is also MS's position, no doubt they have a vested interest here too. I wouldn't like to develop a mechanism that claims to provide system recovery and then have other people trying to discredit it. In my opinion, SR works well and cannot be discredited. It is a valuable part of the Windows operating system. It may not be the *only* mechanism by which you can address system corruption issues, it may not be the *best*, it may not be *perfect*, but it is a great improvement over the Win98 and 95 days, isn't it? I've used it several times and I've come to rely on it as my preferred option if it's viable.

(2) Symantec has a long history of producing products that protect the user and help the user in times of trouble. And they would also understandablly react to someone moving in on their turf, but MS isn't the only alternative to Symantec products, are they? I imagine that other products also try to convince the user that they are the be all and end all of system recovery. It's a standard product marketing agenda, that's understandable too.

(3) To be fair to MS, it is their operating system, and they're best placed to recover your corrupt system. Why should they sit by and watch someone else enter their jurisdiction and begin to clean up the streets. Some would argue that MS is unfairly advantaged and that it should be limited in how integrated its operating system is, but I would think that system recovery is something you would like to take for granted from a mature operating system.

My conclusion, if you use MS, and MS work well, and the MS components in question come at no added cost, then why switch to another product unless there is a vested interest, or for research purposes, or personal preference. If it is out of personal preference, then let's not try to imply that "it doesn't work properly" or something like that. Apart from the cost of MS products, they're generally good products that many people can and should safely rely on, and Windows is still the preferred OS even for many "experts" including myself.

rpggamergirl, I voted yes, good article, and thank you for your effort.

Thanks for the article and time to write it.  Especially for stating the issues and your point so well.  It is one I agree with.  I have to admit at times I do completely disable System Restore and have relied on other methods for recovering.  I can understand that point made by one of the others.  To me this article isn't for those cases or that audience though.  It does help me for those machines or cases where I do have System Restore active and that machine gets infected.  Thanks for clearly expressing your recommendation and for the explanation of it.  It makes sense now although I will admit in the past I have followed the other advise, partially because I was afraid it would make cleaning harder.

bol

Voted Yes.

Good article.
- Useful advice on when to clear restore points - irrespective of whether a virus has even been in the equation or not, that is almost a side issue.

Keith

When I do use windows xp in boot camp or in a virtual machine or even on a normal pc I refuse to use system restore as a backup plan / method / route.

I do a clean fresh install - ascertain which drivers the computer needs ( chipset, video / audio etc ) and install all of them doing the chipset first, then latest network card, latest audio etc

Disable and delete and restore points etc

Then I install any software I require whether it be open office, microsoft office, gimp and the likes ie anti virus, anti spyware , possibly a software firewall ie free zone alarm.

Then I would use something like acronis true image, norton ghost, bacula or something similiar and make an image of the system to either a dvd set or an external hard drive ( preferably an ext hdd ) from there I store all my data on another hard drive / storage pool - preferably somewhere that has raid even if its an external Lacie RAID 1 hdd or else where similiar that way if I need to re install windows then I can use the dvd set or ext hdd to re image the computer.

All the data I had is safe assuming when you go through the installation process you have the ext hdd dis connected so you dont accidentally format it and then the computer will be re imaged and all your data safe because your data is still on the ext hard drive or other hard drive that has nothing to do with the system drive ( C: ) or wherever you installed windows as you keep it seperate.

gecko,

Your method is one of the best.  Unfortunately, most people don't have the wherewithal (sp?) or technical expertise to do it that way.  I've set up many systems and cleaned many more.  Most of the time users don't have backups and the data, apps and OS are on the same partition.  If they have a default Windows setup then System Restore is enabled and in turn their best backup solution.  Once they leave my office they have a different view of backup and some new software.  I also tell them pretty much the best way to go about configuring their computer is as you have described.  

On the off hand that they have had a malware problem (usually why they come to me), My LAST step is to disable SR, thereby deleting all their restore points and any problems that may be reintroduced later on.  I use the procedure I outlined above to make sure that any malware on the machine doesn't leave my office.  (you'd be surprised how often people reinfect their machines with system restore)

Thanks for your comments.

I'm surprised that the way IT has gone they have not come up with an all in one raid 1 -  256 gig drive that has 2  hard drives ( Laptop hard drives ) so that you could have that installed on the 2nd channel whether SATA OR PATA and re direct my documents to that partition and make it policy to store data on that partition and if they wanted have group policy or volume shadow copy keep a backup of it assuming the network connection is fast enough  and disable system restore completely and have some software as per mentioned above acronis, ghost or what ever software supports it that would on shutdown reboot into dos or its own util that would do an image of the main drive to the other drive so if it did go sunny side up then you could replace the main drive and boot into the util and get it to restore the OS at its last capture point and all the apps / data would still be there and obviously if one of the laptop drives died you just replace it and it would copy the data to the other drive.

That way users data are backed up on each pc locally as well as backed up on the server centrally via tape or nas or w/e

One of the firts things I do with my corporate and personal computers was to disable the System restore, when something say earlier, it give a false sence of security, im the domain admin, and one of my first domain plicys was the "system restore : disable"

I prefer to format the corrupt or infecter computers, almost all time it taker fewer time in comparation to time invested to solve "extrange" problems...

Im a good problem solver, and resolve a lot of issues with PCs and Servers, but with PC's if pass 30 mins with any idea of the problem, i give the PC to my support personal to format it... with server all time solve the issues, some times with ideas taked here, or with the good friend google =)

aka re imaging the computer whether it be via WDS, RIS, Sysprep, ghost, acronis true image, FOG , clone zilla or otherwise

Thanks for the clarification of this post just picked up on this comment

"She CLEARLY stated NOT to delete Restore Points before attempting spyware removal because if something goes wrong there's no way to reverse your actions. Yes you would want to delete those restore points but the time to do it is later, not while in the process of cleaning the system."

=============================
I got to the point with viruses / spyware where if the computer is infected and I did delete system restore points and it would not boot up ( depending on the error you get ( BSOD ) then you may be able to replace the relevant items from the recovery folder ) but if it refuses to startup then I use a linux live disc such as knoppix or bart pe or a win pe disc ( there are other discs available ie ultimate boot disc )  to backup any data and format and re install the OS along with drivers and software which is always a good thing because you get

1. A fresh install so you know you have completely wiped out the problems ( viruses / spyware / maleware etc )

2. You get up to date drivers

3. When you install the software all the software will be updated along with the OS updates depending on if you run windows updates or if you already have an up to date installation disc with all updates previously slip streamed.

4. Although this may take a bit longer then just repairing it there still may be left overs that have been missed and although its stopped the computer from being slow or whatever the signs were a fresh install is a lot easier and safer bet of getting rid of a computer riddled with viruses / malware etc

5. Yes I never thought of doing it that way around with ref to disabling system restore last but I have had a few cases where I have ran the virus scan ( different anti virus solutions / apps ) and it still stated that the computer was infected ( all definitions were up to date at that point in time ) , in the end the user had copied all there data to an external hard drive which was scanned for viruses / malware and turned out to be clean so we disabled system restore and re ran the scan and that seemed to resolve the issue.

I don't use windows or do any of that now - at least for the time being, would be nice to get back into the IT support realm of work again but currently need to get more qualifications so will be working on that.

Also learning more about the apple mac platform / BSD / *NIX so sort of given up on the windows platform with all the problems and have to x, y and z to keep it running , not to say other operating systems are better as they all have there pros and cons.

Anyway back to the system restore article and enough said about other ways of doing things.

I may consider doing a few articles later on.

I also disagree, especially since Conficker (downadup) resets the system restore points, it's unreasonable to assume other Viri don't or haven't done this in the past (which they have)
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker (payload section)
System restore does act silently if vital/critical system files have been altered, and no action from the user is prompted, the files are replaced. Also if one BSOD's, or somehow comes to the "use last known good configuration screen" the restore point it being accessed and used. I've seen this a few times, the viri are not as "dormant" as the article leads people to believe.
I think it's a judgment call to delete the restore points before or after infection, I'm of the opposite opinion of the article on the side of AV vendors, disable before cleaning. Perhaps our Xp and Vista setups are different than yours, but users who have sys restore enabled in our environments get reinfected over and over with the same viri unless there is a patch that directly stops them, or they are not an administrator.
-rich

It has been my experience that when this particular version of conficker attacks the reset of the System Restore is merely deleting all your restore points, YMMV.  I have yet to have a real problem in which System Restore points have infected a computer without being used.  Although I am not familiar with System Restore working in the way you suggest I could imagine it to be the case.  In the end it doesn't really make a difference since I believe "having an infected restore point is better than having none at all" is a truism.  My last step in cleaning a computer is always to disable and then reenable system restore thereby deleting all old restore points anyway.  

I agree with rpggamergirl in her very adept analysis of this.

That's sort of what I was getting at... I think it goes both ways. If you have no restore points, and it's not easy for the average user to tell, then you won't have a restore point to fall back on should the removal mess something up. Downadup/Conficker has been around 2-3 years now, if a user has had the infection long enough and installed their patches/sp's or even other software that sets a restore point before installing, then conficker does get "backed up" in the restore point. When a restore is done from a conficker infected restore point, upon conficker execution that restore point is gone again often leading to even more OS instability than before restoring to the infected rp. It's not limited to conficker, but it's a fine example.
Our company has had mixed success with system restore (infected or not) so we probably are more biased against it, as for us it's been more headache than blessing, YMMV etc..
So my point is not to argue if having a infected restore point is better than none, it's that you might not have one at all, esp if you catch the infection quickly. I think deleting before or after depends on what you have been infected with, it might be better to err on rpg's side, even if there is no restore point to go back to. I'm more of a LUA advocate than anything else.
-rich

In which case I agree with what you say as we have many users who (by default) have SR enabled and don't have the slightest idea it's there until they get something for which they need to call me.  Generally I don't use restore points and tend to lean toward reimaging a system completely rather than wasting time trying to delouse it and finding out down the road that something was still left and it's infected again.  I also use Microsoft's SteadyState on computers (excellent software) which puts the system back in the exact state you left it in when you installed SS after every reboot.  This is of course not for those users who save a lot of files to their hardrives or make significant changes to local drives.

I don't pretend to speak for the author of this piece, but one of the reasons for writing it may have been to combat an increased incidence of certain advice here on EE. We had several new experts start telling ALL Members to ALWAYS start their disinfecting procedures by deleting all Restore Points.

Obviously, that is not always the right decision for everyone.

The vast majority of people asking those questions here on EE are one/two computer home users with very limited IT skills. Having a Restore Point to fall back to (infected or not) is a viable way of getting them back up and running again.

>>We had several new experts start telling ALL Members to ALWAYS start their disinfecting procedures >>by deleting all Restore Points.

I think I was guilty of this to start with and at the time did not realise that they were starter users and personally the way I do it with a boot disc ( bart pe, linux live disc or the likes ) and recover data that way and then just do a fresh install.

Appologies to anyone If I did do that !!

gecko_au2003:
I don't remember seeing you do that and I tend to keep a pretty close eye on the Zones.

Quite honestly, I miss the old days when (by regulation) any infected box had the HDD removed and destroyed, with an image loaded on a new HDD - about a 15 minute job.

Now my customers have no image, no backup, (no common sense - LOL), and they pay me by the hour to grind out their data (MY BABY/WEDDING PICTURES ARE GONE!) and 'repair' their systems.

Oh well, at least it keeps me in beer money.

Perfect. Voted yes.

In a work enviroment I think its a case of all data goes to your network drive ( home area or whatever you want to call it for arguments sakes ) and if anything like that happens its a case of a re image or swapping hard drives and re image / re install as you mention above.

lol @ beer money, free as in beer I take it.