Receiving Symantec virus detection on c:\system volume information/_restore (......). Is Symantec server failing to restore information or is there a real threat?

This is showing up in Symantec Endpoint Protection report for clients.
There are 7 different references on the same issue and client.
HPLDIT Asked:

Thomas Zucker-Scharff (Solution Guide) Commented:
Looks to me like your system restore points have infections. You can NOT clean these since they are protected files (no matter what the software says). The only way to clean them is to disable System Restore (this should delete them), then run a full scan to be sure.

NOTE that disabling System Restore deletes all your restore points. Be sure you are able to shut down and reboot before disabling System Restore. See the article here about disabling System Restore and pay special attention to the other article referenced in the first paragraph. (This article was written with XP in mind.)

http://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Windows/XP/Removing-protected-System-Restore-files-if-they-have-been-infected.html
0
uescomp Commented:
I would try using a freeware program to scan your client workstations. Malwarebytes is a great program to use in these types of situations. The program is free and can be found here:

www.malwarebytes.org

Make sure you get all the updates before running a full system scan.
0
DooDah Commented:
WebrootSpySweeperW/Antivirus very preventative based on SOPHOS, works with Symantec.

What I like about WebrootSpySweeperW/Antivirus is that it cleans Viruses/Malware and flags websites (intercepts the website's attempt to re-infect) in REAL-TIME. Find it at: http://www.advmolink.com

WebrootSpySweeperW/Antivirus is the cheapest way to get the SOPHOS Antivirus Engine protection on your computer updated several times a day. ( http://www.advmolink.com )

There is currently a $10.00 OFF coupon for WebrootSpySweeperW/Antivirus on the SIDE SCROLL at http://www.advmolink.com

0
HPLDIT (Author) Commented:
I would suggest you try booting to safe mode. Then change the folder view options to uncheck "hide extensions for known file types" and "hide protected Operating System files (recommended)". Then you should be able to scan the restore directory and quarantine or delete the infected files. In fact, your error messages should give you a file name at the end, which is most likely consistent. You can do a search for this filename specifically to see its locations on your drive and to quarantine it.

A second option as mentioned above would be to get rid of the restore files - they are probably unusable as they may be infected.  But I disagree that it is the only option.  Even free AV programs like Avast have been able to successfully clean infected restore files using the described method.  Of course, your mileage may vary.  
0
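
One way to answer the "restore failure or real threat?" question from the report itself, as an added example that is not part of the original thread: split each client's detections into files inside the System Restore store and files anywhere else. The report rows, client names, risk name and GUID are constructed, and the `_restore{GUID}\RPn\file` layout is assumed to be the XP-style one the thread deals with.

```python
import re
from collections import defaultdict

# XP-style restore store: <drive>:\System Volume Information\_restore{GUID}\RPn\file
# Either slash is accepted, since report paths sometimes mix them.
RESTORE_RE = re.compile(
    r"^[a-z]:[\\/]system volume information[\\/]_restore\{[0-9a-f-]+\}"
    r"[\\/](rp\d+)[\\/]([^\\/]+)$",
    re.IGNORECASE,
)

GUID = "{00000000-0000-0000-0000-000000000000}"  # constructed placeholder
STORE = r"C:\System Volume Information\_restore" + GUID

# Constructed rows (client, risk name, path); not taken from a real report.
SAMPLE_DETECTIONS = [
    ("WS-014", "Risk.Example", STORE + r"\RP41\A0001201.exe"),
    ("WS-014", "Risk.Example", STORE + r"\RP41\A0001202.dll"),
    ("WS-014", "Risk.Example", STORE + r"\RP42\A0001310.exe"),
    ("WS-014", "Risk.Example", STORE + r"\RP42\A0001311.dll"),
    ("WS-014", "Risk.Example", STORE + r"\RP43\A0001422.exe"),
    ("WS-014", "Risk.Example", STORE + r"\RP43\A0001423.dll"),
    ("WS-014", "Risk.Example", STORE.replace("\\", "/") + "/RP44/A0001500.exe"),
    ("WS-022", "Risk.Example", STORE + r"\RP7\A0000301.exe"),
    ("WS-022", "Risk.Example", r"C:\WINDOWS\system32\example.dll"),
]

def triage(detections):
    """Group detections per client into restore-store copies and live files."""
    report = defaultdict(lambda: {"restore": defaultdict(list), "live": []})
    for client, risk, path in detections:
        m = RESTORE_RE.match(path.strip())
        if m:  # archived copy inside a restore point (RPn)
            report[client]["restore"][m.group(1).upper()].append((risk, m.group(2)))
        else:  # flagged file on the running system
            report[client]["live"].append((risk, path))
    return report

def verdict(entry):
    """Summarise one client's entry from triage()."""
    if entry["live"]:
        return "live-files-flagged"
    return "restore-store-only" if entry["restore"] else "clean"

if __name__ == "__main__":
    for client, entry in sorted(triage(SAMPLE_DETECTIONS).items()):
        print(client, verdict(entry), sorted(entry["restore"]), entry["live"])
```

`restore-store-only` means every flagged file is an archived copy inside a restore point; `live-files-flagged` means at least one detection is outside the store.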
Thomas Zucker-Scharff (Solution Guide) Commented:
?  It sounds like you are answering your own question as another person??????

I am interested in your assessment as I have never been able to actually clean system restore points with any software. I have not tried your method and will do so the next time I run into an infected SR (which won't be too long as this is pretty much what I've done for over 15 yrs).
0
HPLDIT (Author) Commented:
Yes, I guess I am coming back to answer my own question.  Guess I should have researched a little before posting the question.  I will not say that this method will work every time, but it worked for me.
0
Thomas Zucker-Scharff (Solution Guide) Commented:
I'm glad you found an answer!  I'm glad this worked for you.  I will definitely try it.  

You should accept your own answer as the solution to close this question.
0