receiving Symantec virus detection on c:\system volume information/_restore (......), Is symantec server failing to restore information or is there a real threat?

receiving Symantec virus detection on c:\system volume information/_restore (......), Is symantec server failing to restore information or is there a real threat?
This is showing up in Symantec Endpoint Protection report for clients.
There are 7 different references on the same issue and client.
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

HPLDITConnect With a Mentor Author Commented:
I would suggest you try booting to safe mode.  Then change the folder view options to uncheck "hide extensions for known file types" and "hide protected Operating System files (recommended)".  then you should be able to scan the restore directory and quarantine or delete the infected files.  In fact, your error messages should give you a file name at the end, which is most likely consistent.  You can do a search for this filename specifically to see its locations on your drive and to quarantine it.

A second option as mentioned above would be to get rid of the restore files - they are probably unusable as they may be infected.  But I disagree that it is the only option.  Even free AV programs like Avast have been able to successfully clean infected restore files using the described method.  Of course, your mileage may vary.  
Thomas Zucker-ScharffSystems AnalystCommented:
Looks to me like your system restore points have infections.  You can NOT clean these since they are protected files (no matter what the software says).  The only way to clean them is to disable System Restore (this should delete them), then run a full scan to be sure.  

NOTE that disabling System restore deletes all your restore points.  Be sure you are able to shutdown and reboot before disabling System Restore.  See the article here about disabling System Restore and pay special attention to the other article referenced in the first paragraph.  (this article was written with XP in mind)
I would try using a freeware program to scan your client workstations, malwarebytes is a great program to use in these types of situations.  The program is free and can be found here:

Make sure you get all the updates before running a full system scan
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!


WebrootSpySweeperW/Antivirus very preventative based on SOPHOS, works with Symantec.

What I like about WebrootSpySweeperW/Antivirus is that it cleans Viruses/Malware and flags websites (intercepts the website's attempt to re-infect) in REAL-TIME.    Find it at;

WebrootSpySweeperW/Antivirus is the cheapest way to get the SOPHOS Antivirus Engine protection on your computer updated several times a day. ( )

There is current a $10.00 OFF coupon for WebrootSpySweeperW/Antivirus on the SIDE SCROLL at

Thomas Zucker-ScharffSystems AnalystCommented:
?  It sounds like you are answering your own question as another person??????

I am interested in your assessment as I have never been able to actually clean system restore points with any software.  I have not tried your method and will do so the next time I run into an infected SR (which wont be too long as this is pretty much what I've done for over 15yrs).
HPLDITAuthor Commented:
Yes, I guess I am coming back to answer my own question.  Guess I should have researched a little before posting the question.  I will not say that this method will work every time, but it worked for me.
Thomas Zucker-ScharffSystems AnalystCommented:
I'm glad you found an answer!  I'm glad this worked for you.  I will definitely try it.  

You should accept your own answer as the solution to close this question.
All Courses

From novice to tech pro — start learning today.