System Restore


GT500

What if an option is added to empty the system restore after the scan? It could even prompt the user when the scan is done asking if they wanted to empty the system restore. Obviously such a thing would require translation for all of the languages that MBAM supports, but the feature doesn't have to be added right away. We could wait on translators to translate the necessary strings, and then add the feature.


  • Root Admin

Well, I'm not opposed to adding the feature under the More Tools tab. However, having it do this after a scan and clean would not be acceptable to the overall community, as many are very afraid that something might happen to the system before a cleanup is finished, and if the restore point is gone or it failed to restart and create a new one, then all the old ones would be gone and they would not have a way to recover back in case they made some big mistake. Since the helper has no physical access to the system, taking extra cautions is prudent for that rare case where it might be needed.

As we all know, there are often systems that require many scans or other tools to finish the cleanup process regardless of whose tool is used, so a SR cleanup after an MB scan would not be advisable.


Though many AV/AS/AM applications will detect infected System Restore Points (SRP), they cannot clean a SRP.

Quoting MS:

Although some antivirus programs may have the ability to work with files that have been compressed or stored in .zip or .cab file format, the System Restore feature does not permit these utilities to manipulate these files within the data store. The data store is protected for data integrity purposes, and the System Restore feature is the only method you can use to obtain access to the data store. Because of this, the antivirus program is unable to remove the virus from the file or files in the data store. The files in the data store are inactive and can be used only by the System Restore feature.
The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.

The System Restore feature is not designed to detect or scan for virus infections or virus activity. Most computer virus infections seek or attack files with extensions such as .exe or .com. These are file types that the System Restore feature is designed to monitor.

This all goes back to the days of Windows ME, when SRP was first introduced.


MBAM does what it does well. If someone wants to remove System Restore points, they can do so if they have the knowledge to find where that is done. If they don't, then that is all the more reason it shouldn't be done by a malware removal tool.

I know I've mentioned this before, but I've seen infections in the past that would keep returning until the System Restore was emptied. Obviously that meant that there was something else there that was causing the infection to be restored, but a simple empty of the System Restore solved the issue.

Maybe it isn't wise to automatically empty the System Restore during a malware removal, but it also isn't wise to keep it intact, and restoring from an infected restore point just restores some of the malware that was removed. If there is system damage after a malware removal, then a repair install of Windows is always the best solution. I'll admit though that it's hard for the average user to do such a thing, but there is also no better way to replace the system files.


The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.
Unless a System Restore is done from an infected Restore Point, there is no way the infection can be restored from that location.

Respawning malware is almost always caused by a load point that was not removed during disinfection. That is why you should never rely solely on HJT for malware removal.


I know I've mentioned this before, but I've seen infections in the past that would keep returning until the System Restore was emptied. Obviously that meant that there was something else there that was causing the infection to be restored, but a simple empty of the System Restore solved the issue.

Maybe it isn't wise to automatically empty the System Restore during a malware removal, but it also isn't wise to keep it intact, and restoring from an infected restore point just restores some of the malware that was removed. If there is system damage after a malware removal, then a repair install of Windows is always the best solution. I'll admit though that it's hard for the average user to do such a thing, but there is also no better way to replace the system files.

No one said it was wise to leave them intact. The point is they are not removed before the system is clean and should not be removed by the antimalware program. The only way there is going to be re-infection is if that infected restore point is used. There had to be another factor that was overlooked if the restore point wasn't used.

Re-infection is not uncommon with users who engage in risky behavior all the time or who do not have proper preventative measures or both of these circumstances exist. This is why during a HJT log analysis and system clean up we do education to prevent in the closing remarks. A good share of this stuff we see can be prevented, if the proper layers of protection are installed, the system is kept updated and risky behavior is changed.


Ahhh, so a full scan will clean them as opposed to removing them - good point.

I am also assuming, then, that if no Malware is found then the SRPs are *not* removed, right?

MBAM does not remove SRPs and IMO it should never. I am fairly sure a full scan will clean, not positive though. I'll find out; since this has come up it would be good to know. I can't think of any removal program, that is not a specialized tool, that does remove the restore points. ComboFix does create a new restore point. But it should never be used without supervision.


  • Root Admin

I agree with Jean. Don't really need it built-in to MB (not like it's rocket science to do manually)

Also agree that something was either missed in a parent process, or the user simply downloaded and re-infected their system right away, though not sure how or where they're visiting, as I visit a lot of sites for testing and at times it takes a long time with an unprotected system to get infected on purpose.


The only way there is going to be re-infection is if that infected restore point is used. There had to be another factor that was overlooked if the restore point wasn't used.

I don't see how any other causes would have been affected by emptying the system restore. The instances where I've seen this were on computers where I had been physically working on them, and after a reboot one or more of the viruses that were removed had been restored. When I discovered the infections were still there, I disabled the system restore, re-ran the virus scans, and deleted the viruses again. They did not return after that.


There is absolutely no way an external program can manipulate files within the data store. The only way for an infection to come back from a Restore Point is by doing a System Restore using the infected Restore Point.

If a System Restore is being done, it will be obvious to the user.

If an infection is respawning, it is because the user:

A) Failed to follow instructions.

B) A load point was not removed.

C) Unpatched Operating System

D) Old versions of Flash and/or Java in use.

E) The user is doing a System Restore, related to A.

F) The user is surfing and downloading, during the disinfection process.

Any one, or a combination of the above.


  • Root Admin
There is absolutely no way an external program, can manipulate files within the data store. The only way for an infection to come back from a Restore Point is by doing a System Restore using the infected Restore Point.

If a System Restore is being done, it will be obvious to the user.

If an infection is respawning, it is because the user:

A) Failed to follow instructions.

B) A load point was not removed.

C) Unpatched Operating System

D) Old versions of Flash and/or Java in use.

E) The user is doing a System Restore, related to A.

F) The user is surfing and downloading, during the disinfection process.

Any one, or a combination of the above.

Agreed. Unless someone spent the time to reverse engineer the process of SR (very unlikely) and was able to also decrypt it then I don't see how it could be used live to bring Malware back to life without invoking the SR process.

If anyone has fully documented, verifiable, and an easily duplicated process to prove otherwise, then I don't think it is possible for Malware to automatically restore itself and it has to be from one or more of the above mentioned processes if the user either is re-infected or continues to be infected.

The MAIN reason for having a user delete previous Restore Points is so that later on they don't use it for some type of recovery and then re-infect themselves with Malware, having forgotten that it was there.


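The approach the thread converges on (keep a fresh, clean restore point so the user still has a fallback, but get rid of the older points so a later System Restore cannot bring removed malware back) can be scripted. This is an added example, not code from the thread, Malwarebytes or Microsoft; it assumes Windows Vista or later, where restore points are VSS shadow copies, and an elevated Windows PowerShell session.

```powershell
# Added example (not from the thread): create a post-cleanup baseline restore
# point, then delete the older shadow copies that hold the pre-cleanup points.
# Assumptions: Windows Vista or later, elevated Windows PowerShell 5.x.
# Run with -DryRun first; deleting shadow copies is not reversible.
[CmdletBinding()]
param(
    [switch]$DryRun
)

# Record what exists before touching anything, for the cleanup notes.
Write-Host "Restore points before cleanup:"
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description -AutoSize

# Create the "known clean" point. Caveat: on Windows 8 and later,
# Checkpoint-Computer creates at most one point per 24 h unless the
# SystemRestorePointCreationFrequency registry value is set to 0.
if (-not $DryRun) {
    Checkpoint-Computer -Description "Post-cleanup baseline" `
                        -RestorePointType "MODIFY_SETTINGS"
}

# Restore points are stored in shadow copies. Sort them by creation time and
# keep only the newest (the baseline just created); everything older is the
# pre-cleanup state the user should no longer be able to roll back to.
$copies = Get-WmiObject -Class Win32_ShadowCopy |
    Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) }

if ($copies.Count -le 1) {
    Write-Host "Nothing older than the baseline to remove."
    return
}

$stale = $copies | Select-Object -First ($copies.Count - 1)
foreach ($sc in $stale) {
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($sc.InstallDate)
    if ($DryRun) {
        Write-Host "Would delete shadow copy $($sc.ID) created $when"
    } else {
        Write-Host "Deleting shadow copy $($sc.ID) created $when"
        $sc.Delete()
    }
}

Write-Host "Restore points after cleanup:"
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Shadow copies are per-volume, so on a machine with several protected volumes the script removes older copies on all of them; narrow the `Get-WmiObject` result by `VolumeName` if only the system drive should be touched.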

If an infection is respawning, it is because the user:

A) Failed to follow instructions.

B) A load point was not removed.

C) Unpatched Operating System

D) Old versions of Flash and/or Java in use.

E) The user is doing a System Restore, related to A.

F) The user is surfing and downloading, during the disinfection process.

Any one, or a combination of the above.

Not possible. In most cases that I remember, the user had not touched the computer. No other cause was possible. It happened while I still had the computer, and while I was still working on it. Emptying the System Restore solved the issue.

Edit: These infections were all encountered 3-4 years ago, so none of them are still in the wild. It's possible that whatever flaw they used back then has long since been fixed.


Once again.

The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.
Nothing other than System Restore can manipulate the files in the _Restore folder. They are protected and only can be accessed by System Restore.

If Malware is executing a System Restore, it will be painfully obvious.

When load points are not removed, it is because something prevented the removal. In other words, an active Malware process prevented the removal of the load point, or some protection application prevented its removal. In either case the Malware respawns at reboot. There have been times that I have instructed the user to just unplug the computer instead of shutting down cleanly. It is rare that I do this, but it breaks the load point and the Malware doesn't respawn.


Once again.

Nothing other than System Restore can manipulate the files in the _Restore folder. They are protected and only can be accessed by System Restore.

You really believe that something designed by Microsoft cannot be exploited?

When load points are not removed, it is because something prevented the removal. In other words, an active Malware process prevented the removal of the load point, or some protection application prevented its removal. In either case the Malware respawns at reboot. There have been times that I have instructed the user to just unplug the computer instead of shutting down cleanly. It is rare that I do this, but it breaks the load point and the Malware doesn't respawn.

So if the load point was not removed the first time I ran the virus scan in Safe Mode, and it restored when I rebooted, why did it not do it after I purged the System Restore and re-ran the virus scan with the same AV and the same database version? If the System Restore cannot be exploited, then why did purging it solve the issue? Once again, remember that I was not walking a user through removal, I was doing it on my own without the user being present.


The only known weakness in System Restore was with the permissions of the subfolders in the 'System Volume Information' directory. The weakness would allow an unprivileged user, who had sufficient knowledge, to view the contents of the subfolders.

This had to be done locally, and was fixed in Windows XP SP1.

If you kept seeing infections 'respawning' after reboots, and they only disappeared after clearing the restore points, then the Restore Point itself was infected. There is absolutely no Anti-Virus, Anti-Malware, Anti-Spyware application that can clean an infected restore point.

The data store is explicitly protected and the files in the data store can only be manipulated by System Restore.


There is absolutely no Anti-Virus, Anti-Malware, Anti-Spyware application that can clean an infected restore point.

Doesn't every tech know that?

The data store is explicitly protected ...

So are Windows system files.


  • Root Admin

While it may be theoretically possible, performing an SR is not silent when using normal Windows API/WMI calls to do it. I suppose it might be possible to code and write your own silent method if one was advanced enough in programming, but then that would be similar to the previously undetected Win32.Ntldrbot (aka Rustock.C), in that so far I know of no published data on anyone doing so (if you or anyone else does and can share a URL to the information, that would be appreciated). It would be a lot of programming work, and I just don't see the advantage of using that method when they can already create and hide processes from the native Windows API code.

As with any similar claims, one needs to provide verifiable evidence to prove that SR is being silently manipulated by Malware, otherwise it is just hearsay, that the current understanding of how the SR process works does not allow.


  • Root Admin

Is it possible to update the actual installer file so that when the properties are viewed it will show the current version? I have many versions of the setup file, but all of them say 1.0.

It would make testing and updating much easier and faster if I can easily look at the installer version number and know that it was the same version that it would install.
