Most users are probably familiar with Windows System Restore and have probably fallen back on it on many occasions. For those of you unfamiliar with this feature, System Restore is a Windows utility that periodically saves changes made to the system and allows users to roll back the system to a previous state in the event of PC instability or program failures. The best part of System Restore is that it does not touch user files, such as Word documents or pictures. It only rolls back things like changes made to the Registry, installed or uninstalled programs and Windows Updates.
However, when the system is infected, System Restore is affected too, because it captures infected system files along with everything else. Since System Restore monitors operating system files, installed programs and Windows Registry settings, changes an infection makes to those components are backed up into the restore point. Windows creates restore points automatically and does not check for any infection or malware present on your system when it does so. By design, System Restore does not let other programs touch the files stored in the restore folder: the System Volume Information folder is protected by NTFS permissions that grant access only to the SYSTEM account, so antivirus products such as Symantec's and Kaspersky's can detect infected files there but have trouble cleaning or deleting them. For example, on a system I recently repaired, a Kaspersky scan continued to report Trojans inside restore-point files whose paths begin with “C:\System Volume Information\_restore…”
While the internet can be a virtually endless wealth of information, it can also breed misinformation and half-cocked rumors. To that effect, many self-proclaimed technicians are under the impression that viruses in the System Restore folder will creep out of it and re-infect the system after an infection has been removed. The fact is, files in a restore point are dormant and more or less harmless: nothing on the system executes them where they sit, and the only visible effect is the scanner alerting on them at every scan. They do not become a problem until a user activates an infected restore point by restoring to it, at which point the infected system files and Registry entries are copied back into place.
So the fact remains that these files should be removed, but not until after the system has been repaired and confirmed repaired, so that System Restore can still be used for exactly what it was meant for. Technicians are human beings, and human beings make mistakes. That's where System Restore comes in. This means that a blanket statement that you should always delete restore points is a little excessive. Whether you should depends on the infection, when it occurred and whether the system files were clean at the time the restore points were made. Keep in mind that the usual way of clearing the folder, turning System Restore off and back on, discards every restore point, clean ones included, so create a fresh restore point from the cleaned system before you purge the old ones.
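Below is an added example, written for this article and not part of the original post, of the cleanup order the paragraph above argues for: inspect the protected folder, list the existing restore points with their creation times so they can be compared against when the infection occurred, create a known-clean restore point, and only then delete the older ones. It goes beyond the XP-era layout the article mentions: on Windows 7 and later, restore points are stored as VSS shadow copies, so they are listed and deleted with vssadmin. The drive letter, the registry override and the restore point description are assumptions; run it from an elevated Windows PowerShell 5.1 prompt, since Get-ComputerRestorePoint and Checkpoint-Computer are not available in PowerShell 7.

```powershell
# Added example, not the article's own procedure. Assumes Windows 7 or later
# (restore points kept in VSS shadow copies on C:) and an elevated
# Windows PowerShell 5.1 session. Run only AFTER the system is confirmed clean.

# 1. Show why on-demand scanners struggle here: only SYSTEM has access to
#    the folder, so a scanner running as an admin user can see the files
#    but cannot clean them in place.
icacls 'C:\System Volume Information'

# 2. List the restore points with creation time, description and type so
#    each one can be judged against the date the infection appeared.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 3. Make sure System Protection is on for the drive; Checkpoint-Computer
#    fails if it is disabled.
Enable-ComputerRestore -Drive 'C:\'

# 4. Windows 8 and later silently skip Checkpoint-Computer when a restore
#    point was already created in the last 24 hours. Setting the creation
#    frequency to 0 lifts that limit so the clean point is actually written.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
New-ItemProperty -Path $srKey -Name 'SystemRestorePointCreationFrequency' `
    -PropertyType DWord -Value 0 -Force | Out-Null

# 5. Create the known-clean restore point now that the repair is confirmed.
Checkpoint-Computer -Description 'Post-cleanup, scan clean' `
    -RestorePointType 'MODIFY_SETTINGS'

# 6. Delete every shadow copy older than the one just created. /oldest
#    removes one copy per call, so loop until only the newest remains or
#    until a call stops making progress (for example, a permissions error).
#    Note: vssadmin lists all shadow copies on the volume, not only the
#    ones created by System Restore.
function Get-ShadowCount {
    (vssadmin list shadows /for=C: | Select-String 'Shadow Copy ID').Count
}
do {
    $before = Get-ShadowCount
    if ($before -gt 1) {
        vssadmin delete shadows /for=C: /oldest /quiet | Out-Null
    }
    $after = Get-ShadowCount
} while ($after -gt 1 -and $after -lt $before)

# Fallback that discards EVERYTHING, clean points included, and mirrors the
# XP-era advice of turning System Restore off and on again. Use it only if
# you do not want to keep the restore point created in step 5.
# Disable-ComputerRestore -Drive 'C:\'
# Enable-ComputerRestore  -Drive 'C:\'
```

After the loop, run Get-ComputerRestorePoint again and confirm that only the post-cleanup point remains; a follow-up scan of C:\System Volume Information should then come back clean, because the infected restore-point data has been discarded rather than disinfected.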
All of this reaffirms my emphasis on a reliable backup routine. Many enterprise environments don't even bother with removing infections; they just restore the user's machine to the most recent clean backup or image. This is also where Roaming Profiles (and the related Folder Redirection feature) come into play. But that's all for another article...