System Restore - Know how

Version 2

    What is system restore?

    System Restore was first introduced in Windows ME. It lets the operating system take snapshots (restore points) of critical Windows system files and registry settings before changes are made to them, so that the machine can later be rolled back to a known earlier state.

     

    For example: if a driver is being updated, Windows saves a copy of the old files before installing the new ones. If something goes wrong after the installation, the system can be booted into Safe Mode and a System Restore performed to revert to the restore point taken before the driver installation. Note that System Restore covers system files, registry settings and installed programs, not personal data files such as documents.

     

    How often are System restore points created?

    Restore points are created automatically once a day, and just before significant system events such as the installation of a program or a device driver. You can also create a restore point manually.

     

    How can a virus affect System Restore?

    Because System Restore uses fairly simple file-monitoring methods to maintain its copies of files, it can end up archiving malware-infected files inside a restore point. This lets the malware remain resident on disk even after the live copy has been cleaned. The System Restore folders are protected by the operating system, and anti-virus products cannot remove malware infections from these folders. The archived malware can then re-infect the system, for example when a user restores to that point.

    What do you do in case your anti-virus program detects a malware infection?

    1.      First, ensure that McAfee anti-virus is updated to the latest DAT and Engine versions.

    2.      Run a full scan on the machine (do not exclude any files or folders). Clean or delete all infections found by the anti-virus scanner.

    3.      Next, confirm that nothing remains by running a second scan. If infections are still reported, disable System Restore using the steps in the following document: http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm

    Disabling System Restore causes Windows to delete all existing restore points, including any infected files locked by the operating system inside the System Restore folder. Reboot the machine and re-run the scan.

     

    You may also see malware notifications on a folder named _restore (located under System Volume Information); this folder is part of the System Restore process and anti-virus scanners cannot make modifications to it. In this case, disable System Restore to clean the malware.

    4.      Once you have determined that the system is clean, re-enable System Restore and create a manual restore point so that you have a known-clean point to go back to in case of any further problems.
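    The following script is an added example and is not part of the original article or of any McAfee tool. It drives the disable / rescan / re-enable / manual-restore-point procedure above from an elevated PowerShell prompt, and also lists the existing restore points so you can see the daily and pre-install points described earlier. It assumes Windows 7 or later, where the Get-ComputerRestorePoint, Disable-ComputerRestore, Enable-ComputerRestore and Checkpoint-Computer cmdlets exist; on Windows XP/ME use the GUI steps from the linked document instead. The scan step is a placeholder, because the on-demand scanner's command line is not given on this page.

```powershell
# Added example (not the article's own procedure text or McAfee code).
# Assumes: Windows 7 or later, elevated PowerShell prompt, System Restore
# enabled on the system drive. The scan step is a placeholder.

# System Restore is controlled per volume; the system drive is the one
# that holds the restore points (System Volume Information\_restore... on XP).
$drive = "$env:SystemDrive\"   # e.g. "C:\"

# The cmdlets below need administrator rights; fail early if we lack them.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Administrator) PowerShell prompt."
}

function Show-RestorePoints {
    # Each restore point is a place where an infected file can survive a
    # clean-up of the live copy, which is why the article has you purge them.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
}

Write-Host "Restore points before cleanup:"
Show-RestorePoints

# Step 3: turn System Restore off for the volume. Windows deletes every
# existing restore point when protection is disabled, which is what frees
# the OS-locked files inside the System Restore folder.
Disable-ComputerRestore -Drive $drive
Write-Host "System Restore disabled on $drive; all restore points removed."

# Reboot and re-run the full scan here. The scanner invocation is
# site-specific (hypothetical placeholder, not a McAfee command line).
Write-Host "Reboot, then run a full on-demand scan with no exclusions before continuing."

# Step 4: once the scan is clean, turn protection back on and create a
# manual restore point so there is a known-clean state to return to.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Clean baseline after malware removal" `
                    -RestorePointType MODIFY_SETTINGS

Write-Host "Restore points after cleanup (expect only the new baseline):"
Show-RestorePoints
```

    Two caveats: on Windows 8 and later, Checkpoint-Computer silently refuses to create a second restore point within 24 hours of the previous one unless the DWORD SystemRestorePointCreationFrequency under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0; and because disabling protection wipes every restore point, run the disable step only after the first full scan has finished, otherwise you lose the ability to roll back if the clean-up itself breaks something.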