system restore & virus


Husky

Just a question in case it does happen. I have maybe 6-7 months of restore
points currently and perfectly happy with all of them.

But something I've been reading here. If you get a virus there seems to be some
sort of opinion to delete all previous restore points if the virus is found
inside a protected restore point folder.

Wouldn't it make more sense that when you find a virus, if there's any doubt to
whether it was cleaned or not, to restore the system one restore point prior to
the virus ?
 
XP does not keep restore points older than 90 days (and for good reason.)

Modem Ani
 
XP does not keep restore points older than 90 days (and for good reason.)

You'll have to take that up with M$. I have restore points all the way back to
6 November.

6 months back. Maybe it has more to do with available disc space, than dates.
 
By default, System Restore purges restore points older than 90 days.
Depending on how much your system has changed, it would be unwise to restore
a restore point as recent as one day. Could you be confusing System Restore
with backing up?

Modem Ani
 
Husky said:
Just a question in case it does happen. I have maybe 6-7 months of
restore points currently and perfectly happy with all of them.


You're mistaken. Restore points can not go back further than 90
days. Where are you seeing these 6-7 months of Restore Points?


But something I've been reading here. If you get a virus there seems
to be some sort of opinion to delete all previous restore points if
the virus is found inside a protected restore point folder.


No, whether you have a virus or not, there's no option to
selectively delete Restore Points. You can delete them all or you
can delete them all but the last one. Those are your only
choices.

Wouldn't it make more sense that when you find a virus, if there's
any doubt to whether it was cleaned or not, to restore the system one
restore point prior to the virus ?


As I said, that's not an option. Also realize that a virus inside
a restore point is completely harmless. It can do no harm unless
you restore that Restore Point.
 
On Wed, 6 Apr 2005 10:52:28 -0700, "Ken Blake"

start/accessories/system tools/system restore
welcome to system restore, would you like to
create a restore point, restore to a previous date. etc..
Maybe it doesn't do that with XP home.
 
help : The actual number of saved restore points depends on how much activity there has been on your computer, the size of your hard disk
help : (or the partition that contains your Windows XP Professional folder), and how much disk space has been allocated on your computer to
help : store System Restore information. See To change System Restore settings.
help :

When it says one to three weeks of restore points, that might mean up to 90
restore points not 90 days.
Actually I don't even see how you get 90 out of three weeks. That's 21 at best.
then again it could also be based on drive space as I said earlier. I allowed
it to use as much space as it wanted.

If you aren't installing new software every single day, there's little need for
the OS to create a restore point. Thus the 6 months back on my restore points.

Now back to the subject. Is there any reason to dump all the restore points if
you get a virus inside one of the protected folders ?

And why does my virus program work and others don't ?
 
As I said, that's not an option.

Of course it is. That's the reason it makes so many restore points. You can
pick any restore point listed, and restore the machine to that point. It can be
the 1st point ever made, or the one made last, or any one in between.
Also realize that a virus inside a restore point is completely harmless. It can do no harm unless
you restore that Restore Point.

I would guess if a virus program can find it inside a restore point, that the
program designed to use the virus can also find it to use it.

The opinion I've seen on this says dump all the restore points if you get a
virus in one of them. Makes no sense. If the scan shows a new virus and it's in
one of the restore point folders, restoring the system at that point, should
bring the virus out in the open where it can be deleted or cleaned, thus
retaining all previous restore points.
 
Husky said:
Of course it is. That's the reason it makes so many restore points.
You can pick any restore point listed, and restore the machine to
that point.


Yes, you're right of course. Sorry, I somehow managed to misread
that as thinking you wanted to selectively *delete* a Restore
Point, not restore one.

It can be the 1st point ever made, or the one made last,
or any one in between.


No, it can only be one of the restore points that still exist. If
you've been using the system for a while, it's highly unlikely
that the first Restore Point ever made still exists. Restore
Points are kept subject to two limitations:

1. The amount of disk space allocated to them. When that space is
used, older Restore Points are deleted to make room for newer
ones.

2. By default, there's a maximum of 90 days for keeping any
Restore Point. That default can be changed by modifying the
registry entry RPLifeInterval.

I would guess if a virus program can find it inside a restore point,
that the program designed to use the virus can also find it to use it.


The program designed to use the virus is the virus itself. If
it's inside a restore point it can't execute, and can't do any
harm unless, as I said, you restore that Restore Point.

The opinion I've seen on this says dump all the restore points if you
get a virus in one of them.


Not necessary, as I said, as long as you don't restore that
restore point.

Makes no sense. If the scan shows a new virus and it's in one of the
restore point folders, restoring the system at that point, should
bring the virus out in the open where it can be deleted or cleaned,
thus retaining all previous restore points.


No, you're mistaken. There's no need to restore the Restore Point
containing the Virus. Even if you subsequently clean it, you
accomplish nothing by doing this. If you have a Restore Point
which includes a virus, you can at any time restore to an earlier
Restore Point that doesn't include it. The only difficulty is
knowing which Restore Points are infected and which are not.
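
The two retention limits listed in the post above (allocated disk space and the 90-day default lifetime), as an added example that is not part of the original thread. It is a simplified model, not Windows' own logic: the `RestorePoint`, `purge` and `pre_infection` names are hypothetical and the sample data is constructed. It also shows whether any restore point older than a suspected infection date survives purging.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default lifetime stated in the thread; on XP the RPLifeInterval registry
# entry changes it. Simplified model only, not Windows' implementation.
DEFAULT_LIFE = timedelta(days=90)


@dataclass(frozen=True)
class RestorePoint:  # hypothetical record type for this example
    name: str
    created: datetime
    size_mb: int


def purge(points, now, quota_mb, life=DEFAULT_LIFE):
    """Apply the age limit, then the disk-space limit (oldest dropped first)."""
    ordered = sorted(points, key=lambda p: p.created)
    dropped = [(p.name, "age") for p in ordered if now - p.created > life]
    kept = [p for p in ordered if now - p.created <= life]
    while kept and sum(p.size_mb for p in kept) > quota_mb:
        dropped.append((kept.pop(0).name, "space"))
    return kept, dropped


def pre_infection(kept, infected_on):
    """Names of surviving restore points created before the infection date."""
    return [p.name for p in kept if p.created < infected_on]


# Constructed sample data: dates and sizes are illustrative only.
NOW = datetime(2005, 4, 6)
POINTS = [
    RestorePoint("RP1", datetime(2004, 11, 6), 300),
    RestorePoint("RP2", datetime(2005, 1, 20), 300),
    RestorePoint("RP3", datetime(2005, 3, 1), 400),
    RestorePoint("RP4", datetime(2005, 3, 20), 400),
    RestorePoint("RP5", datetime(2005, 4, 5), 400),
]

if __name__ == "__main__":
    kept, dropped = purge(POINTS, NOW, quota_mb=1000)
    print("kept:", [p.name for p in kept])
    print("dropped:", dropped)
    print("older than 25 Mar infection:", pre_infection(kept, datetime(2005, 3, 25)))
    print("older than 10 Mar infection:", pre_infection(kept, datetime(2005, 3, 10)))
```

With a 1000 MB allocation, the only surviving points in this sample are newer than a 10 March infection date, so no earlier point is left to restore to.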
 
_________In response to________
|
| And why does my virus program work and others don't ?
|

How the 'ell is anyone supposed to answer that?

What virus program do (did) you write?
 
Husky said:
Just a question in case it does happen. I have maybe 6-7 months of restore
points currently and perfectly happy with all of them.

But something I've been reading here. If you get a virus there seems to be some
sort of opinion to delete all previous restore points if the virus is found
inside a protected restore point folder.

Wouldn't it make more sense that when you find a virus, if there's any doubt to
whether it was cleaned or not, to restore the system one restore point prior to
the virus ?

Ken Blake has answered your ? about restore points and viruses so I won't go
there, but here is my 2 cents on system restore.

There is no reason to have more than a few checkpoints saved, if you are
having problems you would restore to the closest point like maybe
yesterday, keeping 90 days worth is pointless and it wastes hard drive space.

Another thing to remember and I see it all of the time in this newsgroup is
that on occasion the folder that keeps these checkpoints gets corrupted and
none of the restore points work, oh ya they are listed but a restore is a no go.
It is best when you are doing your regular system maintenance (and have no
problems) to shut off system restore and reboot then turn it back on and
create a new checkpoint, this will delete all restore points as well as any
corruption.
 
Hi Husky,

By default System Restore stores 90 days' worth of restore points.
Download the XPSystemRestoreLife.vbs script and run it. It will show
how many days it is set to (at the top of the dialog box) and allow it
to be changed.
System Restore Scripts
http://home.earthlink.net/~mvp_bert/html/body_srscripts.html

If in fact the virus is hiding in one of the restore point folders it
can be removed by purging all the restore points. This can be done by
disabling SR or by running Disk Cleanup.
How to Disable and Enable System Restore
http://home.earthlink.net/~mvp_bert/html/disablesr.html

Restoring to a point prior to the virus probably will not work. All
restore points are linked together and rely on each other. When a
restore point is used all the restore points newer than it are
required to perform the restore. So a date prior to the virus would
have to use the restore point containing the virus to perform the
restore. Two things could happen, the virus would be reactivated, or
the restore point would fail due to corruption of the restore point by
the virus.

Hope this helps explain it.
 
MAP said:
Ken Blake has answered your ? about restore points and viruses so I
won't go there, but here is my 2 cents on system restore.

There is no reason to have more than a few checkpoints saved, if you
are having problems you would restore to the closest point like maybe
yesterday, keeping 90 days worth is pointless and it wastes hard drive
space.


I completely agree. Limiting restore points to two weeks or so is
normally sufficient.

Another thing to remember and I see it all of the time in this
newsgroup is that on occasion the folder that keeps these checkpoints
gets corrupted and none of the restore points work,


Unfortunately this sometimes happens.

oh ya they are listed but a restore is a no go.
It is best when you are doing your regular system maintenance (and
have no problems) to shut off system restore and reboot then turn it
back on and create a new checkpoint, this will delete all restore
points as well as any corruption.


But I wouldn't do this unless there's a problem. Corruption does
happen occasionally, but not often.
 
It is best when you are doing your regular system maintenance (and
have no problems) to shut off system restore and reboot then turn it
back on and create a new checkpoint, this will delete all restore
points as well as any corruption.


But I wouldn't do this unless there's a problem. Corruption does
happen occasionally, but not often.

But Ken, how do you know there is a problem unless you try to use SR and it
doesn't work, but then it is too late.
 
The program designed to use the virus is the virus itself. If
it's inside a restore point it can't execute, and can't do any
harm unless, as I said, you restore that Restore Point.
I hate to tell you this, but viruses are much more sophisticated than you want to
believe. ie: One I cleaned weeks ago was nothing more than an HTML link to a web
site. The payload was at the website.
The worst offenders now don't do any damage or even let you know they're there.
You're thinking kiddie scripts that screw with your OS and annoy at a minimum.

It hasn't happened to me yet, but it has to others. Virus, Trojans I'm not
going to debate the semantics. Are now opening up your drive space as download
space for pirate software, and spam relays to divert the trail from the one
using those virus/backdoors. And who knows what's in their bag of tricks now.

Being dial up has its options. Not on long enough or with a fast enough
connection to make the backdoor worthwhile.
Not necessary, as I said, as long as you don't restore that
restore point.




No, you're mistaken. There's no need to restore the Restore Point
containing the Virus. Even if you subsequently clean it, you
accomplish nothing by doing this. If you have a Restore Point
which includes a virus, you can at any time restore to an earlier
Restore Point that doesn't include it. The only difficulty is
knowing which Restore Points are infected and which are not.

Again you miss my point. Restoring the point that includes the virus would
only be done for the purpose of cleaning of the virus. If you restore to a
prior point, that'd be a different issue altogether. I'm just talking about
points inside restore points.
Maybe I'm different, I scan at a minimum weekly. If I were to find one and have
it reported as included in a hidden restore point, the next step to me would be
to restore that point. It couldn't be much older than a week. And it would seem
that it might have actually been created by the virus to hide itself.

Then with it accessible I'd run the scan again and delete it. Preserving any
previous restore points and making sure any future restore points are clean.
But as long as that virus lives inside a point, restoring to any point prior to
it, would release it, and compromise the machine.

I've restored all the way back to square one at one time. All points after it
disappeared when I did that. Telling me that the points only update changed
stuff.
 
Another thing to remember and I see it all of the time in this newsgroup is
that on occasion the folder that keeps these checkpoints gets corrupted and
none of the restore points work, oh ya they are listed but a restore is a no go.
It is best when you are doing your regular system maintenance (and have no
problems) to shut off system restore and reboot then turn it back on and
create a new checkpoint, this will delete all restore points as well as any
corruption.

That's worth keeping in mind, but so far whenever I've had to restore, I've had
no trouble. Maybe luck, or maybe just learned to avoid the majority of
troubles.

Like this restore stuff. Lots of what I've heard in this thread is worth
keeping.
 
But I wouldn't do this unless there's a problem. Corruption does
happen occasionally, but not often.

But Ken, how do you know there is a problem unless you try to use SR and it
doesn't work, but then it is too late.

If you have as many points [system managed] as I do, you can do like I did when
I 1st started with XP and keep restoring all the way back to the 1st one until
you hit one that isn't corrupted.
Course once you've gone all the way back to the last restore point accessible,
you could have saved time by just reinstalling the OS.
 
Unfortunately you don't know when the corruption occurs, unless of
course a virus scan shows an infection within the System Volume
Information folder. One could also suspect restore point corruption on
a system found to contain malware/spyware. To test system restore,
create a restore point and immediately restore to it.
 
Restoring to a point prior to the virus probably will not work. All
restore points are linked together and rely on each other. When a
restore point is used all the restore points newer than it are
required to perform the restore. So a date prior to the virus would
have to use the restore point containing the virus to perform the
restore. Two things could happen, the virus would be reactivated, or
the restore point would fail due to corruption of the restore point by
the virus.

See a prior reply about this.
 
Bert Kinney said:
Hi Husky,

By default System Restore stores 90 days' worth of restore points.
Download the XPSystemRestoreLife.vbs script and run it. It will show
how many days it is set to (at the top of the dialog box) and allow it
to be changed.
System Restore Scripts
http://home.earthlink.net/~mvp_bert/html/body_srscripts.html

If in fact the virus is hiding in one of the restore point folders it
can be removed by purging all the restore points. This can be done by
disabling SR or by running Disk Cleanup.
How to Disable and Enable System Restore
http://home.earthlink.net/~mvp_bert/html/disablesr.html

Restoring to a point prior to the virus probably will not work. All
restore points are linked together and rely on each other. When a
restore point is used all the restore points newer than it are
required to perform the restore. So a date prior to the virus would
have to use the restore point containing the virus to perform the
restore. Two things could happen, the virus would be reactivated, or
the restore point would fail due to corruption of the restore point by
the virus.

Hope this helps explain it.


Hi Bert, I learned something new today :-)
I didn't know that the restore points were linked together with the newer
ones.
Thanks
 