Removing Viruses with System Restore


Removing Viruses with System Restore?

This topic comes up once in a while, especially since a lot of computer manufacturers will try System Restore as part of their tech support for *any* problem that you may contact them with. And in most cases, System Restore is one of the best options to use, if not the best. However, in the case of virus removal, System Restore is a false hope.

The Myth

The myth is that with System Restore, “a rolling safety net is always kept under the user, enabling the user to recover from recent undesirable changes” (Microsoft, 2001). This was the basis that Microsoft and other companies used when the feature was first introduced. One of the changes listed is the infection of the system by viruses or other malware.

The Reality

In reality, System Restore can create copies of the infected files. And some viruses may be capable of infecting the restore volume as well as the actual system files. When a person cleans their computer using an anti-virus, then uses System Restore, they may inadvertently re-infect the computer. Or if they use System Restore as a means of removal, either the restore will fail (if the anti-virus cleans the virus out during the restore process) or the restore will replace the file with an infected version.

What to Do

Most sites that deal with virus or malware removal will tell you that the first step is to shut down System Restore completely. This deletes all restore points that have been saved up to this point. Then, they have you go through the removal process for the specific virus/malware that you’re infected with. This could include running a scanner, a cleaning tool, or manually removing the virus. Finally, they will have you re-enable System Restore.
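The sequence above as a script, added here as an example and not taken from the sites the article refers to. It assumes an elevated Windows PowerShell 5.1 session and Microsoft Defender as the scanner (the article names none), and it holds off re-enabling System Restore until the scan reports no active threats.

```powershell
#Requires -RunAsAdministrator
# Added example: disable System Restore, clean, then re-enable.
# Assumptions: Windows PowerShell 5.1 (the *-ComputerRestore cmdlets are not
# in PowerShell 7) and Microsoft Defender as the removal tool.

$drive = "$env:SystemDrive\"

# Record the restore points that exist before changing anything.
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
Write-Host "Restore points before: $($before.Count)"

# Step 1: shut down System Restore on the system drive.
Disable-ComputerRestore -Drive $drive

# Confirm the old restore points are gone rather than assuming it.
$after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
Write-Host "Restore points after disabling: $($after.Count)"
if ($after.Count -gt 0) {
    Write-Warning 'Old restore points still exist and may hold infected copies.'
}

# Step 2: removal. Refresh signatures, then run a full scan.
Update-MpSignature
Start-MpScan -ScanType FullScan

# Threats Defender still considers active after the scan.
$active = @(Get-MpThreat | Where-Object { $_.IsActive })

if ($active.Count -gt 0) {
    # Re-enabling now would snapshot a system that is still infected.
    $active | Select-Object ThreatName, SeverityID | Format-Table -AutoSize
    Write-Warning 'Active threats remain. System Restore left disabled.'
    exit 1
}

# Step 3: re-enable System Restore and take a fresh baseline.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Baseline after malware removal' `
    -RestorePointType MODIFY_SETTINGS
Write-Host 'System Restore re-enabled and a new restore point requested.'
```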

Final Thoughts

System Restore is a good safety net, and Microsoft was smart in implementing this feature. However, for virus removal, there are much better options to use. And because of the nature of System Restore, it is not an effective option for virus removal. Its nature is to copy files without making sure they are clean, and it does not allow anti-virus programs to clean them inside of the restore volume. You’re much better off having an effective anti-virus solution installed and disabling System Restore during the virus removal process.

References

https://msdn.microsoft.com/en-us/library/ms997627.aspx Quote about System Restore

https://antivirus.about.com/od/windowsbasics/a/systemrestore.htm Recommendation for disabling System Restore during virus removal.