Antivirus Tools Cannot Clean Infected Files in the _Restore Folder

When you run an antivirus program, you may receive a report that indicates that one or more files in the _Restore\Temp or the _Restore\Archive folders contain a virus or are infected with a virus. Also, your antivirus program may indicate an inability to remove the virus from the file or files.

This behavior occurs because the System Restore feature in Windows Millennium Edition (Me) protects all folders and files in the _Restore folder on the Windows Me system partition. This folder and all of its subfolders are the data store that the System Restore feature uses to restore your computer's operating system to a previous state from a previous point in time.

Although some antivirus programs may have the ability to work with files that have been compressed or stored in .zip or .cab file format, the System Restore feature does not permit these utilities to manipulate these files within the data store. The data store is protected for data integrity purposes, and the System Restore feature is the only method you can use to obtain access to the data store. Because of this, the antivirus program is unable to remove the virus from the file or files in the data store. The files in the data store are inactive and can be used only by the System Restore feature.

To work around this behavior, use the appropriate method.

Use the First In First Out (FIFO) Feature

The FIFO routine purges the oldest restore points so that newer, more current restore points can be added to the data store. FIFO starts automatically when the files in the data store reach 90 percent of the maximum size of the data store. System Restore purges the oldest files first until the files in the data store occupy no more than 50 percent of the maximum size of the data store.

For example, if the maximum size of the data store is 400 megabytes (MB), 90 percent of this is 360 MB and 50 percent is 200 MB. If the data store is 200 MB when you view the properties of the _Restore folder, it is 50 percent of the maximum size. If you adjust the size of the data store to the minimum size of 200 MB, FIFO occurs when you click Apply.

NOTE: If the data store is less than 90 percent (180 MB) of the minimum (200 MB) value, adjusting the size does not have any effect in purging restore points. In this scenario, you must carefully consider the use of the methods that are described in this article.

Over a period of time, the data store purges restore points on a FIFO basis as the maximum size of the data store is reached. There are a few scenarios in which FIFO can be used to purge older restore points to retain more recent restore points on the computer.

FIFO Method 1

No action is required if the system has been cleaned and only the data store is reported by the antivirus tool to have suspicious files. Until all infected files are processed out on a FIFO basis, the antivirus tool may still report that there are infected files that it cannot obtain access to within the data store.

FIFO Method 2

You can trigger the FIFO feature to remove older restore points from the data store by resizing the data store. To use the System Restore feature to adjust the size of the data store:

1. View the properties of the _Restore folder to determine how much data is actually in the data store. You do this to determine if this step will have any effect on the data store. If the data store uses less than 90 percent (less than 180 MB) of the minimum value (200 MB), this method may have no effect on purging the restore points. If less than 90 percent of the data store is used, even at the minimum settings you should consider using FIFO method 1 or using the "Manually Purge the Data Store" method that is listed later in this article.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click System, and then click the Performance tab.
4. Click File System.
5. Adjust the System Restore disk space use slider to the approximate lower amount, and then click Apply.
   
   Note that you can use the System Restore disk space use slider to select the minimum amount of space to allocate for the data store, the maximum amount, or a size in between. Adjusting the slider to a lower value changes the the values that trigger FIFO. You may need to restart your computer for any changes to take effect.
6. Click OK, and then click OK to close System properties.
7. Use the antivirus tool to scan the computer to verify that the virus-infected files have been purged from the data store. If there are still infected files in the data store, repeat the previous steps and lower the data store size until the data store is clear of infected files.
   
   Note that you can also use the calendar page in the System Restore tool to view how far back the restore points were purged.
8. After the infected files have been cleared from the data store by using this method, return the slider to the original or appropriate size, click OK to close any open windows, and then restart your computer.

If there still is an infected file in the data store after you resize the data store to the minimum size, you can either wait for it to be processed out on a FIFO basis (FIFO method 1), or you may want to consider using the "Manually Purge the Data Store" method that is described later in this article to remove all restore points on your computer.

Manually Purge the Data Store

To completely and immediately remove the infected file or files in the data store, disable and re-enable the System Restore feature.

WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, and then click the Performance tab.
3. Click File System, and then click the Troubleshooting tab.
4. Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.
5. Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.

This behavior is by design.

The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.

The System Restore feature is not designed to detect or scan for virus infections or virus activity. Most computer virus infections seek or attack files with extensions such as .exe or .com. These are file types that the System Restore feature is designed to monitor.

NOTE: If you restore your computer to a previous state when you did not have an installed antivirus tool, you must install an antivirus tool and clean any files that were restored and are infected.