How antivirus software and System Restore work together

This step-by-step article describes how System Restore in Microsoft Windows XP interacts with your virus scanning software. This article also describes how to remove infected files that you cannot clean from the System Restore data archive. As a result, you can continue to restore your computer to uncompromised restore points. This article also describes how you can revert to a previous infected restore point. This procedure is useful if you must restore an infected file.

How antivirus software and System Restore work together

With System Restore in Windows XP, you can restore your computer to a previous state, and you do not lose personal data files (such as Word documents, graphic files, and e-mail). System Restore actively monitors computer file changes and some program file changes to record or store earlier versions before the changes occurred. You do not have to take computer snapshots because System Restore automatically creates identifiable restore points that you can use to revert to a previous time. Restore points are created when significant computer events occur (such as the installation of a program or a driver) and periodically (each day).

To help protect critical computer and program files, System Restore monitors, records, and in some cases copies these files before they are modified. For example, when a procedure or a program (such as an upgrade, an inadvertent user change, a driver installation, or a virus) modifies a critical computer file or program file, System Restore records and saves a copy of the file before the change occurs. If a problem occurs, a restore operation can replace files with previously saved versions of those files. Antivirus programs use auto-detection or scanning mechanisms to monitor critical and personal files on the computer for signs of infection. The antivirus program then takes action to clean, remove, or quarantine (isolate) files that known viruses have infected. System Restore also tracks an antivirus program when it modifies (cleans), moves, or deletes a monitored, critical, computer or program file.

During a restoration, an active antivirus program scans for infected files. If the antivirus program detects any infected files, the antivirus program tries to modify, move, or delete the infected files. If the antivirus program successfully cleans the infected files, System Restore restores the cleaned files. However, if the antivirus software cannot clean a file, the antivirus software deletes or quarantines the file. As a result, the restoration does not work because these actions to the file cause an inconsistent restoration state. As a result, System Restore reverts to the state immediately before the restoration.

Signature files for antivirus programs are updated as viruses become known. As a result, a restoration that did not work several days ago might succeed after the antivirus program is updated. However, if you undo and retry a restoration to a point that succeeded before, the restoration may not work if a new signature or definition detects a virus that the antivirus program cannot clean on a backed-up file.

Remove infected files that you cannot clean in the System Restore data archive

If you suspect that previous restore points contain copies of infected monitored files that your antivirus program was not able to clean, you can remove these files and all the related restore points from the System Restore archive. To do so, turn off System Restore, and then turn it on again.

Notes

• When you turn off System Restore, you remove all the restore points. When you turn on System Restore again, new restore points are created as the schedule and events require.
• Verify that all the signature or the definition files are current. Make sure that your antivirus program is configured to exclude the System Volume Information (SVI) folder (a hidden computer folder that is located in the computer root, or %SYSTEMDRIVE%).

To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:

1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance, and then double-click System.
3. Click the System Restore tab, and then click to select the Turn off System Restore for all drives check box.
4. Click OK, and then click Yes to initiate the restore point deletion.

To turn on System Restore again after the restore point deletion has completed, repeat these steps, but click to clear the Turn off System Restore for all drives check box.

Restore a computer to a previously infected restore point

To restore a computer to a previously infected restore point, disable the associated antivirus program, and after the restoration is complete, re-enable the antivirus program to detect and to take action on the restored state to remove any infected files.

Notes

• Microsoft does not recommend that you turn off antivirus protection under most conditions. Turn off antivirus protection only temporarily to restore a computer.
• Before you disable an antivirus program, disconnect the computer from any network to help prevent the infection of other computers.

To restore a computer to a previously infected restore point, follow these steps:

1. Disconnect the computer from any network to help prevent the infection of other computers.
2. Disable your antivirus program. Typically, to do this, right-click the antivirus icon in the Notification Area, and then click Exit or Disable. For more information about how to disable your antivirus program, see your product documentation.
3. Use System Restore to restore to the appropriate restore point.
4. After the restoration has completed and the Success screen appears, re-enable your antivirus program.
5. Make sure that the antivirus program scans all the files that System Restore modified. To do so, run a manual scan of all the drives that System Restore monitors.

For more information about how to create and name your own restore points, see the System Restore document on the following TechNet Web page: For additional information about how your antivirus software interacts with System Restore in Microsoft Windows Millennium Edition, click the following article number to view the article in the Microsoft Knowledge Base: