System Volume Information scanning

Norton, from what I remember, had always excluded scanning the \Systerm_Volume_Information\ directory for some reason. Norton '07 does the same as well. In the past using other AV's some would find some nasties in the \SVI folder, usually files like A#####.exe.

In your opinion, is scanning of the \SVI directory necessary?

 

Most virusses i found with several av's such as avira and dr web were located in system volume information restore.

 

i aint sure about 2007, but when i had my norton 2005 licence, these could easily be added or removed in the excludes in the settings.

you can scan system volume restores with norton midway.

 

I just removed \S_V_I from the exclusions list. I guess I was just wondering why Norton doesn't see it as a necessity to be scanned. I have not seen this in other AV's.

Thanks for the input

 

are you sure it wasnt excluded in the 'real-time' settings only?

i dont usually exclude anything on any AV's, but still nice to have that feature.

 

There are two options:

1. Which disk, folders, or files to exclude from risk scanning

2. Which disk, folders, or files to exclude from Auto-Protect scanning

By default \S_V_I was included in both.

 

i personally would keep it excluded in the auto protect midway.

 

I do exclude my backup drive (it is mainly for what used to be called My Documents in XP, now it is called [User] ) plus some of my gaming directories like Activision and Id Software.

 

I can see why because this may slow the computer down come to think of it. I will try it a while like it is and see if any adverse effects are noticed.

 

It should always be excluded from both real time and on demand scans. The reason being that if your AV finds an infected file in System Restore and attempts to clean it and cannot and deletes instead that action instantly renders all restore points before and including that one null and void.

It is more prudent to simply disable and then re-enable System Restore if you suspect viruses are in there. This action will wipe all restore points off your computer and you will start fresh.

Another important reason for excluding System Restore from AV routine scanning is that it is possible to restore a infected restore point if you have a desperate situation and you think your restore points may be infected but you really need to use one. You can turn off your AV temporarily and then do the restore point and immediately after restore is successful you can run your AV and let it take care of the virus.

I will never let my AV scan System Restore. I used to allow it and one day I had a terrible problem and desperately needed System Restore. I found all the restore points that could have helped me were ruined (almost 3 months of points and I tried every one of them) because I had let my AV scan System Restore. It had found eicar.zip (which I had not deleted from my downloaded programs folder) and deleted it or quarantined it and that simple action ruined that restore point and all preceding it. It could have been another file that the AV thought was a virus but wasn't and it deleted it or quarantined it from System Restore.

Avira which I use now is one of the worst for finding viruses (extended threats category) that are FP's and Avira won't fix many of them because whether they are "threats" or not is up to the individual. So, I have to exclude them and then if the new definitions one day find a program I have that is NOT excluded and the new definitions say it is a virus then if Avira is set to scan System Restore it will try to clean that "virus" and fail and delete it or quarantine it and that will render that restore point and all before it null and void. So, I can't afford to let my AV scan System Restore.

 

That makes sense as well. Maybe this is why Norton has it set like that. Thanks for the input

 

Today Avira's updates resulted in it almost immediately finding a new "virus" on my computer. It told me that System Information Works by Gabriel Topala is a trojan. I'm sure that is a FP as it wasn't detecting that until right after the updates today. Plus, I submitted the file to Jotti and no scanner found anything including Avira (I assume Jotti's Avira doesn't yet have the new definitions). What if Avira had updated during the night (that how I had it set until recently) and I didn't have System restore excluded? The realtime scanner might have accessed System restore and found that, deleted or quarantined it and messed up the restore points.

 

Avira doesn't delete/quarantine stuff from system volume restore since those files are protected by the OS.