Tagging GoBack files as trojans

FYI, just did a scan today and ESS tagged my GoBack restore points as trojans.

 

M o r e - d e t a i l s - please . . .

 

During and in depth scan it tagged about 6 GoBack files as below...

In fact I was only given a choice of removing or ignoring the files - not quarantining them. I had ESS remove them, and after that there were no back-up points remaining in GoBack. Not a huge deal for me, as I rarely use it. I guess I should have told it to ignore the files.

Also, the scan was running while I was out and when I came back the "warning" window was showing. I had to manually tell it what to do with each file. It appears the scan was suspended until I input "delete the file". After the 6 "warning" messages and me telling it to remove the suspicious files the scan continued.

When I first installed ESS it found 3 malware items and I had to tell it to manually delete those as well. I find this behavior a bit odd. My past experience with various AV solutions is that it quarantines an item, then lists it after the scan is complete allowing you to permanently delete or restore, etc. ESS seems to suspend the scan until you input a solution. Plus, you are only offered a choice of deleting or ignoring a file. Am I missing something here?

 

Hello,

Are the files of a resonable size to transmit via email? If so, please send them in password-protected .ZIP or .RAR file (using "infected" as the password) to samples@eset.sk with a link to this message thread.

Regards,

Aryeh Goretsky

 

Well, they're they're gone unfortunately. Again, I've written another post (see https://www.wilderssecurity.com/showthread.php?t=176578) regarding my issues with only being able to "delete" or "ignore" a suspect file in the warning dialogs I've seen. I've never seen any "quarantine" option.... The only thing residing in my quarantine file is 2 Thunderbird profiles....that's another story.

But as an update to this post, I ran another full scan last Thursday and the scan said that nothing was found. However, all my GoBack restore points were missing from prior to the scan. And at the time of the scan I see this in the GoBack app:

I saw this after the fist scan too, which prompted this post. In that first scan I thought ESS removed the Norton GoBack restore points, but after this week and some additional research I think what happened was it removed some XP System Restore points in the original scan.

I find that odd since I can't find the path to the area where the files were removed. Again, after some digging online this is a protected area of the file system and I'm surprised ESS was able to delete anything there.

So, I'd be happy to help here, but I think GoBack is just resetting itself from all the file activity from ESS. Still, no other AV I've ever used has done this, so it's an issue. I also repeat my concern that ESS isn't showing me an option to quarantine or repair suspect files - only delete or ignore. That's on my other thread, which hasn't seen much in the way of replies, so maybe others haven't had this issue. But it would have been nice if these files were in quarantine as noted from the log file above - but they aren't. They were deleted.

 

This as a further update regarding GoBack and ESS:

I'll be looking at options to remedy this. HOWEVER - this has not been an issue with any other AV - SO - I think this is a bug with ESS and needs addressed.

 

Just upgraded to 1b and this behavior continues - that is, every scan deletes all GoBack safe points. I did notice today that this actually is taking place toward the end of the scan. The scan took about 2.5 hours - began at 1025hrs ended at 1259hrs. GoBack had this message:

The suspension of logging deletes all previous safe points.

 

Did you enabled the Advanced mode and had a look into Tools>Quarantine to see if the deleted files are there?

 

I, and many others also, agree that suspending a scan to await user input is a horrible way to do things.

We can only hope this is because it's still in Beta and will NOT be the way that the RC's or Final behaves. Any word on this Aryeh or Mayth?

 

I agree to that, but only with OnDemand scanning. In my opinion there should be a (optional) way to popup a warning/question window with OnAccess scanning.

 

Hi Alf

Why is that? I don't understand why you would only want it that way for an On Demand scan there bud, is there something I'm missing here?
The way I do my full system scans, over 800G's of drive space and well over 500,000 files, is overnight of course as it takes far too long otherwise. To get up and find a half completed scan would really be annoying, so I would think for AutoCleaning it would be the way to do things also.

What are your thoughts on why you would want it only for On Demand?

Thx Alf
Dave

 

Maybe I wasn't very clear. This is what I want ESS to do:
OnDemand Scanning: Make a complete scan of all the selected drives without asking the user for actions. All found malware should be put in quarantine automatically. After the scan is done, a list should be presented with the quarantined files.
OnAccess Scanning: After detecting malware, a popup should appear with the possibility to choose to Clean, Delete of Quarantine the file(s).

 

Hello,

you can still perform on-demand scan without cleaning, ie. when running overnight. You check the threats detected in the morning and then act accordingly.