Windows Defender Quarantined Raxco InstantRecovery

Discussion in 'backup, imaging & disk mgmt' started by Suphyce, Nov 26, 2017.

  1. Suphyce

    Suphyce Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    6
    Location:
    Canada
    I'm locked out of main boot/files & all boot options, stuck in guest image.

    I have Malwarebytes Premium & Kaspersky to protect against assaults on InstantRescue.
    I thought Malwarebytes & Kaspersky would protect IR file/process/regkey/services/bootexec.
    But Microsoft's WD did an end-run, quarantined all that & disabled IR.
    I thought Raxco's IR had some sort of self protection against disablement &/or image tampering.
    I thought WD was not supposed to operate/override when other AV was installed; perhaps it was run as a once-off manual scan.

    So now I have less than 30 days, to hopefully avert further disaster, before Raxco files are erased from Quarantine, I suppose.

    Microsoft WD won't allow restoring from Quarantine.
    WD says InstantRestore is Rayirege, "unwanted program displaying deceptive product messages, potentially unwanted program, recommended action remove this software immediately."
    Sounds like WD is describing itself.

    What do I do? This is an inconceivable circumstance.
     
  2. Suphyce

    Suphyce Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    6
    Location:
    Canada
    System restore failed to stick, claiming "probable antivirus" interference. I disabled Kaspersky, but not Malwarebytes. I retried system restore to point prior to WD false positive quarantine. Still restore would not stick. Not sure... Even if I got system restore to succeed, would it affect "windows defender quarantined" items??
     
  3. Suphyce

    Suphyce Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    6
    Location:
    Canada
    Would it be a good idea to try reinstalling Raxco InstantRecovery?
     
  4. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    525
    Location:
    Canada
    Strange. WD should not be running if you have Kaspersky running. Have you tried turning WD off? I would go to WD and turn off every setting you can find. Maybe try to re-install Kaspersky in the hope that it shuts off WD. What would happen if you tried to re-install Raxco, would you lose everything? Something is not right; one of these programs is screwing up, and a re-install may solve it. Other than that, could you make an exclusion in WD for Raxco?
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    9,305
    Location:
    England
  6. Suphyce

    Suphyce Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    6
    Location:
    Canada
    I think it was a WD manual scan, but still Microsoft should not irrevocably quarantine a PUP, particularly without user final vote.
    If major AVs are compatible with Raxco & imaging software, MS should make an effort too. This FP is ridiculous.

    I'm gonna try this next: http://www.raxco.com/home/faqs
    "After installing a major Windows update, customers will need to enable the InstantRescue pre-boot again."
     
  7. Suphyce

    Suphyce Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    6
    Location:
    Canada
    Success!! Well it worked.
    Raxco is more brilliant than I suspected. I feel for software companies' patching, being bullied by an ignorant, steamrolling monopoly.

    I found some links for reg hacks to prevent WD auto quarantine.

    I should get Macrium Reflect or some other imaging solution, to save IR images to an external drive. Nothing like a good scare to get a normie to do the "right precautionary thing".

    I'm surprised at how easy it was to disable IR. If my image was gone/corrupted I would be soul crushed.
    Anything I should do further, layer wise, to harden against encrypting ransomware & such?

    Thanks all for the concern & help & ideas. Bless this forum. I'm an occasional lurker for eons.
     
  8. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,699
    What version of instant recovery do you have? Personal or business?
    Business offers "Enhanced snapshot protection" but I do not know what raxco means with that.
    You do not use archives? (IR archives = file based images of IR snapshots)

    Panagiotis
     
  9. Suphyce

    Suphyce Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    6
    Location:
    Canada
    I have IR Home. I've made "snapshots", but not yet made any "archived snapshots".
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,520
    Location:
    Slovenia
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,295
    In testing and talking to Raxco, if you have Home, ransomware can gain access to your data in the secondary snapshot, whereas the enhanced protection prevents that. I think Raxco made a huge mistake in not providing that protection with Home. For me, use of the Macrium Reflect paid version has negated the value of Instant Recovery. What it takes significant time to accomplish I can do in minutes.
     
  12. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    934
    Location:
    UK
    Can you share a link to the website with the registry hacks to disable WD quarantine please?
     
  13. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,536
    According to my experience, a PUP/PUA is not "irrevocably" quarantined. The operation can be reversed from the WD configuration screen. It has happened several times to me.
     
    Last edited: Nov 26, 2017
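The two things suggested in this thread, an exclusion for the Raxco folder (digmor crusher's post) and reversing the quarantine (Robin A.'s post), can also be done from an elevated PowerShell prompt. The script below is an added example, not code from anyone in this thread, from Raxco or from Microsoft. It uses the built-in Defender cmdlets and `MpCmdRun.exe`; the install folder and the `<DetectionName>` placeholder are assumptions you replace with what your own machine shows.

```powershell
# Added example: inspect a Windows Defender quarantine event, exclude the
# product folder, and restore the quarantined files.
# Run from an elevated PowerShell prompt on the affected machine.
# The install folder below is an assumption; check where InstantRecovery lives.
$ProductDir = 'C:\Program Files\Raxco\InstantRecovery'   # assumed path

# 1. Is the Defender engine actually active next to the third-party AV?
#    A one-off manual or periodic scan can still run even when real-time
#    protection is handed over to another product.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AMServiceEnabled          = $status.AMServiceEnabled
    LastQuickScan             = $status.QuickScanEndTime
    LastFullScan              = $status.FullScanEndTime
} | Format-List

# 2. What did Defender detect, and which files did it act on?
#    ThreatName is the detection name; Resources lists the paths involved.
Get-MpThreat |
    Select-Object ThreatID, ThreatName, SeverityID, IsActive |
    Format-Table -AutoSize
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 3. Add the exclusion BEFORE restoring, otherwise the restored files can be
#    picked up again on the next scan. Confirm it was recorded.
Add-MpPreference -ExclusionPath $ProductDir
(Get-MpPreference).ExclusionPath

# 4. List what is in quarantine, then restore by detection name.
#    MpCmdRun.exe is Defender's command-line tool.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $MpCmdRun -Restore -ListAll

# Replace <DetectionName> with the name shown in the listing above
# (the PUA name Defender reported for InstantRecovery).
$DetectionName = '<DetectionName>'
& $MpCmdRun -Restore -Name $DetectionName -All
```

The order matters: the exclusion is added first so the restored files are not quarantined a second time, and the detection listing is kept as a record of what was removed and when, which is what you want if you later have to explain the event or decide whether the detection was really a false positive.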
  14. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,699
    Is this the same protection that was introduced with FD-ISR (that prevented access to the other snapshots' folders)? Or did they enhance it more?
    I actually have both Raxco IR and Macrium licences stored away. Nowadays, I test software in virtual machines or Sandboxie and I rarely perform backups/restores... and when I do, I use IFL or BootIt BM.

    Panagiotis
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,295
    From talking with Bob Nolan Raxco CEO, I believe it is enhanced. But I haven't had a chance to play with it. I just know Raxco Home doesn't protect you. Also even if you have the protection if you use the data sharing feature you would be toast.
     
  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,699
    Thanks Pete.

    I do not understand why they removed all these features from the personal version. (no freeze option, 5 instead of 10 snapshots, no protection of the snapshots, no password lock).
    When I bought it they offered only the business version (for home they offered only InstantRescue) and, if I remember correctly, the price was the same as the personal version is now.

    @Suphyce If I were you, I would contact Raxco and request to change the personal version with the business one.

    Panagiotis
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,295
    The Business version is significantly more expensive. I no longer think it worth the money. Can do more with Macrium Reflect.
     
  18. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,699
    Did not know that... In that case I agree Macrium is a better choice.
     