Author Topic: Why is Win32 Sirefef-AAP (Rtk) back in chest after restoring it?  (Read 4228 times)


puter illit

  • Guest
Hi, I am puzzled. After a day of trying to restore this false positive file and finally accomplishing it, I just noticed that the restored file is back in the chest as:

ADD33635.sys  C: System Volume information_restore(

The date is 6/29, the same as the date of occurrence, not the restore, but the time is 7 min earlier than the occurrence. I'm not sure if that is because, after spending a day trying to restore, I realized my clock was not in sync with my time zone and reset the clock on 6/30. What do I do with it now? Restore? Leave it? This file is an original install and critical component, and if I leave it, it might corrupt the file.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Why is Win32 Sirefef-AAP (Rtk) back in chest after restoring it?
« Reply #1 on: July 04, 2012, 05:10:48 PM »
As was said in your other topic, avast can't restore to the C: System Volume information folder as it is part of the system restore function.

That said, the Restore function doesn't remove the copy from the chest. Take this example: you try to restore a file from the chest, but for some reason it fails; if the copy in the chest was removed during this process, you would have no backup copy.

So this is a safety measure, for want of a better description: until you confirm (a physical check of the folder) that the file has been restored to its original location, a copy remains in the chest until you manually delete it from the chest.

As I have mentioned on other occasions - Infected Restore Points:
There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

So manually delete it from the chest.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

puter illit

  • Guest
Re: Why is Win32 Sirefef-AAP (Rtk) back in chest after restoring it?
« Reply #2 on: July 04, 2012, 05:46:36 PM »
Yah, but I didn't do a SR after Avast found the FP file and I restored it manually????? This appears to be a separate file that either I didn't notice on the day of the incident or was added after I right-clicked on the original file to restore and/or manually restored it.

Offline DavidR
Re: Why is Win32 Sirefef-AAP (Rtk) back in chest after restoring it?
« Reply #3 on: July 04, 2012, 06:01:09 PM »
You don't have to have done a SR (and as mentioned, that can't happen). The file was most likely in the chest already, and when you check the properties it will show the original location and, more crucially, the date it was sent (time of transfer) to the chest (see image).

Had avast found it during a scan avast would have alerted and we know that can't happen after the detection signature was fixed; so it must have been present in the chest.

As I keep banging on, you can't restore to the System Volume information folder, manually or otherwise.

puter illit

  • Guest
Re: Why is Win32 Sirefef-AAP (Rtk) back in chest after restoring it?
« Reply #4 on: July 04, 2012, 06:39:29 PM »
I had already done that before posting! As I said, I reset the clock hours after I clicked to restore it manually, so I don't know if the time is actual or adjusted. It shows it 7 min prior to avast indicating & moving the 1st 2 files to the chest. And yes, I'm sorry if you have to keep BANGING it to me. I am not as puter literate as others and do not fully understand how to locate and/or correct errors that should have never happened in the first place. As another that just occurred, with sandbox moving another internal program to the sandbox that showed as clean, but now I can't find it to restore it back to where it belongs. It would appear Avast is no longer user friendly & simple to use without creating additional problems, and only usable by sophisticated computer users, or mess up your OP with FP. Sorry I'm taking up so much of your time.