
infected archived file item

pkramerf
Level 3
Partner Certified

It could be possible that files are archived while they are infected with a virus. Not very probable, but in case of a very aggressive archive strategy and a bad AV policy, it could be possible.

After having updated my AV, archived items won't be scanned, while normally (more like hopefully) your AV honours the O attribute of the placeholder.

Now if I retrieve this item, it will be scanned and probably the viral code removed. So it will be another item I suppose, while it is changed. If I close the item, the original archived one (with virus) will still be there and not deleted. I will have two versions then. Is this correct? And what will be the best procedure in case of several archived files infected?

gtnx

paul

1 ACCEPTED SOLUTION


JesusWept3
Level 6
Partner Accredited Certified
Pkramerf, I get what you're asking. So basically, every time you recall that file the AV will have to try and repair it, as the physical DVS files will contain the original item, thus including the virus. To be honest, there's not a tremendous amount you can do except set your AV policies to notify you; then when it comes up you can delete the original via Archive Explorer or search.asp, and thus no longer have the infected item.

Then you can either rearchive a non-infected version or you can forget it existed.

So yes, recalling the item may clean the recalled version via the AV, but the source DVS will be unclean, and when the recalled file is turned back to a shortcut and they recall the item again, AV will have to clean it.
https://www.linkedin.com/in/alex-allen-turl-07370146


5 REPLIES

RahulG
Level 6
Employee

I guess you are talking about the antivirus scanning your placeholder. The placeholder is the shortcut to the archived file. In case the placeholder gets corrupt, you can re-create the placeholder using FSAUtility.

If the file is corrupt, the archiving task would fail to archive the file.

Following are the documents for your reference:

http://www.symantec.com/business/support/index?page=content&id=TECH51039

http://www.symantec.com/business/support/index?page=content&id=TECH61296

pkramerf
Level 3
Partner Certified

No, I'm talking about the case where the file with a virus inside is archived, because at that moment the virus was not detected for whatever reason. But when you retrieve the file afterwards, the AV scanner (on access) will scan and maybe now (updates) it will detect the virus. But then??

RahulG
Level 6
Employee

As I mentioned, the archiving task might fail to archive the file which is infected with a virus. If EV archives the infected file, when you retrieve it, it would not repair it though. It would just restore the file as it was before. EV does not modify the file, being compliance software.

pkramerf
Level 3
Partner Certified

I was afraid of that already. While my AV cleans the file, the fingerprint will be different, so EV will see it as a new version. Similar to if you retrieve and edit a file. So I will have a clean and an infected version archived.