#1
How do you delete something from "the shadow"?
Hi All,

Well now, ESET does something that Kaspersky does not. ESET checks "the shadow":

    8/13/2020 21:15:04 PM - Module Real-time file system protection - Threat Alert triggered on computer OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program Files\OpenVPN\config\how_to_back_files.html contains Win32/Filecoder.FV trojan.

And the source C:\Program Files\OpenVPN\config\how_to_back_files.html is clean.

Using Disk Cleanup, More tab, System Restore and Shadow Copies area does not whack it.

Now I know how to recover something "from" the shadow. How do I "delete" something from the shadow?

Many thanks,
-T
#2
On 2020-08-13 23:19, T wrote:
> Hi All,
>
> Well now, ESET does something that Kaspersky does not. ESET checks "the shadow":
>
>     8/13/2020 21:15:04 PM - Module Real-time file system protection - Threat Alert triggered on computer OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program Files\OpenVPN\config\how_to_back_files.html contains Win32/Filecoder.FV trojan.
>
> And the source C:\Program Files\OpenVPN\config\how_to_back_files.html is clean.
>
> Using Disk Cleanup, More tab, System Restore and Shadow Copies area does not whack it.
>
> Now I know how to recover something "from" the shadow. How do I "delete" something from the shadow?
>
> Many thanks,
> -T

I figured out how to delete them all. But still do not know how to whack just one.

How to delete files from the "shadow", such as infected files:

References: http://backupchain.com/i/how-to-dele...phaned-shadows

Delete on Windows PCs and Servers

    The magic command is (does not need to be admin)

        vssadmin delete shadows /all

    To delete the really nasty ones, there's a trick:

        vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB

    For each drive you've got, run the above command with the minimum MaxSize permitted. Windows will then voluntarily dump all shadows due to lack of space. This technique was named "pull the carpet" by our tech support.

    Then, set MaxSize to UNBOUNDED or a very high number (for example, 100GB) for best performance. This is just an upper limit, not an actual permanent storage allocation.

    To see how successful you were

        vssadmin list shadows
#3
T wrote:
> On 2020-08-13 23:19, T wrote:
>> Hi All,
>>
>> Well now, ESET does something that Kaspersky does not. ESET checks "the shadow":
>>
>>     8/13/2020 21:15:04 PM - Module Real-time file system protection - Threat Alert triggered on computer OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program Files\OpenVPN\config\how_to_back_files.html contains Win32/Filecoder.FV trojan.
>>
>> And the source C:\Program Files\OpenVPN\config\how_to_back_files.html is clean.
>>
>> Using Disk Cleanup, More tab, System Restore and Shadow Copies area does not whack it.
>>
>> Now I know how to recover something "from" the shadow. How do I "delete" something from the shadow?
>>
>> Many thanks,
>> -T
>
> I figured out how to delete them all. But still do not know how to whack just one.
>
> How to delete files from the "shadow", such as infected files:
>
> References: http://backupchain.com/i/how-to-dele...phaned-shadows
>
> Delete on Windows PCs and Servers
>
>     The magic command is (does not need to be admin)
>
>         vssadmin delete shadows /all
>
>     To delete the really nasty ones, there's a trick:
>
>         vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB
>
>     For each drive you've got, run the above command with the minimum MaxSize permitted. Windows will then voluntarily dump all shadows due to lack of space. This technique was named "pull the carpet" by our tech support.
>
>     Then, set MaxSize to UNBOUNDED or a very high number (for example, 100GB) for best performance. This is just an upper limit, not an actual permanent storage allocation.
>
>     To see how successful you were
>
>         vssadmin list shadows

The removal tool for the ransomware should have deleted all the shadows to begin with. This is why System Restore won't work when an AV detects trouble, as it's already erased all the infected Restore Points. Any good malware infects all the Restore Points, so that the malware can come back when a Restore is attempted.

Not all the shadows are for System Protection, and the shadows that a backup tool might use might also contain a copy. I don't know the details, but Shadows (snapshot of file-system-in-time) can be used by backup software for figuring out what to do for Incrementals, Differentials, or Incremental-Forever. The shadows might be related to that. Shadows might also be used for File History (the implementation differs across different Windows versions). I expect as a developer, if the persistent shadows you defined go missing, you simply inform the user of the side effects and move on. If a backup tool needed that stuff, perhaps it would cancel or delete the last "backup set", whatever that is.

According to the great oracle, Filecoder.fv is ransomware that leaves file extensions of .encencenc on files that have been processed. And a user is likely to notice, as a user directory is a place with a high priority for the software to attack. As files in the user directory have value to the user, while converting shell32.dll into shell32.dll.encencenc, hardly anyone cares :-)

If your backup images have "mount" capability, you could scan those too. Good ransomware lies in wait and does not attack immediately. Thus, copies of the malware could be sitting in a backup image, waiting for some individual to do a restore later. The shadow tells you *something* made a shadow, and if the content of the shadow were actively used, the output of the program or tool could similarly be compromised.

Of course, it could also be a false positive. But we're talking ransomware here and not Ask Toolbar. How you process this problem is important.

Paul
#4
T wrote:
> Well now, ESET does something that Kaspersky does not. ESET checks "the shadow":
>
>     8/13/2020 21:15:04 PM - Module Real-time file system protection - Threat Alert triggered on computer OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program Files\OpenVPN\config\how_to_back_files.html contains Win32/Filecoder.FV trojan.
>
> And the source C:\Program Files\OpenVPN\config\how_to_back_files.html is clean.
>
> Using Disk Cleanup, More tab, System Restore and Shadow Copies area does not whack it.
>
> Now I know how to recover something "from" the shadow. How do I "delete" something from the shadow?

How do you know ESET isn't issuing a false positive? I've not ever used an AV that didn't eventually have a false positive. I used to get those with Avast on some .vhd files, not because they were infected but because a signature in Avast's database happened to match on a string in the encoded VHD file. I would submit the .vhd file to Avast to report the false positive.

https://www.av-comparatives.org/test...st-march-2020/

None have zero false positives, plus even if they did that doesn't preclude a different set of files using a newer or later version of the AV from generating false positives.

I used to use Avast Free. Too much adware, plus they got caught spying on user data. Went to Defender for a while. Now on Kaspersky Security Cloud Free. I don't use ESET because it has no freeware version (and an online scan using their web page doesn't count, especially since it is an on-demand scan instead of an on-access/realtime scanner), and trialware is not freeware.

Have you submitted the how_to_back_files.html to Virus Total? I can't see how a text file (all HTML is text) could be infected (unless an NTFS alternate data stream was involved that contained other type of content, like an ADS handing an executable onto a text file). Does ESET have a URL checker to see if a document has hyperlinks to known bad sources?
#5
On 2020-08-14 09:09, VanguardLH wrote:
> T wrote:
>> Well now, ESET does something that Kaspersky does not. ESET checks "the shadow":
>>
>>     8/13/2020 21:15:04 PM - Module Real-time file system protection - Threat Alert triggered on computer OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program Files\OpenVPN\config\how_to_back_files.html contains Win32/Filecoder.FV trojan.
>>
>> And the source C:\Program Files\OpenVPN\config\how_to_back_files.html is clean.
>>
>> Using Disk Cleanup, More tab, System Restore and Shadow Copies area does not whack it.
>>
>> Now I know how to recover something "from" the shadow. How do I "delete" something from the shadow?
>
> How do you know ESET isn't issuing a false positive? I've not ever used an AV that didn't eventually have a false positive. I used to get those with Avast on some .vhd files, not because they were infected but because a signature in Avast's database happened to match on a string in the encoded VHD file. I would submit the .vhd file to Avast to report the false positive.
>
> https://www.av-comparatives.org/test...st-march-2020/
>
> None have zero false positives, plus even if they did that doesn't preclude a different set of files using a newer or later version of the AV from generating false positives.
>
> I used to use Avast Free. Too much adware, plus they got caught spying on user data. Went to Defender for a while. Now on Kaspersky Security Cloud Free. I don't use ESET because it has no freeware version (and an online scan using their web page doesn't count, especially since it is an on-demand scan instead of an on-access/realtime scanner), and trialware is not freeware.
>
> Have you submitted the how_to_back_files.html to Virus Total? I can't see how a text file (all HTML is text) could be infected (unless an NTFS alternate data stream was involved that contained other type of content, like an ADS handing an executable onto a text file). Does ESET have a URL checker to see if a document has hyperlinks to known bad sources?

Thank you! See my response to Paul.
#6
On 2020-08-14 03:38, Paul wrote:
> T wrote:
>> On 2020-08-13 23:19, T wrote:
>>> Hi All,
>>>
>>> Well now, ESET does something that Kaspersky does not. ESET checks "the shadow":
>>>
>>>     8/13/2020 21:15:04 PM - Module Real-time file system protection - Threat Alert triggered on computer OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program Files\OpenVPN\config\how_to_back_files.html contains Win32/Filecoder.FV trojan.
>>>
>>> And the source C:\Program Files\OpenVPN\config\how_to_back_files.html is clean.
>>>
>>> Using Disk Cleanup, More tab, System Restore and Shadow Copies area does not whack it.
>>>
>>> Now I know how to recover something "from" the shadow. How do I "delete" something from the shadow?
>>>
>>> Many thanks,
>>> -T
>>
>> I figured out how to delete them all. But still do not know how to whack just one.
>>
>> How to delete files from the "shadow", such as infected files:
>>
>> References: http://backupchain.com/i/how-to-dele...phaned-shadows
>>
>> Delete on Windows PCs and Servers
>>
>>     The magic command is (does not need to be admin)
>>
>>         vssadmin delete shadows /all
>>
>>     To delete the really nasty ones, there's a trick:
>>
>>         vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB
>>
>>     For each drive you've got, run the above command with the minimum MaxSize permitted. Windows will then voluntarily dump all shadows due to lack of space. This technique was named "pull the carpet" by our tech support.
>>
>>     Then, set MaxSize to UNBOUNDED or a very high number (for example, 100GB) for best performance. This is just an upper limit, not an actual permanent storage allocation.
>>
>>     To see how successful you were
>>
>>         vssadmin list shadows
>
> The removal tool for the ransomware should have deleted all the shadows to begin with. This is why System Restore won't work when an AV detects trouble, as it's already erased all the infected Restore Points. Any good malware infects all the Restore Points, so that the malware can come back when a Restore is attempted.
>
> Not all the shadows are for System Protection, and the shadows that a backup tool might use might also contain a copy. I don't know the details, but Shadows (snapshot of file-system-in-time) can be used by backup software for figuring out what to do for Incrementals, Differentials, or Incremental-Forever. The shadows might be related to that. Shadows might also be used for File History (the implementation differs across different Windows versions). I expect as a developer, if the persistent shadows you defined go missing, you simply inform the user of the side effects and move on. If a backup tool needed that stuff, perhaps it would cancel or delete the last "backup set", whatever that is.
>
> According to the great oracle, Filecoder.fv is ransomware that leaves file extensions of .encencenc on files that have been processed. And a user is likely to notice, as a user directory is a place with a high priority for the software to attack. As files in the user directory have value to the user, while converting shell32.dll into shell32.dll.encencenc, hardly anyone cares :-)
>
> If your backup images have "mount" capability, you could scan those too. Good ransomware lies in wait and does not attack immediately. Thus, copies of the malware could be sitting in a backup image, waiting for some individual to do a restore later. The shadow tells you *something* made a shadow, and if the content of the shadow were actively used, the output of the program or tool could similarly be compromised.
>
> Of course, it could also be a false positive. But we're talking ransomware here and not Ask Toolbar. How you process this problem is important.
>
> Paul

Hi Paul and Vanguard,

Okay, as it transpires, there is a bug in ESET End Point Security. ESET got back to me. It is not possible to scan the shadow directly. It gets scanned during a backup that uses the shadow, Cobian Backup in this instance. As such it is not capable of neutralizing the file in the shadow. But it does remove it on the way to the backup program.

Now scanning the file directly (not the shadow) shows no infection. But Virus Total certainly does. And get this, it shows with ESET NOD32. Herein lies the bug ESET has to fix. I sent ESET back all the references, screen shots, and the infected file as a zip with a password.

So basically, if ESET finds something infected in the shadow during a shadow enabled backup but not the original file, until ESET fixes the bug, go to the original file with Windows Explorer, whack it with Shift+Del (permanent delete), then whack the shadow with

    vssadmin delete shadows /all

and see how successful you were with

    vssadmin list shadows

To answer Vanguard's question. ESET did whack the infected file from being backed up to the backup target. The infected file is nowhere to be found on the backup drive. This is a wonderful feature in ESET that I have not seen in any other Anti Virus.

And there is no way to pick out a particular file from the shadow and whack it that I could find. There is to read it, but not to whack it. You have to whack the entire shadow. But remember if you do not whack the original, the shadow will get repopulated with it the next backup.

And I do not recommend free Anti Viruses. They stink. ESET, Kaspersky, Bit Defender are all good. I prefer ESET at the moment. But as my wife says when I brag over the phone when I scam a free cup of tea from her "that could change in an instant buster!"

And if viruses are ruining your life, consider Fedora (Linux) or weird old Mac (weird for the sake of weirdness).

I am enjoying ESET End Point's eMail notification function. I get eMail of all "critical" events.

Thank you all for the help and tips
-T

"Whack" a highly advanced technical term. :-)
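An added example, not code from the thread or from ESET, BackupChain or Cobian: a PowerShell script that enumerates the shadow copies of one volume, checks each for the path ESET reported, hashes the shadow copy against the live file (so the "live is clean, shadow is flagged" puzzle above can be checked byte for byte), and, only when asked, removes just the shadows that contain the file by ID instead of every shadow with `/all`. It assumes an elevated prompt (mklink /d and vssadmin both need it); the `$DeleteMatchingShadows` switch and the temporary link names are my own.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt:
# creating a directory symlink with mklink /d and running vssadmin both need it.
param(
    [string]$Volume = 'C:',
    # Path from the ESET alert in the thread, relative to the volume root.
    [string]$SuspectRelativePath = 'Program Files\OpenVPN\config\how_to_back_files.html',
    # Opt-in (my own switch): remove only the shadows that actually contain the file.
    [switch]$DeleteMatchingShadows
)

$ErrorActionPreference = 'Stop'

# Hash of the live file (if it still exists) so each shadow copy can be
# compared with it; identical hashes mean the "clean" live file and the
# flagged shadow copy are the same bytes, i.e. a scanner coverage gap.
$liveFile = Join-Path "$Volume\" $SuspectRelativePath
$liveHash = $null
if (Test-Path -LiteralPath $liveFile) {
    $liveHash = (Get-FileHash -LiteralPath $liveFile -Algorithm SHA256).Hash
}

# Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the
# \\?\Volume{GUID}\ form, which is how shadows are matched to the drive.
$volumeId = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$Volume'").DeviceID
$shadows  = Get-CimInstance -ClassName Win32_ShadowCopy |
            Where-Object { $_.VolumeName -eq $volumeId }

$results = foreach ($sc in $shadows) {
    # A shadow is only reachable through its device object. The usual way to
    # browse it is a directory symlink to
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ (trailing backslash required).
    $link = Join-Path $env:TEMP ('vss_' + $sc.ID.Trim('{}'))
    cmd.exe /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    try {
        $inShadow = Join-Path $link $SuspectRelativePath
        $present  = Test-Path -LiteralPath $inShadow
        $hash     = if ($present) { (Get-FileHash -LiteralPath $inShadow -Algorithm SHA256).Hash } else { $null }
        [pscustomobject]@{
            ShadowId    = $sc.ID
            Created     = $sc.InstallDate
            Device      = $sc.DeviceObject
            FilePresent = $present
            SameAsLive  = [bool]($present -and $liveHash -and ($hash -eq $liveHash))
            Sha256      = $hash
        }
    }
    finally {
        # rmdir removes the link itself, never the snapshot behind it.
        cmd.exe /c rmdir "$link" | Out-Null
    }
}

$results | Format-Table ShadowId, Created, FilePresent, SameAsLive -AutoSize

if ($DeleteMatchingShadows) {
    foreach ($r in ($results | Where-Object FilePresent)) {
        # A snapshot is read-only, so one file cannot be removed from it; the
        # narrowest action is to drop just that snapshot by ID rather than every
        # shadow on the volume. Shadows owned by a backup tool (Cobian in the
        # thread) go too, so review the table before using the switch.
        vssadmin.exe delete shadows "/Shadow=$($r.ShadowId)" /Quiet
    }
}
# Whatever happens to the shadows, the live copy has to go as well, or the next
# shadow-based backup simply snapshots it again.
```

Run it once without the switch to see which shadows hold the file and whether their copy matches the live one; `vssadmin list shadows` afterwards confirms what was removed.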
#7
T wrote:
> On 2020-08-14 03:38, Paul wrote:
>> T wrote:
>>> On 2020-08-13 23:19, T wrote:
>>>> Hi All,
>>>>
>>>> Well now, ESET does something that Kaspersky does not. ESET checks "the shadow":
>>>>
>>>>     8/13/2020 21:15:04 PM - Module Real-time file system protection - Threat Alert triggered on computer OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program Files\OpenVPN\config\how_to_back_files.html contains Win32/Filecoder.FV trojan.
>>>>
>>>> And the source C:\Program Files\OpenVPN\config\how_to_back_files.html is clean.
>>>>
>>>> Using Disk Cleanup, More tab, System Restore and Shadow Copies area does not whack it.
>>>>
>>>> Now I know how to recover something "from" the shadow. How do I "delete" something from the shadow?
>>>>
>>>> Many thanks,
>>>> -T
>>>
>>> I figured out how to delete them all. But still do not know how to whack just one.
>>>
>>> How to delete files from the "shadow", such as infected files:
>>>
>>> References: http://backupchain.com/i/how-to-dele...phaned-shadows
>>>
>>> Delete on Windows PCs and Servers
>>>
>>>     The magic command is (does not need to be admin)
>>>
>>>         vssadmin delete shadows /all
>>>
>>>     To delete the really nasty ones, there's a trick:
>>>
>>>         vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB
>>>
>>>     For each drive you've got, run the above command with the minimum MaxSize permitted. Windows will then voluntarily dump all shadows due to lack of space. This technique was named "pull the carpet" by our tech support.
>>>
>>>     Then, set MaxSize to UNBOUNDED or a very high number (for example, 100GB) for best performance. This is just an upper limit, not an actual permanent storage allocation.
>>>
>>>     To see how successful you were
>>>
>>>         vssadmin list shadows
>>
>> The removal tool for the ransomware should have deleted all the shadows to begin with. This is why System Restore won't work when an AV detects trouble, as it's already erased all the infected Restore Points. Any good malware infects all the Restore Points, so that the malware can come back when a Restore is attempted.
>>
>> Not all the shadows are for System Protection, and the shadows that a backup tool might use might also contain a copy. I don't know the details, but Shadows (snapshot of file-system-in-time) can be used by backup software for figuring out what to do for Incrementals, Differentials, or Incremental-Forever. The shadows might be related to that. Shadows might also be used for File History (the implementation differs across different Windows versions). I expect as a developer, if the persistent shadows you defined go missing, you simply inform the user of the side effects and move on. If a backup tool needed that stuff, perhaps it would cancel or delete the last "backup set", whatever that is.
>>
>> According to the great oracle, Filecoder.fv is ransomware that leaves file extensions of .encencenc on files that have been processed. And a user is likely to notice, as a user directory is a place with a high priority for the software to attack. As files in the user directory have value to the user, while converting shell32.dll into shell32.dll.encencenc, hardly anyone cares :-)
>>
>> If your backup images have "mount" capability, you could scan those too. Good ransomware lies in wait and does not attack immediately. Thus, copies of the malware could be sitting in a backup image, waiting for some individual to do a restore later. The shadow tells you *something* made a shadow, and if the content of the shadow were actively used, the output of the program or tool could similarly be compromised.
>>
>> Of course, it could also be a false positive. But we're talking ransomware here and not Ask Toolbar. How you process this problem is important.
>>
>> Paul
>
> Hi Paul and Vanguard,
>
> Okay, as it transpires, there is a bug in ESET End Point Security. ESET got back to me. It is not possible to scan the shadow directly. It gets scanned during a backup that uses the shadow, Cobian Backup in this instance. As such it is not capable of neutralizing the file in the shadow. But it does remove it on the way to the backup program.
>
> Now scanning the file directly (not the shadow) shows no infection. But Virus Total certainly does. And get this, it shows with ESET NOD32. Herein lies the bug ESET has to fix. I sent ESET back all the references, screen shots, and the infected file as a zip with a password.
>
> So basically, if ESET finds something infected in the shadow during a shadow enabled backup but not the original file, until ESET fixes the bug, go to the original file with Windows Explorer, whack it with Shift+Del (permanent delete), then whack the shadow with
>
>     vssadmin delete shadows /all
>
> and see how successful you were with
>
>     vssadmin list shadows
>
> To answer Vanguard's question. ESET did whack the infected file from being backed up to the backup target. The infected file is nowhere to be found on the backup drive. This is a wonderful feature in ESET that I have not seen in any other Anti Virus.
>
> And there is no way to pick out a particular file from the shadow and whack it that I could find. There is to read it, but not to whack it. You have to whack the entire shadow. But remember if you do not whack the original, the shadow will get repopulated with it the next backup.
>
> And I do not recommend free Anti Viruses. They stink. ESET, Kaspersky, Bit Defender are all good. I prefer ESET at the moment. But as my wife says when I brag over the phone when I scam a free cup of tea from her "that could change in an instant buster!"
>
> And if viruses are ruining your life, consider Fedora (Linux) or weird old Mac (weird for the sake of weirdness).
>
> I am enjoying ESET End Point's eMail notification function. I get eMail of all "critical" events.
>
> Thank you all for the help and tips
> -T
>
> "Whack" a highly advanced technical term. :-)

Yet how is a text file considered "infectable"? HTML is text. Seems the false positive was based on a signature rather than heuristics.
#8
On 2020-08-14 21:18, VanguardLH wrote:
> Yet how is a text file considered "infectable"? HTML is text. Seems the false positive was based on a signature rather than heuristics.

It is what the user does with the text file. This is ESET Tech Support's explanation:

    It's ESET's real time scanner that detected the ransom note, how_to_back_files.html.
#9
On 2020-08-14 21:18, VanguardLH wrote:
> a text file considered "infectable"? HTML is text. Seems the false positive was based on a signature rather than heuristics.

It is what the user does with the text file. This is ESET Tech Support's explanation:

    The file 'how_to_back_files.html' is a ransom note from a very old ransomware virus. ESET detects the virus as Filecoder.FV and the detection was added back in 01/12/2017.

        https://www.virusradar.com/en/Win32_Filecoder/detail.

    Ransom notes were left behind in the form of .txt or .html files and they only contained payment instructions such as the ransom amount and the bitcoin address.
#10
T wrote:
> On 2020-08-14 21:18, VanguardLH wrote:
>> a text file considered "infectable"? HTML is text. Seems the false positive was based on a signature rather than heuristics.
>
> It is what the user does with the text file. This is ESET Tech Support's explanation:
>
>     The file 'how_to_back_files.html' is a ransom note from a very old ransomware virus. ESET detects the virus as Filecoder.FV and the detection was added back in 01/12/2017.
>
>         https://www.virusradar.com/en/Win32_Filecoder/detail.
>
>     Ransom notes were left behind in the form of .txt or .html files and they only contained payment instructions such as the ransom amount and the bitcoin address.

OK, so the usual scenario. Some tool that cleans up crap leaves behind "non-virulent materials" to be tripped over by future scanners.

I was having to help someone zap a few registry entries for the same reason: pest removed, but its registry entries were not removed. And that leaves a "smell" which future scanning tools trip over, and that gets the user "all bent out of shape" when the alert appears on the screen.

Paul
#11
On 2020-08-15 02:45, Paul wrote:
> T wrote:
>> On 2020-08-14 21:18, VanguardLH wrote:
>>> a text file considered "infectable"? HTML is text. Seems the false positive was based on a signature rather than heuristics.
>>
>> It is what the user does with the text file. This is ESET Tech Support's explanation:
>>
>>     The file 'how_to_back_files.html' is a ransom note from a very old ransomware virus. ESET detects the virus as Filecoder.FV and the detection was added back in 01/12/2017.
>>
>>         https://www.virusradar.com/en/Win32_Filecoder/detail.
>>
>>     Ransom notes were left behind in the form of .txt or .html files and they only contained payment instructions such as the ransom amount and the bitcoin address.
>
> OK, so the usual scenario. Some tool that cleans up crap leaves behind "non-virulent materials" to be tripped over by future scanners.
>
> I was having to help someone zap a few registry entries for the same reason: pest removed, but its registry entries were not removed. And that leaves a "smell" which future scanning tools trip over, and that gets the user "all bent out of shape" when the alert appears on the screen.
>
> Paul

Very true. And if that is not bad enough, anything they don't understand IS A VIRUS! ("Go change your mouse batteries.")