How do you delete something from "the shadow"?

Hi All,

Well now, ESE does something that Kaspersky does not. ESET check "the
shadow":
8/13/2020 21:15:04 PM - Module Real-time file system
protection - Threat Alert triggered on computer
OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program
Files\OpenVPN\config\how_to_back_files.html contains
Win32/Filecoder.FV trojan.

And the source
C:\Program Files\OpenVPN\config\how_to_back_files.html

is clean.

Using Disk Cleanup, More tab, System Restore and Shadow
Copies area does not wack it.

Now I know how to recover something "from" the shadow.
How do I "delete" something from the shadow?

Many thanks,
-T

On 2020-08-13 23:19, T wrote:
Hi All,

Well now, ESE does something that Kaspersky does not.Â* ESET check "the
shadow":
Â*Â*Â*Â*Â* 8/13/2020 21:15:04 PM - Module Real-time file system
Â*Â*Â*Â*Â* protection - Threat Alert triggered on computer
Â*Â*Â*Â*Â* OPERATIONS:Â* \Device\HarddiskVolumeShadowCopy4\Program
Â*Â*Â*Â*Â* Files\OpenVPN\config\how_to_back_files.html contains
Â*Â*Â*Â*Â* Win32/Filecoder.FV trojan.

And the source
Â*Â*Â* C:\Program Files\OpenVPN\config\how_to_back_files.html

is clean.

Using Disk Cleanup, More tab, System Restore and Shadow
Copies area does not wack it.

Now I know how to recover something "from" the shadow.
How do I "delete" something from the shadow?

Many thanks,
-T


I figured out how to delete the all. But still
do not know how to wack just one.


How to delete fiels from the "shadow", such as infected files:

References:

http://backupchain.com/i/how-to-dele...phaned-shadows

Delete on Windows PCs and Servers
The magic command is (does not need to be admin)
vssadmin delete shadows /all

To delete the really nasty ones, there's a trick:
vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB

For each drive you've got, run the above command with the minimum
MaxSize permitted. Windows will then voluntarily dump all shadows
due to lack of space. This technique was named "pull the carpet" by
our tech support.

Then, set MaxSize to UNBOUNDED or a very high number (for example,
100GB) for best performance. This is just an upper limit, not
an actual permanent storage allocation.

To see how successful you we
vssadmin list shadows

T wrote:
On 2020-08-13 23:19, T wrote:
Hi All,

Well now, ESE does something that Kaspersky does not. ESET check "the
shadow":
8/13/2020 21:15:04 PM - Module Real-time file system
protection - Threat Alert triggered on computer
OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program
Files\OpenVPN\config\how_to_back_files.html contains
Win32/Filecoder.FV trojan.

And the source
C:\Program Files\OpenVPN\config\how_to_back_files.html

is clean.

Using Disk Cleanup, More tab, System Restore and Shadow
Copies area does not wack it.

Now I know how to recover something "from" the shadow.
How do I "delete" something from the shadow?

Many thanks,
-T


I figured out how to delete the all. But still
do not know how to wack just one.


How to delete fiels from the "shadow", such as infected files:

References:

http://backupchain.com/i/how-to-dele...phaned-shadows

Delete on Windows PCs and Servers
The magic command is (does not need to be admin)
vssadmin delete shadows /all

To delete the really nasty ones, there's a trick:
vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB

For each drive you've got, run the above command with the minimum
MaxSize permitted. Windows will then voluntarily dump all shadows
due to lack of space. This technique was named "pull the carpet" by
our tech support.

Then, set MaxSize to UNBOUNDED or a very high number (for example,
100GB) for best performance. This is just an upper limit, not
an actual permanent storage allocation.

To see how successful you we
vssadmin list shadows

The removal tool for the ransomware, should have deleted
all the shadows to begin with. This is why System Restore won't
work, when an AV detects trouble, as it's already erased all
the infected Restore Points. Any good malware infects all the
Restore Points, so that the malware can come back when a
Restore is attempted.

Not all the shadows are for System Protection, and the
shadows that a backup tool might use, might also contain
a copy. I don't know the details, but Shadows (snapshot of
file-system-in-time) can be used by backup software for
figuring out what to do for Incrementals, Differentials,
or Incremental-Forever. The shadows might be related to that.
Shadows might also be used for File History (the implementation
differs across different Windows versions).

I expect as a developer, if the persistent shadows you defined
go missing, you simply inform the user of the side effects,
and move on. If a backup tool needed that stuff, perhaps
it would cancel or delete the last "backup set", whatever
that is.

According to the great oracle, Filecoder.fv is ransomware
that leaves file extensions of .encencenc on files that
have been processed. And a user is likely to notice, as
a user directory is a place with a high priority for
the software to attack. As files in the user directory
have value to the user, while converting shell32.dll
into shell32.dll.encencenc, hardly anyone cares :-)

If your backup images have "mount" capability, you could
scan those too. Good ransomware lays in wait and does not
attack immediately. Thus, copies of the malware could be
sitting in a backup image, waiting for some individual
to do a restore later. The shadow tells you *something*
made a shadow, and if the content of the shadow were
actively used, the output of the program or tool could
similarly be compromised.

Of course, it could also be a false positive. But we're
talking ransomware here and not Ask Toolbar. How
you process this problem, is important.

Paul

T wrote:

Well now, ESE does something that Kaspersky does not. ESET check "the
shadow":
8/13/2020 21:15:04 PM - Module Real-time file system
protection - Threat Alert triggered on computer
OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program
Files\OpenVPN\config\how_to_back_files.html contains
Win32/Filecoder.FV trojan.

And the source
C:\Program Files\OpenVPN\config\how_to_back_files.html

is clean.

Using Disk Cleanup, More tab, System Restore and Shadow
Copies area does not wack it.

Now I know how to recover something "from" the shadow.
How do I "delete" something from the shadow?

How do you know ESET isn't issuing a false positive? I've not ever used
an AV that didn't eventually have a false positive. I used to get those
with Avast on some .vhd files not because they were infected but because
a signature in Avast's database happened to match on a string in the
encoded VHD file. I would submit the .vhd file to Avast's to report the
false positive.

https://www.av-comparatives.org/test...st-march-2020/
None have zero false positives, plus even if they did that doesn't
preclude a different set of files using a newer or later version of the
AV from generating false positives.

I used to use Avast Free. Too much adware, plus they got caught spying
on user data. Went to Defender for awhile. Now on Kaspersky Security
Cloud Free. I don't use ESET because it has no freeware version (and an
online scan using their web page doesn't count, especially since it is
an on-demand scan instead of an on-access/realtime scanner), and
trialware is not freeware.

Have you submitted the how_to_back_files.html to Virus Total? I can't
see how a text file (all HTML is text) could be infected (unless an NTFS
alternate data stream was involved that contained other type of content,
like an ADS handing an executable onto a text file). Does ESET have a
URL checker to see if a document has hyperlinks to known bad sources?

On 2020-08-14 09:09, VanguardLH wrote:
T wrote:

Well now, ESE does something that Kaspersky does not. ESET check "the
shadow":
8/13/2020 21:15:04 PM - Module Real-time file system
protection - Threat Alert triggered on computer
OPERATIONS: \Device\HarddiskVolumeShadowCopy4\Program
Files\OpenVPN\config\how_to_back_files.html contains
Win32/Filecoder.FV trojan.

And the source
C:\Program Files\OpenVPN\config\how_to_back_files.html

is clean.

Using Disk Cleanup, More tab, System Restore and Shadow
Copies area does not wack it.

Now I know how to recover something "from" the shadow.
How do I "delete" something from the shadow?

How do you know ESET isn't issuing a false positive? I've not ever used
an AV that didn't eventually have a false positive. I used to get those
with Avast on some .vhd files not because they were infected but because
a signature in Avast's database happened to match on a string in the
encoded VHD file. I would submit the .vhd file to Avast's to report the
false positive.

https://www.av-comparatives.org/test...st-march-2020/
None have zero false positives, plus even if they did that doesn't
preclude a different set of files using a newer or later version of the
AV from generating false positives.

I used to use Avast Free. Too much adware, plus they got caught spying
on user data. Went to Defender for awhile. Now on Kaspersky Security
Cloud Free. I don't use ESET because it has no freeware version (and an
online scan using their web page doesn't count, especially since it is
an on-demand scan instead of an on-access/realtime scanner), and
trialware is not freeware.

Have you submitted the how_to_back_files.html to Virus Total? I can't
see how a text file (all HTML is text) could be infected (unless an NTFS
alternate data stream was involved that contained other type of content,
like an ADS handing an executable onto a text file). Does ESET have a
URL checker to see if a document has hyperlinks to known bad sources?


Thank you!

See my response to Paul

On 2020-08-14 03:38, Paul wrote:
T wrote:
On 2020-08-13 23:19, T wrote:
Hi All,

Well now, ESE does something that Kaspersky does not.Â* ESET check
"the shadow":
Â*Â*Â*Â*Â*Â* 8/13/2020 21:15:04 PM - Module Real-time file system
Â*Â*Â*Â*Â*Â* protection - Threat Alert triggered on computer
Â*Â*Â*Â*Â*Â* OPERATIONS:Â* \Device\HarddiskVolumeShadowCopy4\Program
Â*Â*Â*Â*Â*Â* Files\OpenVPN\config\how_to_back_files.html contains
Â*Â*Â*Â*Â*Â* Win32/Filecoder.FV trojan.

And the source
Â*Â*Â*Â* C:\Program Files\OpenVPN\config\how_to_back_files.html

is clean.

Using Disk Cleanup, More tab, System Restore and Shadow
Copies area does not wack it.

Now I know how to recover something "from" the shadow.
How do I "delete" something from the shadow?

Many thanks,
-T


I figured out how to delete the all.Â* But still
do not know how to wack just one.


How to delete fiels from the "shadow", such as infected files:

References:

http://backupchain.com/i/how-to-dele...phaned-shadows


Delete on Windows PCs and Servers
Â*Â* The magic command is (does not need to be admin)
Â*Â*Â* vssadmin delete shadows /all

Â*Â* To delete the really nasty ones, there's a trick:
Â*Â*Â* vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB

Â*Â* For each drive you've got, run the above command with the minimum
Â*Â* MaxSize permitted. Windows will then voluntarily dump all shadows
Â*Â* due to lack of space. This technique was named "pull the carpet" by
Â*Â* our tech support.

Â*Â* Then, set MaxSize to UNBOUNDED or a very high number (for example,
Â*Â* 100GB) for best performance. This is just an upper limit, not
Â*Â* an actual permanent storage allocation.

Â*Â* To see how successful you we
Â*Â*Â*Â*Â*Â*Â* vssadmin list shadows

The removal tool for the ransomware, should have deleted
all the shadows to begin with. This is why System Restore won't
work, when an AV detects trouble, as it's already erased all
the infected Restore Points. Any good malware infects all the
Restore Points, so that the malware can come back when a
Restore is attempted.

Not all the shadows are for System Protection, and the
shadows that a backup tool might use, might also contain
a copy. I don't know the details, but Shadows (snapshot of
file-system-in-time) can be used by backup software for
figuring out what to do for Incrementals, Differentials,
or Incremental-Forever. The shadows might be related to that.
Shadows might also be used for File History (the implementation
differs across different Windows versions).

I expect as a developer, if the persistent shadows you defined
go missing, you simply inform the user of the side effects,
and move on. If a backup tool needed that stuff, perhaps
it would cancel or delete the last "backup set", whatever
that is.

According to the great oracle, Filecoder.fv is ransomware
that leaves file extensions of .encencenc on files that
have been processed. And a user is likely to notice, as
a user directory is a place with a high priority for
the software to attack. As files in the user directory
have value to the user, while converting shell32.dll
into shell32.dll.encencenc, hardly anyone cares :-)

If your backup images have "mount" capability, you could
scan those too. Good ransomware lays in wait and does not
attack immediately. Thus, copies of the malware could be
sitting in a backup image, waiting for some individual
to do a restore later. The shadow tells you *something*
made a shadow, and if the content of the shadow were
actively used, the output of the program or tool could
similarly be compromised.

Of course, it could also be a false positive. But we're
talking ransomware here and not Ask Toolbar. How
you process this problem, is important.

Â*Â* Paul


Hi Paul and Vanguard,

Okay, as it transpires, there is a bug in ESET End
Point Security.

ESET got back to me. It is not possible to scan
the shadow directly. It gets scanned during
a backup that uses the shadow, Cobian Backup in this
instance. As such it is not capable of neutralizing
the file in the shadow. But it does remove it
on the way to the backup program.

Now scanning the file directly (not the shadow) shows
no infection. But Virus Total certainly does. And
get this, it shows with ESET NOD32. Here in lies
the bug ESET has to fix. I sent ESET back all
the references, screen shots, and the infected file
as a zip with a password.

So basically, if ESET find something infected in the
shadow during a shadow enabled backup but not
the original file, until ESET fixes the bug, go
to the original file with Windows Explorer, whack
it with
shiftdel (permanent delete)

then whack the shadow with
vssadmin delete shadows /all

and see how successful you were with
vssadmin list shadows

To answer Vanguard's question. ESET did whack the
infected file from being backed up to the backup
target. The infected file is no where to be found
on the backup drive.

This is a wonderful feature in ESET that I have not seen
in any other Anti Virus.

And there is not way to pick out a particular file
from the shadow and whack it that I could find. There
is to read it, but not to whack it. You have to whack
the entire shadow. But remember if you do not whack
the original, the shadow will get repopulated with it
the next backup.

And I do not recommend free Anti Viruses. They stink.
ESET, Kaspersky, Bit Defender are all good. I prefer
ESET at the moment. But as my wife says when I brag
over the phone when I scam a free cup of tea from
her "that could change in an instant buster!"

And if viruses are ruining your life, consider Fedora
(Linux) or weird old Mac (weird for the sake of
weirdness).

I am enjoying ESET End Point's eMail notification
function. I get eMail of all "critical" events.

Thank you all for the help and tips
-T

"Whack" a highly advanced technical term.

:-)

T wrote:

On 2020-08-14 03:38, Paul wrote:
T wrote:
On 2020-08-13 23:19, T wrote:
Hi All,

Well now, ESE does something that Kaspersky does not.* ESET check
"the shadow":
****** 8/13/2020 21:15:04 PM - Module Real-time file system
****** protection - Threat Alert triggered on computer
****** OPERATIONS:* \Device\HarddiskVolumeShadowCopy4\Program
****** Files\OpenVPN\config\how_to_back_files.html contains
****** Win32/Filecoder.FV trojan.

And the source
**** C:\Program Files\OpenVPN\config\how_to_back_files.html

is clean.

Using Disk Cleanup, More tab, System Restore and Shadow
Copies area does not wack it.

Now I know how to recover something "from" the shadow.
How do I "delete" something from the shadow?

Many thanks,
-T


I figured out how to delete the all.* But still
do not know how to wack just one.


How to delete fiels from the "shadow", such as infected files:

References:

http://backupchain.com/i/how-to-dele...phaned-shadows


Delete on Windows PCs and Servers
** The magic command is (does not need to be admin)
*** vssadmin delete shadows /all

** To delete the really nasty ones, there's a trick:
*** vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB

** For each drive you've got, run the above command with the minimum
** MaxSize permitted. Windows will then voluntarily dump all shadows
** due to lack of space. This technique was named "pull the carpet" by
** our tech support.

** Then, set MaxSize to UNBOUNDED or a very high number (for example,
** 100GB) for best performance. This is just an upper limit, not
** an actual permanent storage allocation.

** To see how successful you we
******* vssadmin list shadows

The removal tool for the ransomware, should have deleted
all the shadows to begin with. This is why System Restore won't
work, when an AV detects trouble, as it's already erased all
the infected Restore Points. Any good malware infects all the
Restore Points, so that the malware can come back when a
Restore is attempted.

Not all the shadows are for System Protection, and the
shadows that a backup tool might use, might also contain
a copy. I don't know the details, but Shadows (snapshot of
file-system-in-time) can be used by backup software for
figuring out what to do for Incrementals, Differentials,
or Incremental-Forever. The shadows might be related to that.
Shadows might also be used for File History (the implementation
differs across different Windows versions).

I expect as a developer, if the persistent shadows you defined
go missing, you simply inform the user of the side effects,
and move on. If a backup tool needed that stuff, perhaps
it would cancel or delete the last "backup set", whatever
that is.

According to the great oracle, Filecoder.fv is ransomware
that leaves file extensions of .encencenc on files that
have been processed. And a user is likely to notice, as
a user directory is a place with a high priority for
the software to attack. As files in the user directory
have value to the user, while converting shell32.dll
into shell32.dll.encencenc, hardly anyone cares :-)

If your backup images have "mount" capability, you could
scan those too. Good ransomware lays in wait and does not
attack immediately. Thus, copies of the malware could be
sitting in a backup image, waiting for some individual
to do a restore later. The shadow tells you *something*
made a shadow, and if the content of the shadow were
actively used, the output of the program or tool could
similarly be compromised.

Of course, it could also be a false positive. But we're
talking ransomware here and not Ask Toolbar. How
you process this problem, is important.

** Paul


Hi Paul and Vanguard,

Okay, as it transpires, there is a bug in ESET End
Point Security.

ESET got back to me. It is not possible to scan
the shadow directly. It gets scanned during
a backup that uses the shadow, Cobian Backup in this
instance. As such it is not capable of neutralizing
the file in the shadow. But it does remove it
on the way to the backup program.

Now scanning the file directly (not the shadow) shows
no infection. But Virus Total certainly does. And
get this, it shows with ESET NOD32. Here in lies
the bug ESET has to fix. I sent ESET back all
the references, screen shots, and the infected file
as a zip with a password.

So basically, if ESET find something infected in the
shadow during a shadow enabled backup but not
the original file, until ESET fixes the bug, go
to the original file with Windows Explorer, whack
it with
shiftdel (permanent delete)

then whack the shadow with
vssadmin delete shadows /all

and see how successful you were with
vssadmin list shadows

To answer Vanguard's question. ESET did whack the
infected file from being backed up to the backup
target. The infected file is no where to be found
on the backup drive.

This is a wonderful feature in ESET that I have not seen
in any other Anti Virus.

And there is not way to pick out a particular file
from the shadow and whack it that I could find. There
is to read it, but not to whack it. You have to whack
the entire shadow. But remember if you do not whack
the original, the shadow will get repopulated with it
the next backup.

And I do not recommend free Anti Viruses. They stink.
ESET, Kaspersky, Bit Defender are all good. I prefer
ESET at the moment. But as my wife says when I brag
over the phone when I scam a free cup of tea from
her "that could change in an instant buster!"

And if viruses are ruining your life, consider Fedora
(Linux) or weird old Mac (weird for the sake of
weirdness).

I am enjoying ESET End Point's eMail notification
function. I get eMail of all "critical" events.

Thank you all for the help and tips
-T

"Whack" a highly advanced technical term.

:-)

Yet how is a text file considered "infectable"? HTML is text. Seems
the false positive was based on a signature rather than heuristics.

On 2020-08-14 21:18, VanguardLH wrote:
Yet how is a text file considered "infectable"? HTML is text. Seems
the false positive was based on a signature rather than heuristics.

It is what the user does with the text file. This is
ESET Tech Support's explanation:

It's ESET's real time scanner that detected the ransom note,
how_to_back_files.html.

On 2020-08-14 21:18, VanguardLH wrote:
a text file considered "infectable"? HTML is text. Seems
the false positive was based on a signature rather than heuristics.


It is what the user does with the text file. This is
ESET Tech Support's explanation:

The file 'how_to_back_files.html' is an ransom note
from a very old ransomware virus. ESET detects the
virus as Filecoder.FV and the detection was added
back in 01/12/2017.
https://www.virusradar.com/en/Win32_Filecoder/detail.
Ransom notes were left behind in the form of .txt
or .html files and they only contained payment
instructions such as the ransom amount and the
bitcoin address.

T wrote:
On 2020-08-14 21:18, VanguardLH wrote:
a text file considered "infectable"? HTML is text. Seems
the false positive was based on a signature rather than heuristics.


It is what the user does with the text file. This is
ESET Tech Support's explanation:

The file 'how_to_back_files.html' is an ransom note
from a very old ransomware virus. ESET detects the
virus as Filecoder.FV and the detection was added
back in 01/12/2017.
https://www.virusradar.com/en/Win32_Filecoder/detail.
Ransom notes were left behind in the form of .txt
or .html files and they only contained payment
instructions such as the ransom amount and the
bitcoin address.

OK, so the usual scenario. Some tool that cleans up
crap, leaves behind "non-virulent materials" to be
tripped over by future scanners. I was having to
help someone zap a few registry entries for the same
reason, pest removed, but its registry entries were
not removed. And that leaves a "smell" which future
scanning tools trip over, and that gets the user
"all bent out of shape" when the alert appears
on the screen.

Paul

On 2020-08-15 02:45, Paul wrote:
T wrote:
On 2020-08-14 21:18, VanguardLH wrote:
a text file considered "infectable"?Â* HTML is text.Â* Seems
the false positive was based on a signature rather than heuristics.


It is what the user does with the text file.Â* This is
ESET Tech Support's explanation:

Â*Â*Â*Â* The file 'how_to_back_files.html' is an ransom note
Â*Â*Â*Â* from a very old ransomware virus.Â* ESET detects the
Â*Â*Â*Â* virus as Filecoder.FV and the detection was added
Â*Â*Â*Â* back in 01/12/2017.
Â*Â*Â*Â*Â*Â*Â*Â*Â*Â* https://www.virusradar.com/en/Win32_Filecoder/detail.
Â*Â*Â*Â* Ransom notes were left behind in the form of .txt
Â*Â*Â*Â* or .html files and they only contained payment
Â*Â*Â*Â* instructions such as the ransom amount and the
Â*Â*Â*Â* bitcoin address.

OK, so the usual scenario. Some tool that cleans up
crap, leaves behind "non-virulent materials" to be
tripped over by future scanners. I was having to
help someone zap a few registry entries for the same
reason, pest removed, but its registry entries were
not removed. And that leaves a "smell" which future
scanning tools trip over, and that gets the user
"all bent out of shape" when the alert appears
on the screen.

Â*Â* Paul

Very true.

And if that is not bad enough, anything they don't
understand IS A VIRUS! ("Go change your mouse
batteries.")