
infected archived file item

Updated: 11 Feb 2012 | 5 comments
pkramerf
This issue has been solved. See solution.

It could be possible that files are archived while they are infected with a virus. Not very probable, but in case of a very aggressive archive strategy and a bad AV policy, it could be possible.

After having updated my AV, archived items won't be scanned, while normally (more like hopefully) your AV honours the O attribute of the placeholder.

Now if I retrieve this item, it will be scanned and probably the viral code removed. So it will be another item I suppose, while it is changed. If I close the item, the original archived one (with virus) will still be there and not deleted. I will have two versions then. Is this correct? And what will be the best procedure in case of several archived files infected?

gtnx

paul

Comments

RahulG, 10 Feb 2012

I guess you are talking about the antivirus scanning your placeholder. Placeholder is the shortcut to the archived file. In case the placeholder gets corrupt you can re-create the placeholder using FSAUtility.

If the file is corrupt the archiving task would fail to archive the file.

Following are the documents for your reference:

http://www.symantec.com/business/support/index?page=content&id=TECH51039

http://www.symantec.com/business/support/index?page=content&id=TECH61296

If this response answers your concern, please mark it as a "solution"

pkramerf, 11 Feb 2012

No, I'm talking about that the file with virus inside is archived. Because at that moment the virus was not detected for whatever reason. But when you retrieve the file afterwards, the AV scanner (on access) will scan and maybe now (updates) it will detect the virus. But then??

RahulG, 11 Feb 2012

As I mentioned, if the file is archiving task might fail to archive the file which is infected with virus. If EV archives the infected file, when you retrieve it, it would not repair it though. It would just restore the file as it was before. EV does not modify the file, being a compliance software.

If this response answers your concern, please mark it as a "solution"

JesusWept2, 11 Feb 2012

Pkramerf,
I get what you're asking, so basically every time you recall that file the AV will have to try and repair it, as the physical DVS files will contain the original item, thus including the virus. To be honest there's not a tremendous amount you can do except set your AV policies to notify you; then when it comes up you can delete the original via Archive Explorer or search.asp, thus no longer having the infected item.

Then you can either rearchive a non-infected version or you can forget it existed.
So yes, recalling the item may clean the recalled version via the AV, but the source DVS will be unclean, and when the recalled file is turned back to a shortcut and they recall the item again, AV will have to clean it.

pkramerf, 11 Feb 2012

I was afraid of that already. While my AV cleans the file, the fingerprint will be different, so EV will see it as a new version. Similar as if you retrieve and edit a file. So I will have a clean and an infected version archived.
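
The thread's conclusion is that each recall restores the infected original from the archive, so one way to find affected items is to look for files the on-access scanner has to clean again after it already cleaned them. The following is an added example, not part of the thread and not Symantec tooling; the CSV layout, paths and threat names are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample of an AV on-access export. Hypothetical layout:
# time,path,threat,action. Not output from any real product.
SAMPLE_LOG = r"""
2012-02-06T09:02:11,D:\share\reports\q4.doc,W97M.Sample,cleaned
2012-02-06T09:40:03,D:\share\tools\setup.exe,Trojan.Sample,quarantined
2012-02-08T14:17:52,d:\share\reports\Q4.doc,W97M.Sample,cleaned
2012-02-09T08:30:00,D:\share\hr\form.xls,X97M.Sample,cleaned
2012-02-11T10:05:29,D:\share\reports\q4.doc,W97M.Sample,cleaned
"""


def recurring_detections(log_text):
    """Return {(path, threat): [timestamps]} for files that were detected
    again after an earlier successful clean of the same threat."""
    events = defaultdict(list)
    rows = csv.reader(line for line in log_text.splitlines() if line.strip())
    for ts, path, threat, action in rows:
        # Windows paths are case-insensitive, so normalise before grouping.
        key = (path.lower(), threat)
        events[key].append((datetime.fromisoformat(ts), action))

    flagged = {}
    for key, hits in events.items():
        hits.sort()
        cleaned_before = False
        repeats = []
        for when, action in hits:
            if cleaned_before:
                # The cleaned copy was replaced by an infected one again,
                # which is what a recall of the archived original does.
                repeats.append(when)
            if action == "cleaned":
                cleaned_before = True
        if repeats:
            flagged[key] = repeats
    return flagged


if __name__ == "__main__":
    for (path, threat), times in recurring_detections(SAMPLE_LOG).items():
        print(f"{path}: {threat} returned {len(times)}x after cleaning; "
              "check the archived original")
```

Paths flagged this way are candidates for deleting the archived original and re-archiving a clean copy, as described in the replies above.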