Hi frozen.bit and welcome to the forum

Quote:
Originally Posted by frozen.bit
So, I advise you not to use Rollback without any Antivirus.
When you use Kaspersky or other adequate antivirus, every time you execute safesys file, they will stop and prevent your computer from damage caused by that virus....
I'm not sure that the OP was suggesting running without AV protection. At least, I didn't interpret it that way. I think they just wanted to know if RB would protect them from the SafeSys virus should their AV fail to. I certainly wouldn't think about running without NOD32 unless I was testing something....like SafeSys

The interesting thing to me was how our results differed and so I thought I'd repeat the test to see if I'd missed something.
I wiped a hard drive and installed a fresh copy of Windows 7 onto it. Apart from a few drivers, the only software I installed was NOD32, Anti-MalwareBytes, WinRar and RollBack v9.1. I took a snapshot before unpacking SafeSys and then disabled NOD32. I ran the executables in the SafeSys package and then scanned with Anti-MalwareBytes. The scan came up with 132 infections which were mostly in the registry. I didn't clean any of the infections and so I then restored using RollBack to the previous snapshot I'd taken.
On rebooting, NOD32 picked up and quarantined an infected autorun.inf file which was on my D: drive. My D: drive wasn't protected by RB and so hadn't been restored. I did another scan of the C: drive with Anti-MalwareBytes and it didn't find any infections. I then did a further scan of all partitions with NOD32 and it picked up another instance of SafeSys.exe on the unprotected D: drive.
So, whilst I still wouldn't recommend RB to replace antivirus software, it does seem to have been able to clean up after SafeSys which does look as though it was targeted at software which stored its changes in memory. I just don't understand why your experience was different unless I'm missing something here. Always possible

Did you have all partitions protected by RB and how many physical drives do you have installed?
Graham