Resolve malware detection on Volume Shadow Copy
Last Modified: 2023-12-04 10:50:51 Etc/GMT
Technical Articles ID: KB96427

Environment
Endpoint Security (ENS) Threat Prevention 10.x
VirusScan Enterprise 8.8

Summary
This article describes how to tackle issues around malware detection on system file "Volume Shadow Copy."
Cause
Threats found on Volume Shadow Copy.

Solution
What is a Volume Shadow Copy?
Volume Shadow Copy Service (VSS) is a Windows component that creates and maintains point-in-time snapshots, or shadow copies, of hard-disk volumes. System Restore uses these shadow copies to revert the system to the last working state after a system failure or crash.

Volume Shadow Copies are read-only, and there's no way to delete individual files from them. As per Microsoft, when you turn on shadow copies on a volume, it's for the whole volume: every file, including virus-infected files, is included in the shadow copy. Because shadow copies are read-only, you can't delete files from them; you can delete only the whole shadow copy.

You can't exclude the shadow copy location from an Anti-Virus real-time scan setting because it's not an actual file location.

Because the detection was triggered on a Volume Shadow Copy, which isn't generally accessible, run a full On-demand Scan to ensure that all components of the threat have been found and removed.

Follow the instructions below to purge the Volume Shadow Copies that may have contained malware at a given point in time. Trellix ENS may detect such files repeatedly and, because of limited permissions, often can't remove or clean them.

Clear Volume Shadow Copies on
NOTE: If the More Options tab doesn't appear, click the Clean up System Files button (applies for Windows 10).
Windows 7:
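The article's remediation is to purge the shadow copies and then run a full On-demand Scan. The following PowerShell is an added example, not part of the Trellix KB or any Trellix tool: it inventories the shadow copies on the host (so an administrator can see which snapshots predate the detection and which device path the scanner's detection refers to) and removes them with confirmation. It assumes an elevated session and the standard Win32_ShadowCopy and Win32_Volume CIM classes; the function names are this example's own.

```powershell
# Added example (not from the Trellix KB): inventory Volume Shadow Copies and,
# with confirmation, remove them as the article directs. Run elevated.
# Assumes the Win32_ShadowCopy / Win32_Volume CIM classes shipped with Windows.

function Get-ShadowCopyInventory {
    [CmdletBinding()]
    param()

    # Map volume GUID paths (\\?\Volume{...}\) to drive letters for readability
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        if ($_.DeviceID) { $volumes[$_.DeviceID] = $_.DriveLetter }
    }

    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id           = $_.ID
            Created      = $_.InstallDate          # snapshot time: compare with the detection time
            Drive        = $volumes[$_.VolumeName]
            VolumeName   = $_.VolumeName
            DeviceObject = $_.DeviceObject         # device path of the snapshot that scan results refer to
        }
    } | Sort-Object Created
}

function Remove-ShadowCopies {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Only remove snapshots created on or before this time (default: all of them)
        [datetime]$CreatedOnOrBefore = [datetime]::MaxValue,
        # Restrict to one drive letter, for example 'C:'
        [string]$Drive
    )

    $targets = @(Get-ShadowCopyInventory | Where-Object {
        $_.Created -le $CreatedOnOrBefore -and (-not $Drive -or $_.Drive -eq $Drive)
    })

    foreach ($t in $targets) {
        $desc = "$($t.Drive) shadow copy $($t.Id) created $($t.Created)"
        # -WhatIf previews; without it the High ConfirmImpact prompts before each deletion
        if ($PSCmdlet.ShouldProcess($desc, 'Delete')) {
            Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID='$($t.Id)'" | Remove-CimInstance
        }
    }
    return $targets.Count
}

# Usage:
#   Get-ShadowCopyInventory | Format-Table -AutoSize
#   Remove-ShadowCopies -Drive 'C:' -WhatIf      # preview only
#   Remove-ShadowCopies -Drive 'C:'              # prompts for each snapshot
```

Record the inventory output before deleting anything: the Created timestamps show which snapshot first captured the infected file, which is useful when reconstructing when the threat arrived. After the snapshots are gone, run the full On-demand Scan the article calls for so that any live copy of the threat outside the shadow copies is also found.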