Delete virus or store in chest?

jmt356
SilverLounger
Posts: 2392
Joined: 28 Mar 2010, 01:49

Post by jmt356 »

If an antivirus program finds a virus on a computer, would you recommend deleting it or putting it in the “chest” (quarantine)? I would assume deleting it would be safer as some viruses may be clever enough to escape the chest. The antivirus program is Avast Free edition, which says "there is no danger in storing viruses there [in the chest]." Is this trustworthy?
Regards,

JMT

StuartR
Administrator
Posts: 12628
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Delete virus or store in chest?

Post by StuartR »

Generally it is better to delete infected files, rather than quarantine them. You can then restore a clean copy of the file from your backups.

Sometimes anti-virus software will mistakenly identify a clean file as having a virus. When this happens there is usually an update within a day or two that corrects the problem. So it might make sense to store things in the "chest" for a few days before deleting them, just in case they are not really infected.
StuartR


Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Delete virus or store in chest?

Post by Argus »

I would say that generally it is better to quarantine suspicious files, if possible, than delete them; until one knows if there are recent backup copies; if it's indeed a virus etc.

However, sometimes it's pretty obvious that it is something that shouldn't be there, for example odd files on a USB memory that you didn't put there (and no one else in the family, at work, did :grin:).

Since it many times is difficult to clean files, and many times the AV software doesn't offer that as an option, it's far better to restore a clean copy, and I agree with Stuart on this. This may lead to the conclusion that there's no need for a virus vault, quarantine. But there is a difference between how to act on an alert and how to solve something.

If not using the quarantine there will be no samples to send to the AV company (if one would like to do that); there will also be a small risk that it was a false positive, and thus could have been restored later on, and then if you don't have a recent backup, data is lost.

As mentioned, updated definition files might say it's not a virus, but updated AV files could also be more capable in "healing" files, cleaning them, if they do contain a virus. But the praxis seems to be to delete & restore, and that makes sense, it's far easier, and many times the only option.

On the other hand, sometimes the quarantine procedure doesn't work. If the file is too big for the quarantine it will be deleted, either automatically or the user will be asked what to do, depending on the AV settings. Since you mentioned Avast, I had a look the other day at a test installation of their free version; it seems like they have two settings, one for the size of the virus vault, and one for the individual files; I don't know what would be the best settings in that case, it depends on the context.

To answer your question, is this trustworthy, I would say yes. During all the years we have seen AV software with virus vaults I’ve never heard of a case where some malware has escaped "the chest". Not only would it have to escape from the vault, and become viral again, it would have to morph into something else; otherwise it would be detected once again.

I wrote about one, rare, experience of false positives here.
Byelingual    When you speak two languages but start losing vocabulary in both of them.