I received a couple of questions from a reader about cleaning files. I thought the topic might be of interest to more than the reader, so I decided to post and answer the questions here, as well as providing a bit more information. The first question is: When an AV cleans an infected file, why
I received a couple of questions from a reader about cleaning files. I thought the topic might be of interest to more than the reader, so I decided to post and answer the questions here, as well as providing a bit more information.
The first question is:
When an AV cleans an infected file, why that file will be corrupted in most cases?
I’m not sure if in most cases the file will be corrupted, but it can definitely happen and to some extent it depends upon what you call corruption. There are a variety of different types of viruses and methods used to infect files. Depending upon the changes made to the file it may or may not be reasonable to restore the file to the exact state it was in prior to infection. In fact, in the case of macro viruses a document could be infected as it was being created. If by corrupted you mean the file no longer functions as intended, then that doesn’t really happen all that often. In some cases a virus may overwrite enough of the file that it simply cannot be cleaned or restored to its previous state. If a virus is identified, but it is not exactly the same variant as the scanner knows, then disinfection may result in corruption. If the virus is detected by a heuristic, such as a generic signature, then corruption could occur on disinfection.
If by corruption you mean that there is data in the file that wasn’t there before the infection, then that is more common. The point of cleaning the file is to make it functional. If there is residue left that doesn’t affect the functionality of the file it might not be worth the effort to write complete disinfection. The Laroux macro virus always seemed to have residue left behind after disinfection. The only way you would find it is if you looked at the .XLS with a hex editor though.
It is a best practice to restore an infected file from a clean back up whenever possible. You can be assured that the file is not corrupted. As a software publisher it is really bad form to send out files that have virus residue in them. It announces that your work environment is not secure.
The second question asks why some anti-virus products have success in cleaning files and others end up corrupting the files?
I am not certain of the answer, as in I haven’t tested, etc., but I would bet the reason has to do with exact identification. If a product is able to exactly identify the virus then they know exactly how to disinfect the file if it is possible. If the scanner gets the identification wrong, it may detect a virus, but the cleaning routines are not correct for that specific virus. This can result in parts of a file being changed that should not be changed.
Once again, if you replace files with known clean backups, you avoid this problem.
If you have any general security questions feel free to email me at firstname.lastname@example.org. I do not provide product support however.
Director of Technical Education