Antivirus deleting files

  • Question

  • I was here on the beta of OneCare, and quit using it when it had deleted my entire Outlook data file--without cleaning, without confirmation, without recovery options--because of a Trojan in one of the e-mails amongst 20,000 others. Two long years later I return to see that OneCare still arbitrarily deletes files without confirmation or quarantine options (or just "leave the file alone" options!).

    To say the least, I am flabbergasted. I don't want to believe this, so despite my frustration, anger, and confidence that this is the case, I will consult the forums. Please forgive me if I troll a little.

    Tune-up ran automatically last night after I installed OneCare yesterday, and I read in the report that 1 infection was found, which was active but locked. To see even the most basic details of this active threat, I had to generate a support log from deep within the options menu. The log generated was off from what the tune-up reported. So I figured maybe virus scan did a separate run of its own (though I am sure this is not the case). I still cannot figure out how to reconcile the difference.

    The support log tells me it REMOVED 4 files, not one, all of which I am sure are clean since they belong to Rosetta Stone. The files are not in the Recycle Bin, in Quarantine, my opinion was not asked. They are GONE. You know what? So is my Rosetta Stone, which is back home.

    Am I blind? Am I missing something?

    1- Is there really no option to tell OneCare to ask for my opinion? To automatically quarantine before deleting, at least?
    2- Is there really no way to know details of a scan without generating a support log?
    3- Is it really possible that support log is not consistent with the scan reports themselves, and is there no way to see individual details of scans that are informative and consistent with logs?
    4- Did I really pay $50 to Microsoft so that it can effectively block my access to a program worth $500?

    If the answers to all the questions above are YES, I am uninstalling OneCare right away, and steering way waaaaaay off from auxiliary Microsoft products for many more years to come. This level of incompetence is stunning. I am sure there is an MS-speak way of justifying the stupefying level of idiocy in the software's design like "debilitation of 2nd degree user choices for a smoother operating environment" or "self-reciprocating user-friendliness through assisted limitation of use on the user-side". Sadly for the technical overpaid dumb-downers who feel very smart in the process, it does not work.

    Maybe instead of venting, I should just buy a Mac, which I thought was the sugar-coated eye-candy dumbed-down platform that did not let the user make informed, detailed decisions. At least it's pretty!
    Thursday, October 2, 2008 8:35 AM

Answers

  • I would be surprised if the files were completely deleted, but since you experienced the mail issues a few years back, you know that I would still believe it. You can exclude files or folders from being scanned, which is what I'd do if I knew that the file was not infected. And then I'd report this to Microsoft: 

    http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2

    And, yes, you are correct that there is no configuration for what we want the scanner to do when a threat is found. That's coded into the solution per threat. I imagine that it will quarantine when it can, but in some cases, only deletion is possible.

    I'm going to ask someone from the antimalware team for their opinion and comment on this.

    -steve


    Thursday, October 2, 2008 1:54 PM
    Moderator

All replies

  • Thank you Steve for seeing through my anger and giving a helpful reply.

    I am pretty sure the files are removed (the log says "Threat Status" is "Removed", and I search the Rosetta Stone directory for the file names in the log and they don't turn up. I cross check with existing file names, and they come up in the search. Since they are nonsensical names like 82fe59623926d35a697c663d90e863e86c93b42b, I cannot be sure what they do.) This is why I cannot submit them to Microsoft.

    Since I don't know where a false positive will pop-up, I cannot disable scanning only after the damage is done. If I had the DVDs of Rosetta Stone with me, I would re-install, re-scan, and disable the folders if the problem persisted. I might do that in a couple of months.

    To top it, there is always the lingering possibility that updated databases will re-introduce random deletions. OneCare MUST find a way to effectively deal with this.

    I have two questions:

    1- Would it help if I disabled "Also look for virus-like behavior" and "Take automatic actions against software rated Moderate also"? I mean, obviously it would cause the potential deletion rate to drop, but do you think it would impair the tightness of security too much to be useful?

    2- (I think the comments from the antimalware team will answer this) Do you know when only a deletion is possible? Since Rosetta Stone files are nowhere near being system files, I cannot see why Quarantine is not an option. Is it related to the severity of the perceived threat (These were categorized as "Severe" "Exploit"s)?

    Thanks again for your help. Looking forward to your reply.
    Thursday, October 2, 2008 4:42 PM
  • Hey Samael Lightbringer

    Is it possible to send the log file? You can find the log file at the location below:

    Vista

    c:\ProgramData\Microsoft\OneCare Protection\Support\MPLOG* (some file which starts with MPLOG)

    XP

    c:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLOG* (some file which starts with MPLOG) (This is if you have win xp)

    Note: These are hidden, so you have to make sure that you enable "show hidden files and folders".

    Let me know if you face any problem in the above steps.

    You can email me the logs at

    montyj@microsoft.com

    Thanks

    Thursday, October 2, 2008 5:13 PM
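The reply above points at the MPLOG* support logs and warns that they are hidden. The PowerShell below is an added example, not code from the thread or from Microsoft: it looks in both the Vista and XP support directories named in the reply, lists the MPLOG* files with `-Force` so hidden files are not silently skipped, and pulls out the "Threat Status" lines the original poster quoted from the log. The two directory paths are the ones given in the reply; that the log contains a literal "Threat Status" string is taken from the poster's description, so its exact layout in the file is an assumption.

```powershell
# Added example (not part of the original thread). Locate the hidden OneCare
# MPLOG* support logs on a Vista or XP layout and show the lines that record
# what the scanner did with each detection.

# Paths as given in the reply above (Vista first, then XP).
$candidateDirs = @(
    'C:\ProgramData\Microsoft\OneCare Protection\Support',
    'C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support'
)

$logs = foreach ($dir in $candidateDirs) {
    if (Test-Path -LiteralPath $dir) {
        # -Force is what makes hidden files appear; without it the listing
        # would be empty and look as if no logs existed.
        Get-ChildItem -LiteralPath $dir -Filter 'MPLOG*' -Force -File
    }
}

if (-not $logs) {
    Write-Warning 'No MPLOG* files found in either support directory.'
    return
}

foreach ($log in $logs) {
    Write-Host ('{0}  ({1:N0} bytes, modified {2})' -f $log.FullName, $log.Length, $log.LastWriteTime)

    # The poster reported entries of the form "Threat Status" ... "Removed".
    # Assumption: the string appears literally in the log; -SimpleMatch treats
    # the pattern as plain text rather than a regular expression.
    Select-String -LiteralPath $log.FullName -Pattern 'Threat Status' -SimpleMatch |
        ForEach-Object { '    line {0}: {1}' -f $_.LineNumber, $_.Line.Trim() }
}

# Optional: bundle the logs into one archive before e-mailing them to support.
# Compress-Archive -LiteralPath $logs.FullName -DestinationPath "$env:USERPROFILE\Desktop\OneCare-MPLOG.zip"
```

Run it from an elevated PowerShell prompt on the affected machine; on XP-era PowerShell versions `-File` and `Compress-Archive` are unavailable, so drop `-File` and zip the files by hand there.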
  • Samael Lightbringer,

    Please provide some information so we can investigate this issue:

    a. OneCare Support data. Steps below:

       i. Open Windows Explorer and locate the following folder if Windows is installed on the C drive:
          C:\Program Files\Microsoft Windows OneCare Live\

       ii. Double click the file named OneCareSupport or OneCareSupport.exe, in XP. (Right click and "Run as Administrator" in case of VISTA.) It will begin to collect the information.

       iii. When it finishes collecting the information, note the path shown and name of the information file. (Generally, it is C:\OneCareSupportData.zip)

       iv. Send the OneCareSupportData.zip

       v. Please send the zip file to oc-forums@live.com

    Include the post link so that we can verify who you are and what your issues are.

    Please also include the version of Rosetta Stone you are using, as well as the language of the software.

    Thank you,

    Lori MS

    Thursday, October 2, 2008 6:06 PM
  • Thanks Monty Jain and Lori, I have sent each of you the information you have requested. Please tell me if you don't receive the e-mail.
    Thursday, October 2, 2008 7:40 PM
  • I'm not sure what other communication has taken place, but I received word that the details of the log files revealed that the removed threat was a Flash vulnerability - SWF/CVE-2007-0071!exploit. I'm not sure how that relates to the missing files, though.

    -steve

    Monday, October 6, 2008 9:50 PM
    Moderator