Files Being Deleted With No Way To Recover Them

I'm a new Bitdefender user and am using a trial version of Bitdefender Internet Security 2014 until I can understand and configure it completely. I have 3 concerns at the moment (numbered below), and would like help with them.


I am concerned about which "actions" options are available & not available, and what actually happens, when an infected file is detected.


1. Quarantine is not an option for infected files during a "System Scan", "Quick Scan", or "Custom task".


During the same "System Scan", Bitdefender automatically deleted one file, and asked what to do with two more.


a. The file that was deleted was not in quarantine or the Recycle Bin, thus generally not recoverable. This is bad. I would want some way to recover the file if needed! That is exactly what the quarantine is for, but it wasn't used!


b. Quarantine was not given in the actions of what to do with the other two files.


2. Quarantine is an option for on-access scanning, which I set. I created an Eicar test file, and also zipped that file into a zip file. What happened during on-access scanning doesn't make sense. It properly quarantined the Eicar test file, but blocked access for the zip file instead of quarantining it. Why?


3. That brings up another concern. How do I unblock such a file that Bitdefender has blocked? That option is not given anywhere that I can find. Just like with the irrecoverably deleted file in 1a above, such a file could be important and need to be unblocked.

Comments

  • I'm a new Bitdefender user and am using a trial version of Bitdefender Internet Security 2014 until I can understand and configure it completely. I have 3 concerns at the moment (numbered below), and would like help with them.


    I am concerned about which "actions" options are available & not available, and what actually happens, when an infected file is detected.


    1. Quarantine is not an option for infected files during a "System Scan", "Quick Scan", or "Custom task".


    During the same "System Scan", Bitdefender automatically deleted one file, and asked what to do with two more.


    a. The file that was deleted was not in quarantine or the Recycle Bin, thus generally not recoverable. This is bad. I would want some way to recover the file if needed! That is exactly what the quarantine is for, but it wasn't used!


    b. Quarantine was not given in the actions of what to do with the other two files.


    2. Quarantine is an option for on-access scanning, which I set. I created an Eicar test file, and also zipped that file into a zip file. What happened during on-access scanning doesn't make sense. It properly quarantined the Eicar test file, but blocked access for the zip file instead of quarantining it. Why?


    3. That brings up another concern. How do I unblock such a file that Bitdefender has blocked? That option is not given anywhere that I can find. Just like with the irrecoverably deleted file in 1a above, such a file could be important and need to be unblocked.


    This is only my opinion based upon my understanding of how BDIS works with regard to scanning, malware detection and processing. Someone else should be along later that can address your concerns and correct any misunderstanding I have written below.


    I highly recommend you read the BDIS 2014 User Guide. It should address your concerns. Bitdefender will automatically delete or quarantine files during scanning depending on the characteristics of the file, where it was located, e.g. in an archive, and whether the file was detected as malware via virus signature or heuristics. While there is a chance that BD will auto delete a FP, the chances of that happening are very very small and would most likely only happen if the file was very old, rarely used by anyone and was in an archive. Again I strongly suggest you read or reread the User Guide. Questions not clarified there can of course be re-asked here.

  • Well, I spent more time testing and looking closer at the program. I also re-read the manual for the third time. I understand more now.


    Overall, Bitdefender appears to me to be confusing. It is also inconsistent or faulty in its functioning.


    It appears that "Take proper actions" is the default action for on-demand scans. Whether it deletes or quarantines a file seems to be unfathomable, though. My Eicar test file and a zip file containing it were deleted. A .7z (another type of archive file) containing the Eicar test file was quarantined. This is both confusing and inconsistent.


    I discovered that the deleted files are recoverable, but you have to search the virus scan event logs for them. Every deleted or quarantined file event is listed separately from the event for the particular scan that was run. I don't understand why some files are deleted and some are quarantined. It would be easier if they were only quarantined, not deleted. Then it would be easier to find and recover those files.


    The lack of choice to quarantine files after an on-demand scan is not given because it is supposed to be part of "take proper actions". Why, at this point, "take proper actions" is given as an option here, when it was supposedly done in the first place, is beyond me. It's confusing.


    On-access scanning again blocked my zip file that contains the Eicar test file. I have no idea why it blocked the zip file when my options for on-access scanning are set to "Move files to quarantine". In the event log it says the file was blocked, but there is no option to unblock or recover it. That is bad.


    A later system scan by Bitdefender unblocked the zip file, and emptied it of the Eicar test file. Which is strange. First that it unblocked the file, and also the fact that it left an empty zip file when the user manual says it shouldn't.


    ..


    It would be easier if:


    A. Bitdefender just quarantined files, not delete them. That way it would be easier to track down those files from the event log or quarantine, and recover them if needed.


    B. Recovering quarantined (or deleted), files could be done from a window that shows the results of the scan performed that quarantined or deleted the files.


    C. Creating a scan exclusion could be a choice at the time a file is recovered from quarantine (or recovered from deleting).


    D. Allow use of the keyboard to select & scroll through event log events (ie. Arrow Up, Arrow Down, Page Up, Page Down, Home, End).


    E. All Bitdefender windows could be maximized. This would be especially useful for event log windows, because they currently only show four events without scrolling.


    ..


    Another confusion has come up. Two "system scans", two days apart, produced two different results on the same files that were present both times. Since the settings of the "system scan" are not configurable, this doesn't make sense.


    The second "system scan" found many viruses in an archive file that contained old e-mails. The first "system scan" did not. The archive file and its contents were many years old, so it is extremely unlikely that the virus definitions changed for those old viruses in between those two scans.

  • I forgot to mention that I'm seeing these issues on Windows 7, 64 bit. I'm also testing on Windows 8, 32 bit, but not as much.

  • error-id10t
    edited April 2014

    Yeap, agree and I've posted the same thing previously.


    For me it's only been 2 specific programs and though my option was to quarantine them, this didn't happen - instead they got deleted, there were no events to show this nor could I find them anywhere. I only knew because the pop-up told me that's what happened.


    After they get deleted, if you try and download the same program to the exact same place - the file will be missing and/or you cannot launch it. Somehow BD is "protecting" (read: stopping) that. However, download it to another place and now it works (of course, BD will do the same thing again and delete the file).

  • In order to make things simpler, I'm going to abandon this topic/thread, and will create separate topics for the separate issues I have.

  • I assume that what happens with the Eicar test file will happen with other detections. So I created archive files of different types using 7-Zip, each containing only "Test.txt", which contained the Eicar text.


    Using both System Scan, and Contextual Scan: Take Proper Actions.


    ZIP file and TAR files are deleted, with no events in the event log. Thus the files are not recoverable.


    The inability to recover said files is unacceptable. In the case of a false positive, it would be disastrous.


    Am I wrong and these files really are recoverable? Why is this happening?


    --> Bitdefender Internet Security 2014, Windows 7, 64 bit.

  • Why does Bitdefender delete some files and quarantine others?


    From a user standpoint, it would be easier if files were only quarantined. That way it would be easier to recover files, because they would ALL appear in Quarantine.


    From a developer standpoint, it appears that not all quarantined files are sent to Bitdefender for evaluation, so there is no reason why all detections shouldn't be quarantined.


    Does the company plan to change this?


    --> Bitdefender Internet Security 2014, Windows 7, 64 bit.

  • It has been a week since I posted this, and no response from the company. This issue and the others I brought up are unacceptable.


    I am now giving up on Bitdefender and am moving on in my search for a security suite for myself, my family members, and my clients.

  • Why does Bitdefender delete some files and quarantine others?


    From a user standpoint, it would be easier if files were only quarantined. That way it would be easier to recover files, because they would ALL appear in Quarantine.


    From a developer standpoint, it appears that not all quarantined files are sent to Bitdefender for evaluation, so there is no reason why all detections shouldn't be quarantined.


    Does the company plan to change this?


    --> Bitdefender Internet Security 2014, Windows 7, 64 bit.


    I was reading the user guide earlier and it seems that the default setting = "take proper action" is:


    Infected Files = disinfection. If file cannot be disinfected it will be quarantined or if BD says it's entirely malicious = delete.


    Suspicious files = move to quarantine. Send to BD Labs for analysis.


    Archives containing infected files


    - archive with only infected files = delete automatically


    - archive with clean and infected files = disinfect / reconstruct (you will be informed that no action can be taken so as to avoid losing clean files)


    Mine is set to quarantine so I know what is detected so I can check via Malwarebytes or VirusTotal.




    So if left in default, BD will take the proper action which is stated above just as the OP was stating "delete some files and quarantine others".


    Some excerpts from Bitdefender Internet Security User's Guide / Publication date 08/12/2013



    Antivirus protection_page 69


    When it detects a virus or other malware, Bitdefender will automatically attempt to remove the malware code from the infected file and reconstruct the original file. This operation is referred to as disinfection. Files that cannot be disinfected are moved to quarantine in order to contain the infection. For more information, please refer to “Managing quarantined files” (p. 86).....


    Antivirus protection_page 73-74


    The following actions can be taken by the real time protection in Bitdefender:


    Take proper actions


    Bitdefender will take the recommended actions depending on the type of detected file:


    Infected files. Files detected as infected match a malware signature in the Bitdefender Malware Signature Database. Bitdefender will automatically attempt to remove the malware code from the infected file and reconstruct the original file. This operation is referred to as disinfection.


    Files that cannot be disinfected are moved to quarantine in order to contain the infection. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. For more information, please refer to “Managing quarantined files” (p. 86).


    Important


    For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.


    Suspicious files. Files are detected as suspicious by the heuristic analysis. Suspicious files cannot be disinfected, because no disinfection routine is available. They will be moved to quarantine to prevent a potential infection. By default, quarantined files are automatically sent to Bitdefender Labs in order to be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware.


    Archives containing infected files.


    ▶ Archives that contain only infected files are deleted automatically.


    ▶ If an archive contains both infected and clean files, Bitdefender will attempt to delete the infected files provided it can reconstruct the archive with the clean files. If archive reconstruction is not possible, you will be informed that no action can be taken so as to avoid losing clean files.


    Move files to quarantine


    Moves detected files to quarantine. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. For more information, please refer to “Managing quarantined files” (p. 86).


    Deny access


    In case an infected file is detected, the access to this will be denied.
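
The archive rules quoted from the user guide above, modelled for ZIP files as an added example (this is not Bitdefender's code and not from any poster in the thread). `MARKER`, `is_infected` and the action names are assumptions made for illustration; the detector is a constructed stand-in, not a real signature engine.

```python
import io
import zipfile

# Constructed stand-in for a signature match (assumption); a real scanner's
# detection engine is not modelled here.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"

def is_infected(data: bytes) -> bool:
    return MARKER in data

def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def proper_action_for_archive(blob: bytes):
    """Return (action, rebuilt_archive_or_None) following the quoted rules."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = {i.filename: zf.read(i)
                       for i in zf.infolist() if not i.is_dir()}
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, encrypted or unsupported archive: it cannot be rebuilt,
        # so nothing is touched and the user is informed.
        return "no-action-inform-user", None

    infected = [n for n, d in members.items() if is_infected(d)]
    if not infected:
        return "clean", None
    if len(infected) == len(members):
        # "Archives that contain only infected files are deleted automatically."
        return "delete-archive", None
    # Mixed archive: drop the infected members, keep the clean ones.
    clean = {n: d for n, d in members.items() if n not in infected}
    return "reconstruct", make_zip(clean)

if __name__ == "__main__":
    # Constructed sample inputs mirroring the thread's single-file test archive.
    only = make_zip({"Test.txt": MARKER})
    mixed = make_zip({"Test.txt": MARKER, "notes.txt": b"keep me"})
    print(proper_action_for_archive(only)[0])
    print(proper_action_for_archive(mixed)[0])
```

Under these rules an archive whose only member is detected receives the delete action, while an archive that also holds a clean file is rebuilt without the detected member.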