How to purge the Shadow Volume Copy after a malware infection

  • Article ID: 114422
  • Rating: 2 customers rated this article 3.0 out of 6
  • Updated: 27 Feb 2013
This guide explains how to clear the Windows Shadow Volume Copies following a malware infection.

Operating systems

  • Windows Server 2003
  • Windows Server 2008

What To Do

Before running through these steps you should clear the virus alert from quarantine in Sophos Endpoint Security and Control.
To clear the Shadow Volume Copies:

  • Windows Server 2003
    1. Click 'Start --> My Computer'
    2. Right-click 'Local Disk (C:)' and select 'Properties'
    3. Select the 'Shadow Copies' tab
    4. Click 'C:\' and then click 'Disable'
    5. Confirm any warning messages
    6. Reboot the server

  • Windows Server 2008/2012
    1. Click 'Start --> My Computer'
    2. Right-click 'Local Disk (C:)' and select 'Configure Shadow Copies'
    3. Accept any Windows UAC prompts
    4. Click 'C:\' and then click 'Disable'
    5. Confirm any warning messages
    6. Reboot the server

Once the system has rebooted, run a full system scan to confirm that the infection has been removed. When the system has been confirmed clean, the disabled shadow copies can be re-enabled.
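The same purge can be done from the command line on a server without walking through the Explorer dialogs, which is useful when several servers are affected. The script below is an added example and is not part of the Sophos article: it enumerates the shadow copies for one volume through the Win32_ShadowCopy WMI class, deletes each one, and then uses vssadmin to confirm that none remain. It assumes an elevated PowerShell prompt on Windows Server 2008 or later; the $Volume parameter name is the example's own. On Windows Server 2003 without PowerShell, `vssadmin delete shadows /for=C: /all` from an elevated command prompt performs the same purge.

```powershell
# Added example (not from the Sophos article): list and purge the VSS shadow
# copies of one volume, then confirm the volume has none left.
# Run from an elevated PowerShell prompt; assumes Win32_ShadowCopy is available.
param(
    [string]$Volume = 'C:\'   # drive whose shadow copies should be purged (assumed parameter)
)

# Win32_ShadowCopy records the volume as a device path (\\?\Volume{GUID}\),
# so resolve the drive letter to that path first.
$driveLetter = $Volume.TrimEnd('\')
$vol = Get-WmiObject Win32_Volume -Filter "DriveLetter = '$driveLetter'"
if (-not $vol) { throw "Volume $Volume was not found on this server" }

# Enumerate only the shadow copies that belong to this volume.
$shadows = @(Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $vol.DeviceID })
Write-Host ("{0} shadow copies found on {1}" -f $shadows.Count, $Volume)

foreach ($s in $shadows) {
    # InstallDate is a DMTF timestamp; convert it for readable output.
    $created = $s.ConvertToDateTime($s.InstallDate)
    Write-Host "Deleting shadow copy $($s.ID) created $created"
    # Delete() removes the WMI instance, which makes VSS discard the snapshot.
    $s.Delete()
}

# Independent confirmation: vssadmin should report no shadow copies for the volume.
vssadmin list shadows /for=$Volume
```

Deleting the snapshots removes every restore point for the volume, so only run this after the quarantine has been cleared and before the full scan described above; re-enable shadow copies once the server is confirmed clean. Because deleting shadow copies is also a common ransomware behaviour, expect endpoint protection or SIEM rules to flag the vssadmin and WMI activity from this script, and have the change ticket ready to explain the alert.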

On occasion the detection exists but Windows shadow copies are not enabled. In that case, check for any non-Microsoft backup utilities (for example 'Backup Exec'). If third-party backup software is in use, contact the software vendor for instructions on purging its restore points.

If no third-party application is in use, you can try enabling shadow copies to create a restore point and then follow the steps above to purge the shadow copy.

If you need more information or guidance, please contact technical support.
