restore files from chest in safe mode

How is it possible to restore quarantined files from the chest while in safe mode?

In the recent false positive episode, I had sent a number of files to the chest, and my computer subsequently just froze on normal start up. I booted into safe mode, thinking that possibly I had quarantined a needed system file. However, in safe mode I was unable to access the chest.

I could see one way would be to open the index file in the chest directory, and from the info there move the correct numbered file from the chest to the proper directory and then rename the file. It seems that this would work, but the numbered file in the chest seems to have a slightly different size.

Or is it possible while in safe mode to load some driver so that the chest is accessible?

BTW, I finally got my system running by reverting to a recent restore point (why this worked I have no idea, but it did!), and then cleaned up everything after getting the newer virus definition file.

What is this needed system file (not all files in the system folders are needed, nor system files) ?

Whilst I have never tried this, you should certainly be able to test it.

avast doesn’t run in safe mode by default, but by double clicking the avast desktop icon/shortcut (ashAvast.exe) that should start any required services before it runs a memory scan, followed by opening the Simple User Interface to enable you to do a scan. You can access the chest from the SUI menu (right click on the skin).

In order to be able to do a scan and potentially send any detections to the chest; for that to be done then the relevant services would have to be running, so perhaps that would allow you to restore the file.

Thanks DavidR for replying.

I checked it again, and when in safe mode, after Avast is running, on my system at least, if I try to open the chest, I get an error message “Virus Chest server is not running”. So I guess my question comes down to: How can the virus chest server be started in safe mode?

Thanks

As I said I have never tried it so I don’t really know, but I’m surprised as the same service I would have thought would be required to send detected files to the chest.

I’m not aware of what service is required to ‘open’ the chest as opposed to send to the chest when in safe mode after a detection.

How did you start avast from safe mode ?

I don’t know what avast services would be running after starting using ashAvast.exe; you could check and see using the run command services.msc. This is the main avast service, ‘avast! iAVS4 Control Service’; see if it is started.

The tip about looking at services.msc was excellent.

First of all, in safe mode I start Avast by running ashAvast.exe.

In safe mode, the full error message I get when trying to start the chest is: “Virus chest server is not running. PRC communication failed.”

I checked and both in regular boot up and safe mode avast services are running. However, I did also check and there appear to be two RPC services: Remote Procedure Call and Remote Procedure Call Locator. The Locator service is manual start, and when I tried to start it in safe mode I got an error message: “Error 1084: This service cannot be started in safe mode”

I don’t know if that’s the reason that I can’t get to the chest in safe mode. It would be interesting to see if a different computer gave the same results, or if this is something due to a misconfiguration on my computer.

In any case, this is a bit academic since I did get everything running. However, it would be interesting to know if, in general, the chest is available in safe mode.

Thanks

I don’t believe that is the problem, the RPC service is required and normally an auto start (even in safe mode I assume), I don’t believe the RPC Locator is required for the chest to work, as even in Normal mode it isn’t started on my system (looking at services.msc right now).

I would have thought that the Chest should be available when avast is started in safe mode, well logic to me would say it should. If files can be sent to the chest as a result of a safe mode scan, logically I would have thought you should be able to access the chest if you wanted to reverse that decision.

Unfortunately I’m just an avast user like yourself, although I have a reasonable knowledge of avast, not so when it comes to the technical inner workings, hopefully one of the Alwil team will pick up on this topic.

I agree, it would be great if someone from Avast would respond. Also, if there’s any user out there that’s interested enough to boot to safe mode and see if their behavior is the same.

I would normally happily try things, but I have avoided safe mode for anything like the plague, I hate the way it stuffs up the desktop, etc.

I understand.

When I had the problem the other day, I avoided safe mode as long as I could because in the past it always was so much work straightening up my desktop. I was surprised, after I got things running and did a regular boot, that my desktop came back just as I had left it! - and it’s repeated that today in the tests I’ve done. That’s never happened before, but this was the first time I’ve gone to safe mode in several years. I have no idea why this behaved like this, or if this is now normal for XP SP3, or I’ve got something on my computer that helped me. But I certainly can’t suggest that if you booted to safe mode it won’t totally screw up your desktop!

I’ve gone into safe mode enough times to know that all AV components don’t always work in safe mode. I’m not referring specifically to Avast, but for any AV in safe mode with XP. Maybe this is why you are getting the error messages. Perhaps trying it in safe mode/debug mode might work, but maybe someone from the Avast tech. team can better answer your question?

No, I’m afraid Chest is not available in safe mode, because avast! service isn’t running.

Is it not possible to start whatever service is required manually ?

Or is this a windows safe mode limitation and avast can’t start that service even if it wanted to allow access to the chest ?

It seems strange to me that scans can be done and infected files can be sent to the chest, yet you can’t access the chest.

Which leads me on to Tech’s old chestnut of how do you get something out of the chest if something that you send there means you can’t boot into normal mode and here you are, you can’t access the chest to reverse the process ???

Ah, my original question. Hopefully, igor from Avast will chime back in here in regard to the work around I suggested in my first post: Open the index.xml file in the chest manually, and using the information there find the numbered file in the chest that you want to restore, and where it should be restored, and then manually move it and rename it.

I think you would have a problem in that regard as the files in the chest are encrypted.

I had noticed that the files in the chest (with the numerical name) seem to always be a bit different size than the original file, and I wondered if that could just be due to the name change. But I just did a test and it seems that renaming a file doesn’t in fact change its size (I guess the name information is stored outside of the file itself - I had never thought about this before).

So that seems to leave the only work around is to identify the file you want to restore from the index file, and then find the file either on the internet or in an installation disk or cab file.

Hopefully none of us will ever need to try this!

The idea of the protected storage area of the chest is that from the outside of the chest, you can’t see the original file name, so couldn’t possibly run it, with the back-up of encryption even if they did manage to figure out what file was what.

That makes sense. Oh well, it’s been an interesting discussion. Thanks.

I do wonder if avast could make the chest available in safe mode in a future update, or if there’s some inherent limitation that excludes this. igor??

Thanks David.
A boot CD with the needed executables to decrypt the files is needed then (or make the Chest decrypt independent of the avast service, like a standalone crypt/decrypt). BART CD is not an option (due to price).

Thought you might appreciate that :wink: