2

I understand that most antiviruses by default quarantine infected files. I have changed it to remove all infected files immediately. Would this cause more harm than good?

Anders
  • 64,406
  • 24
  • 178
  • 215
Jay
  • 535
  • 5
  • 12
  • 1
    Related: [Can AV software make sure quarantined files never get executed?](https://security.stackexchange.com/q/129097/32746) – WhiteWinterWolf Jul 07 '16 at 20:55

2 Answers2

7

I choose for quarantine because of false positives: the AV software can incorrectly flag a file as maliciuous or unwanted.

If it's quarantined, you can retrieve if from the quarantine and usually tell the AV to ignore the file from then on.
You could not do that if the file has been deleted.

  • I guess in business environments false positives would be common (because of custom software) but for home users would it be better to set it to remove the infected files immediately? – Jay Aug 03 '14 at 04:40
  • @Jay No. You have no advantage removing them immediately. They don't do any harm in quarantine. And you still have the optional disadvantage I described. 'Home user' is too broad a definition. There are e.g. utilities you may want to download that trigger the AV. Not often, but I had them. –  Aug 03 '14 at 14:17
  • So when should you choose the default remove option? According to the help page for MSE (http://windows.microsoft.com/en-us/windows/understanding-alert-levels) it says that threats identified as high or severe should be removed immediately. What alert levels would the utilities trigger? – Jay Aug 04 '14 at 09:25
2

An excellent question, from previous experience a virus rewrote my Windows bootloader and the virus was remove later by my antivirus, consequently leaving the OS unbootable. Quarantining virus/malware is more advisable in my opinion due to if the file needs to be recovered later it can.

The idea of quarantine is like ("trapping a zombie in a jail") e.g. the antivirus will store the virus in it's likely encrypted folder where ONLY the antivirus can read it. To answer your question, yes it could cause more harm removing the files immediately (The virus infections could be root/admin level).

safesploit
  • 1,827
  • 8
  • 18
  • 2
    If the virus rewrote the bootloader, and somehow the system couldn't boot without that virus, wouldn't moving the file with the virus have prevented the system from booting, as well? How do antiviruses deal with this, where lower-level system components rely on (possibly) infected files to function? – trysis Aug 03 '14 at 02:01
  • Did the AV remove the virus from the bootloader or did it remove the bootloader? You also said it rewrote the bootloader so there's nothing that the AV can do to recover it. – Jay Aug 03 '14 at 04:33