Avast Restore File From Vault

Posted on

Hi, all my files stored in my usb have been infected and avg moved them to virus vault. When I try to restore them they appear as an link back in m. The photos do not get deleted even if the Avast Mobile Security is uninstalled and you may restore the photos from inside the app (Photo Vault - '+' button - Restore previous vault) Photo Vault requires 'Storage' permission; Photo Vault.


Azure Backup provides the capability to restore Azure virtual machines (VMs) and disks from Azure VM backups, also known as recovery points. This article explains how to recover files and folders from an Azure VM backup. Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and protected to a Recovery Services vault.


This feature is available for Azure VMs deployed using the Resource Manager model and protected to a Recovery Services vault.File recovery from an encrypted VM backup isn't supported.

Step 1: Generate and download script to browse and recover files

To restore files or folders from the recovery point, go to the virtual machine and perform the following steps:

  1. Sign in to the Azure portal and in the left pane, select Virtual machines. From the list of virtual machines, select the virtual machine to open that virtual machine's dashboard.

  2. In the virtual machine's menu, select Backup to open the Backup dashboard.

  3. In the Backup dashboard menu, select File Recovery.

    The File Recovery menu opens.

  4. From the Select recovery point drop-down menu, select the recovery point that holds the files you want. By default, the latest recovery point is already selected.

  5. Select Download Executable (for Windows Azure VMs) or Download Script (for Linux Azure VMs, a python script is generated) to download the software used to copy files from the recovery point.

    Azure downloads the executable or script to the local computer.

    To run the executable or script as an administrator, it's suggested you save the downloaded file to your computer.

  6. The executable or script is password protected and requires a password. In the File Recovery menu, select the copy button to load the password into memory.

Step 2: Ensure the machine meets the requirements before executing the script

After the script is successfully downloaded, make sure you have the right machine to execute this script. The VM where you are planning to execute the script, should not have any of the following unsupported configurations. If it does, then choose an alternate machine preferably from the same region that meets the requirements.

Dynamic disks

You can't run the executable script on the VM with any of the following characteristics:

  • Volumes that span multiple disks (spanned and striped volumes).
  • Fault-tolerant volumes (mirrored and RAID-5 volumes) on dynamic disks.

Windows Storage Spaces

You cannot run the downloaded executable on the VM that is configured for Windows Storage Spaces.

Download free wrinkle free patch treatments software

Virtual machine backups having large disks

If the backed-up machine has large number of disks (>16) or large disks (> 4 TB each) it's not recommended to execute the script on the same machine for restore, since it will have a significant impact on the VM. Instead it's recommended to have a separate VM only for file recovery (Azure VM D2v3 VMs) and then shut it down when not required.

Step 3: OS requirements to successfully run the script

The VM on which you want to run the downloaded script must meet the following requirements.

For Windows OS

The following table shows the compatibility between server and computer operating systems. When recovering files, you can't restore files to a previous or future operating system version. For example, you can't restore a file from a Windows Server 2016 VM to Windows Server 2012 or a Windows 8 computer. You can restore files from a VM to the same server operating system, or to the compatible client operating system.

Server OSCompatible client OS
Windows Server 2019Windows 10
Windows Server 2016Windows 10
Windows Server 2012 R2Windows 8.1
Windows Server 2012Windows 8
Windows Server 2008 R2Windows 7

For Linux OS

In Linux, the OS of the computer used to restore files must support the file system of the protected virtual machine. When selecting a computer to run the script, ensure the computer has a compatible OS, and uses one of the versions identified in the following table:

Linux OSVersions
Ubuntu12.04 and above
CentOS6.5 and above
RHEL6.7 and above
Debian7 and above
Oracle Linux6.4 and above
SLES12 and above
openSUSE42.2 and above

Avast Restore File From Vault Backup


We've found some issues in running the file recovery script on machines with SLES 12 SP4 OS and we're investigating with the SLES team.Currently, running the file recovery script is working on machines with SLES 12 SP2 and SP3 OS versions.

The script also requires Python and bash components to execute and connect securely to the recovery point.

bash4 and above
python2.6.6 and above
.NET4.6.2 and above
TLS1.2 should be supported

Step 4: Access requirements to successfully run the script

If you run the script on a computer with restricted access, ensure there's access to:

  • download.microsoft.com
  • Recovery Service URLs (GEO-NAME refers to the region where the Recovery Services vault resides)
    • https://pod01-rec2.GEO-NAME.backup.windowsazure.com (For Azure public regions)
    • https://pod01-rec2.GEO-NAME.backup.windowsazure.cn (For Azure China 21Vianet)
    • https://pod01-rec2.GEO-NAME.backup.windowsazure.us (For Azure US Government)
    • https://pod01-rec2.GEO-NAME.backup.windowsazure.de (For Azure Germany)
  • Outbound ports 53 (DNS), 443, 3260


The script file you downloaded in step 1 above will have the geo-name in the name of the file. Use that geo-name to fill in the URL. The downloaded script name will begin with: 'VMname'_'geoname'_'GUID'.
So for example, if the script filename is ContosoVM_wcus_12345678, the geo-name is wcus and the URL would be:

For Linux, the script requires 'open-iscsi' and 'lshw' components to connect to the recovery point. If the components don't exist on the computer where the script is run, the script asks for permission to install the components. Provide consent to install the necessary components.

The access to download.microsoft.com is required to download components used to build a secure channel between the machine where the script is run and the data in the recovery point.

Step 5: Running the script and identifying volumes

For Windows

After you meet all the requirements listed in Step 2, Step 3 and Step 4, copy the script from the downloaded location (usually the Downloads folder), right-click the executable or script and run it with Administrator credentials. When prompted, type the password or paste the password from memory, and press Enter. Once the valid password is entered, the script connects to the recovery point.

When you run the executable, the operating system mounts the new volumes and assigns drive letters. You can use Windows Explorer or File Explorer to browse those drives. The drive letters assigned to the volumes may not be the same letters as the original virtual machine. However, the volume name is preserved. For example, if the volume on the original virtual machine was 'Data Disk (E:)', that volume can be attached on the local computer as 'Data Disk ('Any letter':). Browse through all volumes mentioned in the script output until you find your files or folder.

For backed-up VMs with large disks (Windows)

If the file recovery process hangs after you run the file-restore script (for example, if the disks are never mounted, or they're mounted but the volumes don't appear), perform the following steps:

  1. Ensure that the OS is WS 2012 or higher.

  2. Ensure the registry keys are set as suggested below in the restore server and make sure to reboot the server. The number beside the GUID can range from 0001-0005. In the following example, it's 0004. Navigate through the registry key path until the parameters section.

For Linux

For Linux machines, a python script is generated. Download the script and copy it to the relevant/compatible Linux server. You may have to modify the permissions to execute it with chmod +x <python file name>. Then run the python file with ./<python file name>.

In Linux, the volumes of the recovery point are mounted to the folder where the script is run. The attached disks, volumes, and the corresponding mount paths are shown accordingly. These mount paths are visible to users having root level access. Browse through the volumes mentioned in the script output.

For backed-up VMs with large disks (Linux)**

If the file recovery process hangs after you run the file-restore script (for example, if the disks are never mounted, or they're mounted but the volumes don't appear), perform the following steps:

  1. In the file /etc/iscsi/iscsid.conf, change the setting from:
    • node.conn[0].timeo.noop_out_timeout = 5 to node.conn[0].timeo.noop_out_timeout = 120
  2. After making the above changes, rerun the script. If there are transient failures, ensure there is a gap of 20 to 30 minutes between reruns to avoid successive bursts of requests impacting the target preparation. This interval between re-runs will ensure the target is ready for connection from the script.
  3. After file recovery, make sure you go back to the portal and select Unmount disks for recovery points where you weren't able to mount volumes. Essentially, this step will clean any existing processes/sessions and increase the chance of recovery.

LVM/RAID arrays (For Linux VMs)

In Linux, Logical Volume Manager (LVM) and/or software RAID Arrays are used to manage logical volumes over multiple disks. If the protected Linux VM uses LVM and/or RAID Arrays, you can't run the script on the same VM.
Instead run the script on any other machine with a compatible OS and which supports the file system of the protected VM.
The following script output displays the LVM and/or RAID Arrays disks and the volumes with the partition type.

To bring these partitions online, run the commands in the following sections.

For LVM partitions

Once the script is run, the LVM partitions are mounted in the physical volume(s)/disk(s) specified in the script output. The process is to

  1. Get the unique list of volume group names from the physical volumes or disks
  2. Then list the logical volumes in those volume groups
  3. Then mount the logical volumes to a desired path.
Listing volume group names from physical volumes

To list the volume group names:

This command will list all physical volumes (including the ones present before running the script), their corresponding volume group names, and the volume group's unique user IDs (UUIDs). A sample output of the command is shown below.

The first column (PV) shows the physical volume, the subsequent columns show the relevant volume group name, format, attributes, size, free space, and the unique ID of the volume group. The command output shows all physical volumes. Refer to the script output and identify the volumes related to the backup. In the above example, the script output would have shown /dev/sdf and /dev/sdd. And so, the datavg_db volume group belongs to script and the Appvg_new volume group belongs to the machine. The final idea is to make sure a unique volume group name should have one unique ID.

Duplicate Volume groups

There are scenarios where volume group names can have 2 UUIDs after running the script. It means that the volume group names in the machine where the script is executed and in the backed-up VM are the same. Then we need to rename the backed-up VMs volume groups. Take a look at the example below.

The script output would have shown /dev/sdg, /dev/sdh, /dev/sdm2 as attached. So, the corresponding VG names are Appvg_new and rootvg. But the same names are also present in the machine's VG list. We can verify that one VG name has two UUIDs.

Now we need to rename VG names for script-based volumes, for example: /dev/sdg, /dev/sdh, /dev/sdm2. To rename the volume group, use the following command

Now we have all VG names with unique IDs.

Active volume groups

Make sure that the Volume groups corresponding to script's volumes are active. The following command is used to display active volume groups. Check whether the script's related volume groups are present in this list.

Otherwise, activate the volume group by using the following command.

Listing logical volumes within Volume groups

Once we get the unique, active list of VGs related to the script, then the logical volumes present in those volume groups can be listed using the following command.

This command displays the path of each logical volume as 'LV Path'.

Mounting logical volumes

To mount the logical volumes to the path of your choice:


Don't use 'mount -a'. This command mounts all devices described in '/etc/fstab'. This might mean duplicate devices can get mounted. Data can be redirected to devices created by a script, which don't persist the data, and so might result in data loss.

For RAID arrays

The following command displays details about all raid disks:

The relevant RAID disk is displayed as /dev/mdm/<RAID array name in the protected VM>

Use the mount command if the RAID disk has physical volumes:

If the RAID disk has another LVM configured in it, then use the preceding procedure for LVM partitions but use the volume name in place of the RAID Disk name.

Step 6: Closing the connection

After identifying the files and copying them to a local storage location, remove (or unmount) the additional drives. To unmount the drives, on the File Recovery menu in the Azure portal, select Unmount Disks.


Once the disks have been unmounted, you'll receive a message. It may take a few minutes for the connection to refresh so that you can remove the disks.

In Linux, after the connection to the recovery point is severed, the OS doesn't remove the corresponding mount paths automatically. The mount paths exist as 'orphan' volumes and are visible, but throw an error when you access/write the files. They can be manually removed. The script, when run, identifies any such volumes existing from any previous recovery points and cleans them up upon consent.


Make sure that the connection is closed after the required files are restored. This is important, especially in the scenario where the machine in which the script is executed is also configured for backup. If the connection is still open, the subsequent backup might fail with the error 'UserErrorUnableToOpenMount'. This happens because the mounted drives/volumes are assumed to be available and when accessed they might fail because the underlying storage, that is, the iSCSI target server may not available. Cleaning up the connection will remove these drives/volumes and so they won't be available during backup.


This section discusses the various security measures taken for the implementation of file recovery from Azure VM backups.

Feature flow

This feature was built to access the VM data without the need to restore the entire VM or VM disks and with the minimum number of steps. Access to VM data is provided by a script (which mounts the recovery volume when run as shown below) and it forms the cornerstone of all security implementations:

Security implementations

Select Recovery point (who can generate script)

The script provides access to VM data, so it's important to regulate who can generate it in the first place. You need to sign in into the Azure portal and be Azure RBAC authorized to generate the script.

File recovery needs the same level of authorization as required for VM restore and disks restore. In other words, only authorized users can view the VM data can generate the script.

The generated script is signed with the official Microsoft certificate for the Azure Backup service. Any tampering with the script means the signature is broken, and any attempt to run the script is highlighted as a potential risk by the OS.

Mount Recovery volume (who can run script)

Only an Admin can run the script and it should run in elevated mode. The script only runs a pre-generated set of steps and doesn't accept input from any external source.

To run the script, a password is required that's only shown to the authorized user at the time of generation of script in the Azure portal or PowerShell/CLI. This is to ensure the authorized user who downloads the script is also responsible for running the script.

Browse files and folders

To browse files and folders, the script uses the iSCSI initiator in the machine and connects to the recovery point that's configured as an iSCSI target. Here you can imagine scenarios where one is trying to imitate/spoof either/all components.

We use a mutual CHAP authentication mechanism so that each component authenticates the other. This means it's extremely difficult for a fake initiator to connect to the iSCSI target and for a fake target to be connected to the machine where the script is run.

The data flow between the recovery service and the machine is protected by building a secure TLS tunnel over TCP (TLS 1.2 should be supported in the machine where script is run).

Any file Access Control List (ACL) present in the parent/backed up VM is preserved in the mounted file system as well.

The script gives read-only access to a recovery point and is valid for only 12 hours. If you wish to remove the access earlier, then sign into Azure portal/PowerShell/CLI and perform unmount disks for that particular recovery point. The script will be invalidated immediately.

Next steps

  • Learn how to restore files via PowerShell
  • Learn how to restore files via Azure CLI
  • After VM is restored, learn how to manage backups

Avast Antivirus deleted my files” — these words are frequently heard from many PC users . A single file deleted by mistake can result in a total loss of use of recently installed software. And what if you cannot reinstall?

Before we tell you how to recover these files, let us find out what is an antivirus, how it works and why it can suddenly block any file without obvious reasons.

An antivirus is a computer protection tool designed to eliminate potential threats such as computer viruses, malware and malicious encrypting tools. Some malware may inject deep inside the system and modify its so that your computer’s normal functionality is affected.

Computer scanning is a powerful method of identifying malicious and potentially unwanted programs that may interfere with the normal functionality of the computer.

How malicious files are detected by the antivirus?
Simple signature search aside, modern antiviruses rely on heuristics to discover programs that may integrate potentially dangerous code. Because of heuristics, the antivirus may designate as malware just about any program that includes functions with unusual (and potentially dangerous) system calls.

This way the antivirus differentiates a malicious file from a general document that has nothing to do with the computer’s normal operation. Due to this reason, sometimes a harmless file may be recognized as a malicious one even if it does not pose a real threat.


What is Avast Antivirus?

Avast is a Czech Company specializing in the development of security-related software. With more than 400 million users all over the world and for many years on the market, Avast has maintained its strong position among antivirus vendors on the market.
Being a technological leader in antivirus tools, Avast Free Antivirus takes the honorable first place in sales of antivirus software with a market share of 20.5% for June, 2017.
If you are still looking for reliable antivirus protection capable of neutralizing almost every threat, Avast would be a valuable investment in your cyber cecurity.

How to activate/deactivate Avast Antivirus

In some cases, you may want to temporarily deactivate the antivirus. This is how to do it.

1. Start the Avast Free Antivirus application.

2. Open Menu tab and go to Settings.

3. Open Components.

4. In Sequrity section you will find a list of available antivirus settings. Switch them on or off as required.

Main functions of Avast Antivirus. Quarantine.

Remove Avast Files

Avast Antivirus settings are divided into several sections.

  • Status: In this section you can scan the computer and discover its state (infected or not).
  • Protection: Lists settings related to cyber security.
  • Privacy: Settings related to confidentiality of your private information.
  • Performance: Allows adjusting Avast for low-performance environments or to reduce the consumption of resources by the antivirus when playing games.

Along with PC scanning, one of the most important settings is Quarantine. This is critically important, and this is the only place where an antivirus program can relocate the “neutralized” files to. Usually, quarantined files are not subject to immediate deletion unless Avast discovers a specific threat for the system. These files are deposited into a specialized storage for further assessment by the device administrator.

How do you find the Avast Free Antivirus quarantine section?

1. Start the application.

2. Open Protection section and chose Virus Chest.

3. A window listing the neutralized threats will show up.

You can always add a malicious file to Antivirus quarantine manually if the application is unable to detect the threat in automatic mode. Extreme cation shall be taken when making this action on files with hidden or system attributes so as not to impair the Windows system operation.

How an exclusion can be added to Avast Antivirus

It may happen that Avast Antivirus blocks a random file that does not pose a real threat to your system. Why can this happen? The answer is simple: an antivirus may consider a file that may somehow affect the system’s operation to be a potential threat.

While this is done with good intentions, it is not always possible to control the process other than making file exclusions. To exclude files or folders from quarantine, follow these steps:

1. Start the Avast Antivirus.

2. Open Menu tab and go to Settings.

3. Find Exclusions section and unfold it.

4. An advanced menu will give you the necessary options to configure files and folders. Specify the file path, URL or CyberCapture.

Avast Antivirus deleted an important file. Recovery procedure

Avast File Delete

As we have mentioned above, Avast may sometimes delete a completely harmless files due to false positive detection. More often than not, however, antiviruses would delete real threats as opposed to blocking random files.

What you should know is that deleted files can be recovered even if you cannot find it on your computer. We’ll show you how to do it by using the Starus Partition Recovery tool. The tool allows you to perform deep low-level analysis of the disk that contains the deleted file, locate and recover (undelete) the file.

The intuitive user interface combined with convenient file grouping allows you finding the necessary file or document easily without wasting time. A preview window will ensure that the required file is not damaged or rewritten and can be completely recovered.

We hope this article was helpful. Feel free to contact us if you have any questions or comments.

Similar Data Recovery Tips Picked Just for You:

Similar Data Recovery Tips Picked Just for You:


Avast Restore File From Vault Download