Mailing List Archive

[clamav-users] How to restore file(s) on Mac
When Quarantine has a false positive how do you restore the file(s)?
Thanks,
Doug

--
Douglas Stinnette
VCU Technology Services
Endpoint Security Specialist
Virginia Commonwealth University
827-0933

Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, Social
Security number or confidential personal information. For more details
visit http://go.vcu.edu/phishing or http://phishing.vcu.edu.
Re: [clamav-users] How to restore file(s) on Mac
Hi there,

On Fri, 24 Jan 2020, Douglas Stinnette wrote:

> When Quarantine has a false positive how do you restore the file(s)?

ClamAV can be used in many different ways. We do not know how you are
using ClamAV, so you need to tell us. You have not made clear which
tool took the 'Quarantine' action, and how the action was configured.

What is/was the affected file?

ClamAV can remove (delete) a file or, in some circumstances, move it
to a quarantine location of your choice - this is most likely set in a
configuration file somewhere. Tools other than ClamAV may also delete
or move files based on the findings of a scan by ClamAV.

If a simple file was removed, you may need to go to your backups.

If the file was moved to a different location, you need to find out to
where it was moved. Then you can move it back, although (depending on
the file) it might not be quite as simple as that because moving files
or deleting them willy-nilly can badly damage a system. For example a
database server is likely to get in a real mess if you move any of its
data files without first stopping it, and unwise operations on things
in some of the system directories can be challenging to recover from.

False positives are not at all rare, and sometimes I wonder if the
inadvisable application of ClamAV might be doing as much damage to
systems as is being done by the things which ClamAV actually finds.
Did you read the part in the documentation which (in BOLD) says

"Be careful!" ?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] How to restore file(s) on Mac
Doug,

I see from the title that you’re on macOS. Are you using ClamXAV or ClamAV? ClamXAV is a third-party product built around ClamAV.

ClamAV doesn’t automatically quarantine files that triggered alerts during a scan. Configuring it to move files to a quarantine would’ve been something you had to have set up manually.
ClamXAV automatically quarantines “infected” files. According to their documentation, “simply click the Restore button beside the file in the Infection List”. https://www.clamxav.com/support/quick-start-guide/

-Micah


From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Douglas Stinnette <dstinnet@vcu.edu>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Friday, January 24, 2020 at 9:47 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: [clamav-users] How to restore file(s) on Mac

When Quarantine has a false positive how do you restore the file(s)?
Thanks,
Doug
Re: [clamav-users] How to restore file(s) on Mac
Hi GW,

Your response is very helpful.

You have directed me to learn how the config files are set up.

We have it set up so quarantine will hold files for 30 days before deleting
them. The definition is "Osx.Adware.TotalAdviseSearch-7489207-0 FOUND".
A script was run remotely to white list this definition and to restore the
file(s) from quarantine which worked on about 700 systems.
Now I am trying to learn how to address the remaining systems with the same
issue.

Ok, once I know the location of quarantine then the file(s) are there. The
scan logs show the location where the files were originally located so
looking at these will enable me to know where to get the files and move
them back.
Thank you,
Doug



On Fri, Jan 24, 2020 at 10:28 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

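Added example (editor's, not code from anyone on this thread and not ClamAV's own tooling) of the manual steps Doug describes above: read the original locations out of the scan log, move the quarantined files back, and whitelist the signature so the next scan leaves them alone. It assumes the scan was run with clamscan's --move=DIR and --log=FILE options, so every hit is logged as "/original/path: Signature FOUND" and the moved file keeps its basename inside the quarantine directory. The .ign2 file is ClamAV's real per-signature whitelist format (one signature name per line, placed in the database directory), but its path, the sandbox paths under /Users/doug and the second signature name in the fixture are made up for the demonstration. It deliberately refuses to guess when two originals share a basename or when something already sits at the destination, which is the "be careful" point Ged makes.

```shell
#!/bin/sh
# Added example, not from the clamav-users thread and not ClamAV project code.
# Restores files that a clamscan --move run put into a quarantine directory,
# for ONE signature that turned out to be a false positive, then whitelists it.
#
# Assumptions (mine): the scan ran as
#     clamscan -r --move="$QUARANTINE" --log="$LOG" <paths>
# so each hit is logged as "/original/path/name: Signature.Name FOUND" and the
# moved file keeps its basename inside "$QUARANTINE". The .ign2 whitelist path
# is a parameter because the database directory differs between installs.
set -u
tab=$(printf '\t')

# Print "basename<TAB>original path" for each log line naming signature $2.
detections_for_sig() {
    log=$1; sig=$2
    grep -F ": $sig FOUND" "$log" | while IFS= read -r line; do
        orig=${line%": $sig FOUND"}      # strip the ": SIG FOUND" suffix
        printf '%s\t%s\n' "$(basename "$orig")" "$orig"
    done
}

# Append $1 to the .ign2 file $2 unless already listed (returns 2 in that case).
whitelist_sig() {
    sig=$1; ign2=$2
    if [ -f "$ign2" ] && grep -qxF -- "$sig" "$ign2"; then
        return 2
    fi
    printf '%s\n' "$sig" >> "$ign2"
}

# Move quarantined files for signature $2 back where log $1 says they came from.
# Never guesses: a basename logged at two original paths is AMBIGUOUS, an
# occupied destination is EXISTS, a missing quarantine copy is MISSING and a
# missing parent directory is NODIR. One status line per detection.
restore_from_quarantine() {
    log=$1; sig=$2; quar=$3
    list=$(mktemp) || return 1
    detections_for_sig "$log" "$sig" | LC_ALL=C sort -u > "$list"
    while IFS=$tab read -r base orig; do
        if [ "$(cut -f1 "$list" | grep -cxF -- "$base")" -gt 1 ]; then
            printf 'AMBIGUOUS %s\n' "$orig"
        elif [ -e "$orig" ]; then
            printf 'EXISTS %s\n' "$orig"
        elif [ ! -f "$quar/$base" ]; then
            printf 'MISSING %s\n' "$orig"
        elif [ ! -d "$(dirname "$orig")" ]; then
            printf 'NODIR %s\n' "$orig"
        else
            mv "$quar/$base" "$orig" && printf 'RESTORED %s\n' "$orig"
        fi
    done < "$list"
    rm -f "$list"
}

# Constructed fixture (the paths and the second signature name are made up):
# a sandbox with a scan log, a quarantine holding the moved files, and the
# original directories. Prints the sandbox root.
make_fixture() {
    root=$(mktemp -d) || return 1
    sig='Osx.Adware.TotalAdviseSearch-7489207-0'
    mkdir -p "$root/quarantine" "$root/Users/doug/Library/LaunchAgents" \
             "$root/Users/doug/Downloads" "$root/Users/doug/Desktop"
    echo 'plist' > "$root/quarantine/com.example.helper.plist"
    echo 'zip'   > "$root/quarantine/helper.zip"
    echo 'dmg'   > "$root/quarantine/other.dmg"
    cat > "$root/scan.log" <<EOF
$root/Users/doug/Library/LaunchAgents/com.example.helper.plist: $sig FOUND
$root/Users/doug/Downloads/helper.zip: $sig FOUND
$root/Users/doug/Desktop/helper.zip: $sig FOUND
$root/Users/doug/Downloads/other.dmg: Osx.Example.Unrelated-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
EOF
    printf '%s\n' "$root"
}

# Stand-alone demo: restore the adware hits, then whitelist the signature.
demo() {
    root=$(make_fixture)
    restore_from_quarantine "$root/scan.log" 'Osx.Adware.TotalAdviseSearch-7489207-0' "$root/quarantine"
    whitelist_sig 'Osx.Adware.TotalAdviseSearch-7489207-0' "$root/local.ign2"
    rm -rf "$root"
}
demo
```

Run it with sh to see the demo. On a real system point restore_from_quarantine at the log and quarantine directory your scan job actually used, and whitelist_sig at an .ign2 file in the database directory (the DatabaseDirectory setting, which clamconf will print), and do the whitelisting before the next scheduled scan or the files will just be moved again. Anything under a system directory or owned by a running service still needs that service stopped first, as Ged says.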
Re: [clamav-users] How to restore file(s) on Mac
Hi Micah,

That is nice to know. Yes, we are using ClamAV and doing the manual steps to
get this addressed.
Thank you for the reply.
Doug

On Fri, Jan 24, 2020 at 10:54 AM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote: