[clamav-users] How to restore file(s) on Mac
Douglas Stinnette
dstinnet at vcu.edu
Fri Jan 24 15:55:14 UTC 2020
Hi GW,
Your response is very helpful.
You have directed me to learn how the config files are set up.
We have it set up so quarantine will hold files for 30 days before deleting
them. The definition is "Osx.Adware.TotalAdviseSearch-7489207-0 FOUND".
A script was run remotely to whitelist this definition and to restore the
file(s) from quarantine, which worked on about 700 systems.
Now I am trying to learn how to address the remaining systems with the same
issue.
OK, once I know the location of quarantine then the file(s) are there. The
scan logs show the location where the files were originally located so
looking at these will enable me to know where to get the files and move
them back.
Thank you,
Doug
On Fri, Jan 24, 2020 at 10:28 AM G.W. Haywood via clamav-users <
clamav-users at lists.clamav.net> wrote:
> Hi there,
>
> On Fri, 24 Jan 2020, Douglas Stinnette wrote:
>
> > When Quarantine has a false positive how do you restore the file(s)?
>
> ClamAV can be used in may different ways. We do not know how you are
> using ClamAV, so you need to tell us. You have not made clear which
> tool took the 'Quarantine' action, and how the action was configured.
>
> What is/was the affected file?
>
> ClamAV can remove (delete) a file or, in some circumstances, move it
> to a quarantine location of your choice - this is most likely set in a
> configuration file somewhere. Tools other than ClamAV may also delete
> or move files based on the findings of a scan by ClamAV.
>
> If a simple file was removed, you may need to go to your backups.
>
> If the file was moved to a different location, you need to find out to
> where it was moved. Then you can move it back, although (depending on
> the file) it might not be quite as simple as that because moving files
> or deleting them willy-nilly can badly damage a system. For example a
> database server is likely to get in a real mess if you move any of its
> data files without first stopping it, and unwise operations on things
> in some of the system directories can be challenging to recover from.
>
> False positives are not at all rare, and sometimes I wonder if the
> inadvisable application of ClamAV might be doing as much damage to
> systems as is being done by the things which ClamAV actually finds.
> Did you read the part in the documentation which (in BOLD) says
>
> "Be careful!" ?
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
--
Douglas Stinnette
VCU Technology Services
Endpoint Security Specialist
Virginia Commonwealth University
827-0933
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, Social
Security number or confidential personal information. For more details
visit http://go.vcu.edu/phishing or http://phishing.vcu.edu.
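The procedure Doug describes (read the scan log for the original path, find the file in quarantine, move it back, whitelist the signature) as an added example. This is not code from the thread or from ClamAV; it assumes the quarantine was filled by `clamscan --move=DIR` (which keeps the file's basename), that the log contains clamscan's "PATH: SIGNATURE FOUND" lines, and that the database directory passed in is the one ClamAV actually reads (`DatabaseDirectory` in clamd.conf, or whatever `clamscan --database` points at). The quarantine contents, log lines and the second signature name are constructed for the demo.

```shell
#!/bin/sh
# Restore files that a whitelisted ClamAV signature sent to quarantine,
# then add that signature to a local .ign2 ignore list.
# Example code, not from the clamav-users thread or the ClamAV project.

# restore_from_quarantine LOG QDIR SIG
# For every log line "PATH: SIG FOUND", move QDIR/basename(PATH) back to PATH.
# Only lines carrying the whitelisted signature are touched (Ged's warning:
# do not move files around willy-nilly). Prints the number of files restored.
restore_from_quarantine() {
    log=$1; qdir=$2; sig=$3
    matches=$(mktemp)
    grep -F -- ": ${sig} FOUND" "$log" > "$matches" || true   # no match is not an error
    restored=0
    while IFS= read -r line; do
        orig=${line%": ${sig} FOUND"}       # strip the suffix, keep the original path
        name=$(basename "$orig")
        if [ -e "$qdir/$name" ]; then
            mkdir -p "$(dirname "$orig")"
            mv "$qdir/$name" "$orig"
            restored=$((restored + 1))
        else
            # Assumption: clamscan --move keeps the basename. If two hits shared a
            # basename the second was renamed; report it instead of guessing.
            echo "skip: $name not found in $qdir for $orig" >&2
        fi
    done < "$matches"
    rm -f "$matches"
    echo "$restored"
}

# whitelist_signature DBDIR SIG
# ClamAV loads *.ign2 files from its database directory; one signature name per
# line tells it to ignore that signature. A running clamd must reload its
# database before the entry takes effect; clamscan reads it on the next run.
whitelist_signature() {
    dbdir=$1; sig=$2
    grep -qxF -- "$sig" "$dbdir/local.ign2" 2>/dev/null \
        || printf '%s\n' "$sig" >> "$dbdir/local.ign2"
}

# build_fixture: constructed quarantine and scan log for the demo (not real scan output).
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/quarantine" "$root/db"
    printf 'constructed file 1\n' > "$root/quarantine/TotalAdviseSearch.dylib"
    printf 'constructed file 2\n' > "$root/quarantine/com.tas.agent.plist"
    printf 'constructed file 3\n' > "$root/quarantine/other.bin"
    cat > "$root/scan.log" <<EOF
$root/home/Library/Application Support/TAS/TotalAdviseSearch.dylib: Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
$root/home/Library/LaunchAgents/com.tas.agent.plist: Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
$root/home/Downloads/other.bin: Osx.Example.Constructed-0-0 FOUND
$root/home/Documents/notes.txt: OK
EOF
    echo "$root"
}

SIG='Osx.Adware.TotalAdviseSearch-7489207-0'
root=$(build_fixture)
count=$(restore_from_quarantine "$root/scan.log" "$root/quarantine" "$SIG")
whitelist_signature "$root/db" "$SIG"
echo "restored $count file(s); other.bin stays quarantined; local.ign2 now holds: $(cat "$root/db/local.ign2")"
rm -rf "$root"
```

Run it against a real log and quarantine as `restore_from_quarantine /var/log/clamav/scan.log /path/to/quarantine "$SIG"` after checking that the quarantine directory and database directory match your configuration; the file hit by the other (constructed) signature is left in quarantine, and the whitelist entry is not duplicated on repeated runs.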