Hi there,

On Fri, 24 Jan 2020, Douglas Stinnette wrote:

> When Quarantine has a false positive how do you restore the file(s)?

ClamAV can be used in many different ways. We do not know how you are
using ClamAV, so you need to tell us. You have not made clear which
tool took the 'Quarantine' action, and how the action was configured.
What is/was the affected file?

ClamAV can remove (delete) a file or, in some circumstances, move it
to a quarantine location of your choice - this is most likely set in a
configuration file somewhere. Tools other than ClamAV may also delete
or move files based on the findings of a scan by ClamAV.

If a simple file was removed, you may need to go to your backups.

If the file was moved to a different location, you need to find out to
where it was moved. Then you can move it back, although (depending on
the file) it might not be quite as simple as that because moving files
or deleting them willy-nilly can badly damage a system. For example a
database server is likely to get in a real mess if you move any of its
data files without first stopping it, and unwise operations on things
in some of the system directories can be challenging to recover from.

False positives are not at all rare, and sometimes I wonder if the
inadvisable application of ClamAV might be doing as much damage to
systems as is being done by the things which ClamAV actually finds.

Did you read the part in the documentation which (in BOLD) says
"Be careful!" ?

--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
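
An added illustration of the "find out to where it was moved, then move it back" step from the reply above; it is not part of the original thread and is not ClamAV project code. It assumes the scan was run with clamscan's --move and --log options and that the log records each move in the form shown in the comments; the function names and sample paths are hypothetical, so check the format against your own log first.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the scan ran as
#   clamscan --move=QUARANTINE_DIR --log=LOGFILE ...
# and that the log records each move as (assumed format):
#   /original/path: moved to '/quarantine/dir/name'

# Print the original path recorded in log $1 for quarantined file $2.
original_for() {
    awk -v q="$2" '
        BEGIN { tail = ": moved to \047" q "\047" }
        length($0) > length(tail) &&
        substr($0, length($0) - length(tail) + 1) == tail {
            print substr($0, 1, length($0) - length(tail)); found = 1; exit
        }
        END { exit !found }' "$1"
}

# Move quarantined file $2 back to where log $1 says it came from.
# Stop any service that owns the file (e.g. a database) before running this.
restore_file() {
    orig=$(original_for "$1" "$2") || { echo "no move record for $2" >&2; return 2; }
    if [ ! -f "$2" ]; then echo "$2 not in quarantine" >&2; return 3; fi
    if [ -e "$orig" ]; then echo "$orig exists, not overwriting" >&2; return 4; fi
    mkdir -p "$(dirname "$orig")" && mv -- "$2" "$orig" && echo "restored $orig"
}

# Constructed demo in a scratch directory (no ClamAV needed).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/q" "$d/home"
    echo data > "$d/q/report.doc"
    echo "$d/home/report.doc: moved to '$d/q/report.doc'" > "$d/scan.log"
    restore_file "$d/scan.log" "$d/q/report.doc"
    rc=$?; [ -f "$d/home/report.doc" ] || rc=1
    rm -rf "$d"; return $rc
}
```

The restore refuses to overwrite a file that already exists at the original path, which leaves the decision about which copy to keep to the administrator.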
Douglas Stinnette
VCU Technology Services
Endpoint Security Specialist
Virginia Commonwealth University
827-0933