Un-move false positive from quarantine

arefsum
Joined: 05 Sep 2008
Posts: 0
Posted: Fri Sep 05, 2008 8:26 am

Last night Clam scanned my machine, and killed a lot of my system for me. Apps like MySQL, Notepad++, Nokia PC_Suit, Picasa, Ad-Aware, Google Chrome, DivX products, HP Print tools, Java and Java tools, Lotus Symphony, Dell tools, several Windows apps, etc. (lots) were found to be "infected" and moved to the quarantine folder.
After starting an alternative text editor (I normally use Notepad++, but that didn't work any longer) I found an awful lot of "Trojan.Swizzor-82 FOUND" messages in the log.
I saw a notice on the net that Clam reported a lot of false positives with the "Trojan.Swizzor-82 FOUND" message, so per advice, I downloaded a new version of the AV db and ran a scan against the quarantine folder (contains 642 files). This scan only found a possible 6 infected files.
Now, I need to get all those false positives (636 files) back to their original folders - a massive job, since the system is basically crippled. Is there an un-move utility I could use to quickly/easily un-move all the false positives without having to move every file by hand?
Regards
Alf

Ryan.Ricks
Joined: 05 Sep 2008
Posts: 0
Posted: Fri Sep 05, 2008 2:33 pm

The same thing happened to me. It looks like there are over a hundred files I'll have to move back by hand. Why is there no restore feature?

nickdangr
Joined: 05 Sep 2008
Posts: 0
Location: Florida
Posted: Fri Sep 05, 2008 6:11 pm

I'll third this. I came in and 275 files were put in infected, all false positives.
They need to put a restore feature into the program.

nickdangr
Joined: 05 Sep 2008
Posts: 0
Location: Florida
Posted: Fri Sep 05, 2008 6:13 pm

In fact, I have to reinstall my antispam and firewall programs - Clamwin has effectively removed all protection from my computer but itself.
Thanks.

Re: Un-move false positive from quarantine

arefsum
Joined: 05 Sep 2008
Posts: 0
Posted: Fri Sep 05, 2008 8:04 pm

arefsum wrote:
    Now, I need to get all those false positives (636 files) back to their original folders - a massive job, since the system is basically crippled. Is there an un-move utility I could use to quickly/easily un-move all the false positives without having to move every file by hand?

I did it by hand, more or less. Actually I used the log file to generate a batch file that moved the quarantined files back, and the system seems more or less OK. There are still some issues, but I guess reinstalling the offending components will do the trick.
Alf
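Alf's approach (turning the scan log into a batch file that moves the false positives back, while leaving in quarantine whatever the re-scan with the updated database still flags), as an added Python example that is not code from the thread. It assumes clamscan records each move as "<path>: moved to '<quarantine path>'" and each detection as "<path>: <signature> FOUND"; both log excerpts below are constructed.

```python
import re

# Constructed excerpt of a clamscan --move log (not from the thread); the assumed line
# formats are "<path>: <signature> FOUND" and "<path>: moved to '<quarantine path>'".
SCAN_LOG = """\
C:\\Program Files\\Notepad++\\notepad++.exe: Trojan.Swizzor-82 FOUND
C:\\Program Files\\Notepad++\\notepad++.exe: moved to 'C:\\quar\\notepad++.exe.infected'
C:\\Program Files\\MySQL\\bin\\mysqld.exe: Trojan.Swizzor-82 FOUND
C:\\Program Files\\MySQL\\bin\\mysqld.exe: moved to 'C:\\quar\\mysqld.exe.infected'
C:\\Temp\\setup.exe: Trojan.Swizzor-82 FOUND
C:\\Temp\\setup.exe: moved to 'C:\\quar\\setup.exe.infected'
C:\\Users\\alf\\Downloads\\setup.exe: Trojan.Swizzor-82 FOUND
C:\\Users\\alf\\Downloads\\setup.exe: moved to 'C:\\quar\\setup.exe.infected.001'
"""
# Constructed re-scan of the quarantine folder with the updated database: only one
# file is still detected, everything else was a false positive.
RESCAN_LOG = "C:\\quar\\setup.exe.infected.001: Trojan.Swizzor-82 FOUND\n"

MOVED_RE = re.compile(r"^(?P<orig>.+?): moved to '(?P<quar>[^']+)'\s*$")
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND\s*$")

def parse_moves(log_text):
    """Map each quarantine path to the original path the log recorded for it."""
    moves = {}
    for line in log_text.splitlines():
        m = MOVED_RE.match(line)
        if m:
            moves[m.group("quar")] = m.group("orig")
    return moves

def parse_found(log_text):
    """Paths that a scan log still reports as FOUND (here: the re-scan of quarantine)."""
    return {m.group("path") for m in map(FOUND_RE.match, log_text.splitlines()) if m}

def restore_plan(moves, still_infected):
    """Split moves into (restore, keep): keep lists files the re-scan still flags."""
    restore = {q: o for q, o in moves.items() if q not in still_infected}
    keep = sorted(q for q in moves if q in still_infected)
    return restore, keep

def batch_lines(restore):
    """cmd.exe batch lines that move files back; the guard never clobbers an existing file."""
    lines = ["@echo off"]
    for quar, orig in sorted(restore.items()):
        lines.append('if not exist "%s" move "%s" "%s"' % (orig, quar, orig))
    return lines

if __name__ == "__main__":
    restore, keep = restore_plan(parse_moves(SCAN_LOG), parse_found(RESCAN_LOG))
    print("\n".join(batch_lines(restore) + ["rem still detected: " + ", ".join(keep)]))
```

Redirect the output to a .bat file and review it before running; the "if not exist" guard skips any path where a reinstalled copy is already in place.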

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Fri Sep 05, 2008 9:27 pm

Perhaps your log file could be used as the basis for a ClamWin Restore From Quarantine function. You might provide a copy of it to Alch or Sherpya.
At any rate, Clam needs to know about this false positive, or it may happen again. If you have one of the files, upload it to http://cgi.clamav.net/sendvirus.cgi on the web. Fill out the form and be sure to check the False Positive box. Give them a brief explanation of what happened in the Description box.
Regards,

arefsum
Joined: 05 Sep 2008
Posts: 0
Posted: Sat Sep 06, 2008 9:44 am

GuitarBob wrote:
    Perhaps your log file could be used as the basis for a ClamWin Restore From Quarantine function. You might provide a copy of it to Alch or Sherpya.
    At any rate, Clam needs to know about this false positive, or it may happen again. If you have one of the files, upload it to http://cgi.clamav.net/sendvirus.cgi on the web. Fill out the form and be sure to check the False Positive box. Give them a brief explanation of what happened in the Description box.
    Regards,

The file(s) have already been reported. That is why I downloaded a new version of the DB. I'll send a copy of the last few scans to Alch or Sherpya.
Alf

strangelove7
Joined: 27 Oct 2008
Posts: 0
Posted: Mon Oct 27, 2008 9:41 am

Hello, I also moved a lot of files to ClamWin Quarantine. I have to move those files back. Every file has a name like, for example, infected.wordpad.exe. So I just have to delete "infected." from each file name and then move it back?? Is that right? Thank you. (I used ClamWin Portable.)

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Oct 27, 2008 2:17 pm

"So I just have to delete 'infected.' from each file name and then move back??" That's correct, and that's why I have ClamWin's Report Preferences set to Report Only, not Quarantine. That way, you can take a look at a file first (on Jotti or VirusTotal). If it reports a massive amount of infections (especially of one type), it is probably a false positive.
Regards,

blah1985
Joined: 24 Feb 2016
Posts: 0
Posted: Wed Feb 24, 2016 8:00 pm

So this thread is super old, but for future wanderers I wrote a JScript file for Windows to do this.
It moves all files from C:\Quar back to their original location (so remove real infected files first!!). Run with command:
clamscan.exe c:\ -i -k --recursive=yes --log=z:\sweepLogs\%computername%.log --database=z:\ClamWinPortable\Data\db --move=c:\quar

Save the following as a .js file and run it with cscript from the command line:

    /* Restore files in c:/quar to their original location after a ClamWin false positive. */
    String.prototype.trim = function() {
        return this.replace(/^\s+|\s+$/g, '');
    };
    var fso = new ActiveXObject('Scripting.FileSystemObject');
    var folder = fso.GetFolder("c:/quar");
    var ts;
    for (var objEnum = new Enumerator(folder.Files); !objEnum.atEnd(); objEnum.moveNext()) {
        var fileN = objEnum.item().Name;
        var fileSplit = fileN.split(".");
        var ext = fileSplit[fileSplit.length - 1];
        // Only quarantined files (*.infected) have a companion "<name>.txt" holding the original path.
        if (ext == "infected") {
            var ForReading = 1;
            ts = fso.OpenTextFile("c:\\quar\\" + fileN + ".txt", ForReading, false);
            var fileContents = ts.ReadLine();
            ts.Close();
            // The info line carries two \\?\ prefixed paths: the original location, then the quarantine location.
            var contSplit = fileContents.split("\\\\?\\");
            var originalPath = contSplit[1].trim();
            var quarantinePath = contSplit[2].trim();
            // Move the file out of quarantine back to where it came from.
            fso.MoveFile(quarantinePath, originalPath);
            WScript.Echo("Restored file back to " + originalPath);
        }
    }
    WScript.Quit();

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Feb 24, 2016 8:56 pm

That is so much trouble--just use the Qrestore program in the ClamWin\bin folder! Clam Sentinel has an even better restore utility.
Regards,

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Wed Feb 24, 2016 10:42 pm

Agreed. The QRecover in the ClamWin folder would be a lot easier. Alch should make it so you can access it from within ClamWin.

ner0
Joined: 07 Dec 2016
Posts: 0
Posted: Wed Dec 07, 2016 2:36 pm

Thanks to blah1985 for the script, it has really been helpful!
I tried QRecover but for some reason it refused to restore some of the files... more on this here: http://forums.clamwin.com/viewtopic.php?p=19645

ner0
Joined: 07 Dec 2016
Posts: 0
Posted: Thu Dec 08, 2016 6:39 pm

I took the liberty of trying to slightly improve blah1985's script, which worked fine but didn't predict certain situations, like having multiple files with the same name (where ClamAV appends ### to the duplicates), or missing files that would break the restore process.
Like the original script, this one is still in JScript; it should be saved with a .js extension, then called via the command line with:
cscript.exe ScriptName.js
Here's my "improved" version:
    /* Restore files from the ClamAV quarantine folder to their original location */
    // Set the quarantine folder path, with double back-slashes
    var quarantineDir_dbs = 'C:\\ClamAV\\quarantine';

    // Replace every occurrence of strTarget (a plain string, not a regex) with strSubString.
    String.prototype.replaceAll = function(strTarget, strSubString) {
        var strText = this;
        var intIndexOfMatch = strText.indexOf(strTarget);
        while (intIndexOfMatch != -1) {
            strText = strText.replace(strTarget, strSubString);
            intIndexOfMatch = strText.indexOf(strTarget);
        }
        return strText;
    };
    String.prototype.trim = function() {
        return this.replace(/^\s+|\s+$/g, '');
    };

    // Ask for confirmation before touching anything; ReadLine consumes the whole line, newline included.
    WScript.Echo('*** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***\n\nARE YOU SURE THAT YOU WANT TO RESTORE *ALL* FILES FROM QUARANTINE ?\n\nType "yes" to proceed, followed by the [ENTER] key:');
    var input = WScript.StdIn.ReadLine().trim();
    if (input.toUpperCase() !== 'YES') {
        WScript.Quit();
    }

    var fso = new ActiveXObject('Scripting.FileSystemObject');
    var quarantineDir_sfs = quarantineDir_dbs.replaceAll('\\', '/');
    var folder = fso.GetFolder(quarantineDir_sfs);
    var objEnum = new Enumerator(folder.Files);
    if (objEnum.atEnd()) {
        WScript.Echo("\nERROR: Quarantine folder is empty!");
        WScript.Quit();
    }
    WScript.Echo('\nStarting restore process...\n');
    var counterTotal = 0, counterError = 0, counterSuccess = 0;
    for (; !objEnum.atEnd(); objEnum.moveNext()) {
        var fileN = objEnum.item().Name;
        var fileSplit = fileN.split('.');
        var ext1 = fileSplit[fileSplit.length - 1];
        var ext2 = fileSplit[fileSplit.length - 2];
        var ext3 = fileSplit[fileSplit.length - 3];
        // Quarantined files are "<name>.infected", or "<name>.infected.<nnn>" when that name was already taken.
        if (ext1 == 'infected' || (/^\d+$/.test(ext1) && ext2 == 'infected')) {
            counterTotal += 1;
            // The companion "<quarantined name>.txt" records the original and quarantine paths.
            var quarantinedFileInfo = quarantineDir_dbs + '\\' + fileN + '.txt';
            if (fso.FileExists(quarantinedFileInfo)) {
                var ForReading = 1;
                var ts = fso.OpenTextFile(quarantinedFileInfo, ForReading, false);
                var fileContents = ts.ReadLine();
                ts.Close();
                // Both paths in the info line are prefixed with \\?\ ; index 0 is whatever precedes the first one.
                var contSplit = fileContents.split('\\\\?\\');
                var originalLocation = contSplit[1].trim();
                var quarantineLocation = contSplit[2].trim();
                // Collapse doubled back-slashes so FileExists sees a normal path.
                var tmpLocation = originalLocation.replaceAll('\\\\', '\\');
                if (!fso.FileExists(tmpLocation)) {
                    fso.MoveFile(quarantineLocation, originalLocation);
                    if (fso.FileExists(tmpLocation)) {
                        counterSuccess += 1;
                        WScript.Echo('Successfully restored file: ' + originalLocation);
                        fso.DeleteFile(quarantinedFileInfo);
                    } else {
                        counterError += 1;
                        WScript.Echo('ERROR: Failed to restore file: ' + originalLocation);
                    }
                } else {
                    // Never overwrite a file already present at the original location (e.g. a reinstalled copy).
                    counterError += 1;
                    WScript.Echo('ERROR: File already exists: ' + originalLocation);
                }
            } else {
                counterError += 1;
                WScript.Echo('ERROR: Missing information container: ' + quarantinedFileInfo);
            }
        } else if (ext1 == 'txt'
                   && (ext2 == 'infected' || (/^\d+$/.test(ext2) && ext3 == 'infected'))
                   && !fso.FileExists(quarantineDir_dbs + '\\' + fileN.slice(0, -4))) {
            // An info file whose quarantined file is gone: report it rather than silently skipping it.
            counterError += 1;
            WScript.Echo('ERROR: Missing infected file: ' + quarantineDir_dbs + '\\' + fileN.slice(0, -4));
        }
    }
    WScript.Echo('\nProcess completed!\n' + '\nInfected files: ' + counterTotal + '\nRestored files: ' + counterSuccess + '\nErrors: ' + counterError);
    WScript.Echo('\nPress the [ENTER] key to exit...');
    WScript.StdIn.ReadLine();
The confirmation code is pretty much useless, but I just thought I would add it to prevent accidental recoveries of infected files.