ClamWin Free Antivirus :: View topic - quarantine folder filled with 25,000 files

Posted: Sun Nov 21, 2010 7:57 pm

Hi there,

I'm just seeing 11818 files in the ClamWin quarantine folder of a laptop that is now simply useless for the upcoming Monday working day!!

I'm completely surprised that the developers thought to suggest (looking at various posts in this forum) to:
-) recover manually the files, checking the logs for the original locations
-) use the QRestore utility, which is not advertised no-where on the website (I'm not even sure about which one
is the latest version -- is it 1.1 ?)
-) set ClamWin into "report-only" mode, instead of quarantining -- I would have suggested to uninstall the tool, instead!

Now some constructive ideas and suggestions:
1) advertise this on the front-page of the ClamWin website as a major issue that has potentially affected ALL THE USERS!!
2) SUGGEST TO ALL USERS TO REINSTALL CLAMWIN from a clean new download from your website
On this PC, ClamWin quarantined its own executable as well, letting it become unusable!!!
3) provide clear pointers to a receipt for fixing the problem
4) consider that NOT ALL USERS are ICT-experts, so you must consider also how to deal with them
5) PROVIDE AN AUTOMATIC PROCEDURE AS PART OF THE NEXT CLAMWIN UPDATE, to be released ASAP (now!!!!);
The recovery procedure is relatively simple to build:
a) scan all the log files present on the system, and build a map of the quarantined file paths, along with the original location
b) scan all the quarantine folder files, rescan them with the new version/virus-db which does not have the problem, and,
if the file is not infected, then restore it into its original location, possibly asking the user to confirm the action

I hope the developers do something to address this in a professional way. And, IMHO, trying to blame users of ClamWin because they didn't properly backup their systems, is NOT a professional way of dealing with the issue.

My 2 cents.

Tommaso

Posted: Mon Nov 22, 2010 12:40 am

tcucinotta wrote:

Hi there,

I'm just seeing 11818 files in the ClamWin quarantine folder of a laptop that is now simply useless for the upcoming Monday working day!!

I'm completely surprised that the developers thought to suggest (looking at various posts in this forum) to:
-) recover manually the files, checking the logs for the original locations
-) use the QRestore utility, which is not advertised no-where on the website (I'm not even sure about which one
is the latest version -- is it 1.1 ?)
-) set ClamWin into "report-only" mode, instead of quarantining -- I would have suggested to uninstall the tool, instead!

Now some constructive ideas and suggestions:
1) advertise this on the front-page of the ClamWin website as a major issue that has potentially affected ALL THE USERS!!
2) SUGGEST TO ALL USERS TO REINSTALL CLAMWIN from a clean new download from your website
On this PC, ClamWin quarantined its own executable as well, letting it become unusable!!!
3) provide clear pointers to a receipt for fixing the problem
4) consider that NOT ALL USERS are ICT-experts, so you must consider also how to deal with them
5) PROVIDE AN AUTOMATIC PROCEDURE AS PART OF THE NEXT CLAMWIN UPDATE, to be released ASAP (now!!!!);
The recovery procedure is relatively simple to build:
a) scan all the log files present on the system, and build a map of the quarantined file paths, along with the original location
b) scan all the quarantine folder files, rescan them with the new version/virus-db which does not have the problem, and,
if the file is not infected, then restore it into its original location, possibly asking the user to confirm the action

I hope the developers do something to address this in a professional way. And, IMHO, trying to blame users of ClamWin because they didn't properly backup their systems, is NOT a professional way of dealing with the issue.

My 2 cents.

Tommaso

Please do not double post - becomes difficult to follow. I responded in your first post:
https://forums.clamwin.com/viewtopic.php?p=13230#13230

Posted: Mon Nov 22, 2010 3:06 pm

bill_chatfield wrote:

I was able to find the log file in a temporary file in my temp directory: c:\Documents and Settings\userid\local settings\temp. Make sure you look under the userid which runs ClamWin.

And I wrote the following script which copied everything back into place. I couldn't use Java or Perl because their executables and dlls were quarantined by ClamWin. So JavaScript seemed like the next easiest thing to use. Copy and paste the script in to a file named RestoreClamWinFalsePositives.js and then run it like this: cscript RestoreClamWinFalsePositives.js logfilename.txt

Thanks for the script! For some unknown reason WinXP or greater is required for the other script.

Posted: Mon Nov 22, 2010 9:26 pm

Just thought people viewing this thread on the false positive problem would be worth viewing my other post in the other thread...

https://forums.clamwin.com/viewtopic.php?p=13250#13250 https://forums.clamwin.com/viewtopic.php?p=13250#13250

Posted: Fri Nov 26, 2010 10:27 am

lasersoft wrote:

Where is the log file on Windows Server 2003. There is a file ClamScanLog.txt in the c:\documents and settings\all users\.clamwin\log but doesn't have information about the quarentined files. It seems to come a day before the problem occurred, as if the program didn't finish writing. Can I just return the files to where I think they came from?

Hello if like me you have discovered thousands of files in quarantine following the problem of false positive
with a log file clam nonexistent or incomplete
I give you a temporary solution that allowed me to restart my databases.

1 rename your files by removing the extension. Infected (before removing duplicates)
2 state in the system PATH the path or file is stored in your quarantine.

Beware it only works for DLLs it will put the executable file in the correct directories by hand

--
Bonjour si comme moi vous avez découvert des millier de fichier en quarantaine suite au probleme de faux positif
avec un fichier de log de clam inexistant ou incomplet
je vous livre une solution temporaire qui ma permis de redémarrer mes bases de données.

1 renommer vos fichiers en supprimant l'extension .infected (supprimer avant les doublons)
2 indiquer dans le PATH du systeme le chemin ou sont stocké vos fichier en quarantaine.
Attention ca ne fonctionne que pour les DLL il faudra remettre les fichier exécutable dans les bons repertoires a la main

Posted: Thu Dec 09, 2010 10:30 pm

Lost over 7000 files into guarantine....
Restore tool does not work on WIn2000 (NT) server --> not a valid win-32 application.
I think(!!), I found the log-file....
Any way I can automatically recover instead of doing it manual?

Posted: Mon Dec 13, 2010 2:10 pm

Anyone???

Posted: Mon Dec 13, 2010 2:14 pm

I think you will have to go the manual route if Alch's script is no help. If DB folders are involved, seems like someone had a post somewhere about that.

Regards,

Posted: Mon Dec 13, 2010 2:24 pm

Thanks for the reply 'Bob',
The script would work fine if on my XP machine... I copied the log file there and ran the script...
On win-nt however it does not work... (If only it did!)
Hope someone has a solution to this, as doing it manual is going to take weeks!

Posted: Tue Dec 14, 2010 4:35 am

worldofrugs wrote:

Thanks for the reply 'Bob',
The script would work fine if on my XP machine... I copied the log file there and ran the script...
On win-nt however it does not work... (If only it did!)
Hope someone has a solution to this, as doing it manual is going to take weeks!

When you save the script do that as ANSI (dropdown in Notepad)

Posted: Tue Dec 14, 2010 3:26 pm

Not sure how to save "the script" ??
I have the log file (ansi file), and the small program qrestore, that I cannot run on the server (not a valid win32 app.).
Just to see if it would work, I copied both to an XP machine and it works fine there. (Of cos I could not restore, as the files / destination folders are not located on the XP machine)

Posted: Tue Dec 14, 2010 3:53 pm

Please read this sticky post:
https://forums.clamwin.com/viewtopic.php?t=3096&start=0

after point 6:

Quote:

If you need to restore files using the log from another machine then QRestore 1.1 can produce a batch file instead of copying. Follow the steps 1-5 and click File-Create Recovery Script. When you see the batch script in the Notepad, be sure to save it as ASCII or Windows will have troubles running Unicode BATCH files.

Download QRestore1.1 here:
https://files.clamwin.com/QRestore1.1.zip

You can create a batch script for your NT machine on the XP by copying the log file and running qrestore 1.1 and save a batch script (remember to save as ANSI file).