QRecover does not work properly for some folders
ner0


Joined: 07 Dec 2016
Posts: 0
Hi,

I am unsure if this has been covered.
I've read a few topics that mentioned the evolution of QRecover over time and some of the hurdles encountered but didn't find anything related to this particular issue.

At the moment I can't rely on QRecover since it will sometimes not work (best case) or delete files when recovering them.
Here is an example of a quarantined file that I cannot restore:
1. I place an EICAR virus file (eicar.com) inside "C:\Windows\System32\config"
2. I run a scan on that specific folder and ClamWin flags the file and moves it to quarantine at "C:\Users\Administrator\AppData\Roaming\.clamwin\quarantine" and also creates the 'eicar.com.infected.txt' alongside the quarantined file
3. I open QRecover and there it is, "Original location" - C:\Windows\System32\config\eicar.com | "Quarantined file" - "C:\Users\Administrator\AppData\Roaming\.clamwin\quarantine\eicar.com.infected"
4. I right-click on the item and click on "Restore Selected" but then I get an error: "Windows cannot find 'C:\Users\ADMINI~1\AppData\Local\Temp\4\CLA49BB_tmp.txt'. Make sure you typed the name correctly, and then try again."

The weird thing about the error above is that it will always happen, even when a restore is successful.

Also, if I try to create a recovery script from QRecover I get this error [sic]:
Error: Cannot create Temporory file!
The system cannot find the path specified.

Can someone comment if this is normal and if not why it could be happening with files to be restored to C:\Windows\System32\config but not if the restore folder is C:\Windows\System32 ?
At the moment I'm using a script from the user 'blah1985' which apparently doesn't have the problem that QRecover has: https://forums.clamwin.com/viewtopic.php?p=19040#19040

EDIT:
OS: Windows Server 2008 R2

EDIT2: Tested with the standalone version of "SentinelRecover": it has the same problem, but it's worse because in that case it is guaranteed that it will delete both files even though it doesn't recover the original.


Last edited by ner0 on Wed Dec 07, 2016 5:03 pm; edited 1 time in total
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
No one has ever mentioned this problem before. It seems that it could be unique to the system32\config folder. I'll pass it on to the ClamWin developers. Perhaps it has something to do with the protection code for some Windows files that was written when the QRecover program was developed. Maybe the developers could incorporate that user script that works.

Regards,
ner0


Joined: 07 Dec 2016
Posts: 0
Did you have the chance to test it yourself?
The script is not ideal if you wish to restore individual files among correctly quarantined files, but it does the specific job that QRecover, or unaffiliated SentinelRecover, can't do at the moment.
I haven't tested any more weird folders, I happened to find this one when testing file exclusion from scans on that particular folder, but it's possible that there are other folders where this happens.
I'm new to ClamWin/ClamAV and I've already read quite a few spooky cases of mass false-positive quarantines to the point that I'm insecure about the whole process and so I need to be confident that whatever happens can be "easily" reverted.

In any case, thanks for passing it on.
ner0


Joined: 07 Dec 2016
Posts: 0
There is something seriously wrong with QRecover.

The first issue that I faced I already covered on the opening post, now I have 2 more issues:
1. When logged in as the domain administrator, who has the home folder "Administrator.DOMAIN", QRecover tries to locate a file in the %TEMP% path using this abbreviation:
C:\Users\ADMINI~1_DOM\AppData\Local\Temp\5\CLA4639_tmp.txt

That abbreviation clearly cannot exist since abbreviated paths are made of the first 6 characters of the profile path name followed by a tilde and a number (depending on alphabetical order), example:
- AdministratorA = ADMINI~1
- AdministratorB = ADMINI~2
- AdministratorC = ADMINI~3

Why it appends "_DOM" is beyond anything I can think of.

This is serious enough, but then there's another problem when trying to do recovery of a listed quarantined file:
C:\Windows\System32\config\eicar.com Error: Cannot create a file when that file already exists.

The issue with this error is that the target file does not exist at all. Using the command line confirms it:
Code:
C:\>dir C:\Windows\System32\config\eicar.com
 Volume in drive C has no label.
 Volume Serial Number is A84D-C3F2

 Directory of C:\Windows\System32\config

File Not Found

C:\>copy eicar.com.infected C:\Windows\System32\config\eicar.com
        1 file(s) copied.

C:\>


I also tried "Create Recovery script" which froze the process, constantly used 13% of an 8-core CPU, for more than 5 minutes, until I terminated the process.
QRecover is a serious liability which I think should be prioritized, it implies a false sense of security.
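A restore routine that avoids the two data-loss failure modes reported in this thread (a quarantined copy deleted even though the original was never written back, and a restore that dies on an unusable %TEMP%). This is an added example, not ClamWin's QRecover code or the linked user script; it assumes the caller already knows the original path, which QRecover takes from the .infected.txt sidecar (that sidecar is not parsed here).

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_temp_dir():
    # The "Cannot create Temporary file" error means %TEMP% is unusable;
    # probe it once up front instead of failing halfway through a restore.
    tmp = tempfile.gettempdir()
    if not os.path.isdir(tmp):
        return False, "temp directory does not exist: " + tmp
    try:
        fd, probe = tempfile.mkstemp(prefix="qrestore_", dir=tmp)
        os.close(fd)
        os.unlink(probe)
    except OSError as e:
        return False, "temp directory not writable: %s (%s)" % (tmp, e)
    return True, tmp

def safe_restore(quarantined, original, remove_quarantined=True):
    # Copy, verify, then delete: the quarantined copy survives any failure.
    if not os.path.isfile(quarantined):
        return False, "quarantined file missing: " + quarantined
    if os.path.lexists(original):
        return False, "target already exists: " + original  # never overwrite
    target_dir = os.path.dirname(original)
    if not os.path.isdir(target_dir):
        return False, "target directory does not exist: " + target_dir
    ok, msg = check_temp_dir()
    if not ok:
        return False, msg
    # Stage inside the destination directory so the last step is a same-volume rename.
    fd, staged = tempfile.mkstemp(prefix=".restore_", dir=target_dir)
    os.close(fd)
    try:
        shutil.copy2(quarantined, staged)
        if sha256_of(staged) != sha256_of(quarantined):
            return False, "copy verification failed"
        os.replace(staged, original)
    finally:
        if os.path.exists(staged):
            os.unlink(staged)
    if remove_quarantined:
        os.unlink(quarantined)
    return True, "restored " + original
```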
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
ClamWin's support of scripting has been rather poor since version .95 when there was some sort of change in the Clam AV code that was not utilized by the ClamWin developers. I was preparing signatures for Clam AV then on behalf of ClamWin and was unable to use the command line in my analyses starting with that version.
Regards,
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Looks like the old Windows API used in Python 2.7 may be a problem here.
You can work around it by setting the %TEMP% environment var to something shorter, say c:\temp

ner0 wrote:
There is something seriously wrong with QRecover.