Hi there,

On Fri, 24 Jan 2020, Douglas Stinnette wrote:

> When Quarantine has a false positive how do you restore the file(s)?
ClamAV can be used in many different ways. We do not know how you are using ClamAV, so you need to tell us. You have not made clear which tool took the 'Quarantine' action, and how the action was configured. What is/was the affected file?

ClamAV can remove (delete) a file or, in some circumstances, move it to a quarantine location of your choice - this is most likely set in a configuration file somewhere. Tools other than ClamAV may also delete or move files based on the findings of a scan by ClamAV.

If a simple file was removed, you may need to go to your backups. If the file was moved to a different location, you need to find out to where it was moved. Then you can move it back, although (depending on the file) it might not be quite as simple as that because moving files or deleting them willy-nilly can badly damage a system. For example a database server is likely to get in a real mess if you move any of its data files without first stopping it, and unwise operations on things in some of the system directories can be challenging to recover from.

False positives are not at all rare, and sometimes I wonder if the inadvisable application of ClamAV might be doing as much damage to systems as is being done by the things which ClamAV actually finds.

Did you read the part in the documentation which (in BOLD) says "Be careful!"?

--
73,
Ged.
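As an added illustration of the "find out where it was moved, then move it back" step (not part of the original message and not ClamAV project code): the sketch below looks up a quarantined file's original path in a scan log and restores it only if nothing would be overwritten. It assumes the scan wrote a log whose move entries read `<original path>: moved to '<quarantine path>'`; the function names `original_path` and `restore_quarantined` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the e-mail or the ClamAV project).
# Assumption: the scan log records each move as
#   /original/path: moved to '/quarantine/dir/name'
# Check a real line from your own log before relying on this pattern.

# original_path LOG QFILE: print where QFILE lived before it was moved.
# If the log has several matching entries, the most recent one wins.
original_path() {
    Q="$2" awk '
        { m = ": moved to \047" ENVIRON["Q"] "\047"; i = index($0, m)
          if (i > 1 && i + length(m) - 1 == length($0))
              found = substr($0, 1, i - 1) }
        END { if (found == "") exit 1; print found }' "$1"
}

# restore_quarantined LOG QFILE: move QFILE back, never overwriting.
# Stop any service that owns the destination (e.g. a database) first.
restore_quarantined() {
    rq_log=$1 rq_file=$2
    if [ ! -f "$rq_file" ] || [ -L "$rq_file" ]; then
        echo "not a regular file: $rq_file" >&2; return 2
    fi
    rq_dest=$(original_path "$rq_log" "$rq_file") || {
        echo "no 'moved to' entry for $rq_file in $rq_log" >&2; return 3; }
    if [ -e "$rq_dest" ] || [ -L "$rq_dest" ]; then
        echo "refusing to overwrite existing $rq_dest" >&2; return 4
    fi
    if [ ! -d "$(dirname "$rq_dest")" ]; then
        echo "parent directory of $rq_dest is gone" >&2; return 5
    fi
    mv -- "$rq_file" "$rq_dest" && printf '%s\n' "$rq_dest"
}

# Usage: sh restore.sh SCAN_LOG QUARANTINED_FILE
if [ "$#" -eq 2 ]; then restore_quarantined "$1" "$2"; fi
```

The quarantine path passed in must match the path in the log entry exactly. Files that were deleted rather than moved leave no such entry and have to come from backups.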
