Hi GW,

Your response is very helpful.

You have directed me to learn how the config files are set up. We have it set up so quarantine will hold files for 30 days before deleting them. The definition is "Osx.Adware.TotalAdviseSearch-7489207-0 FOUND". A script was run remotely to whitelist this definition and to restore the file(s) from quarantine, which worked on about 700 systems. Now I am trying to learn how to address the remaining systems with the same issue.

Ok, once I know the location of quarantine then the file(s) are there. The scan logs show the location where the files were originally located, so looking at these will enable me to know where to get the files and move them back.

Thank you,
Doug

On Fri, Jan 24, 2020 at 10:28 AM G.W. Haywood via clamav-users <[email protected]> wrote:

> Hi there,
>
> On Fri, 24 Jan 2020, Douglas Stinnette wrote:
>
> > When Quarantine has a false positive how do you restore the file(s)?
>
> ClamAV can be used in many different ways. We do not know how you are
> using ClamAV, so you need to tell us. You have not made clear which
> tool took the 'Quarantine' action, and how the action was configured.
>
> What is/was the affected file?
>
> ClamAV can remove (delete) a file or, in some circumstances, move it
> to a quarantine location of your choice - this is most likely set in a
> configuration file somewhere. Tools other than ClamAV may also delete
> or move files based on the findings of a scan by ClamAV.
>
> If a simple file was removed, you may need to go to your backups.
>
> If the file was moved to a different location, you need to find out to
> where it was moved. Then you can move it back, although (depending on
> the file) it might not be quite as simple as that because moving files
> or deleting them willy-nilly can badly damage a system. For example a
> database server is likely to get in a real mess if you move any of its
> data files without first stopping it, and unwise operations on things
> in some of the system directories can be challenging to recover from.
>
> False positives are not at all rare, and sometimes I wonder if the
> inadvisable application of ClamAV might be doing as much damage to
> systems as is being done by the things which ClamAV actually finds.
> Did you read the part in the documentation which (in BOLD) says
>
> "Be careful!" ?
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

--
Douglas Stinnette
VCU Technology Services
Endpoint Security Specialist
Virginia Commonwealth University
827-0933

Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, Social Security number or confidential personal information. For more details visit http://go.vcu.edu/phishing or http://phishing.vcu.edu.
