Koozali.org: home of the SME Server

Clam

geoff
Clam
« on: February 13, 2016, 08:36:09 AM »
Clam has done its weekly sweep and has identified a whole lot of files on the SME Server as being infected with Win.Trojan.Bancos-2115 and shifted them to quarantine. I've checked several of the files with Malwarebytes and there is no issue with them, particularly as some of the files have been there for years.
Is there any quick way of returning these files to their original location other than 'unpicking' what Clam has done?
Needless to say, the weekly Clam is now disabled.

janet
Re: Clam
« Reply #1 on: February 13, 2016, 01:50:10 PM »
geoff

These are probably false positives. You can report it to the clam website.

I would suggest enabling the weekly scans, but disable the move to quarantine option.
That way your system is still scanned for viruses, but you do not get any disruption as falsely identified files will not be moved.
You can manually check anything that is reported in the weekly scan email.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Stefano
Re: Clam
« Reply #2 on: February 13, 2016, 03:52:24 PM »
you'd have something like

/home/e-smith/files/users/tania/Maildir/cur/1454327151.3861.server:2,ST: moved to '/var/spool/clamav/quarantine/1454327151.3861.server:2,ST'

in your email

You need to use the mail content (the lines with "moved to"): parse them, exchange source and destination and create a script that reverts the moving.
I guess you need to escape some chars too.
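A script along the lines Stefano describes, added here as an example (it is not from the thread or from the SME Server project): it reads a saved copy of the scan mail, keeps only the "moved to" lines, swaps source and destination and moves each file back. The script name, the report-file argument and the DRY_RUN variable are assumptions; the line format is the one quoted above.

```shell
#!/bin/bash
# Added example, not from the thread: undo the ClamAV quarantine moves listed
# in the weekly scan mail. Assumes each report line has exactly the form
#   <original path>: moved to '<quarantine path>'
# as in the line quoted above. DRY_RUN=1 only prints what would be moved.

MARK=": moved to '"

# Parse one report line into ORIG and QFILE. Returns 1 if the line is not a
# "moved to" line. Splits at the LAST marker so colons and commas inside
# Maildir file names (e.g. "...server:2,ST") survive untouched; no shell
# escaping of the paths is needed because they are only ever used quoted.
parse_quarantine_line() {
    line=$1
    rest=${line##*"$MARK"}            # text after the last marker
    [ "$rest" != "$line" ] || return 1
    ORIG=${line%"$MARK"*}             # text before the last marker
    QFILE=${rest%\'}                  # drop the closing quote
    [ -n "$ORIG" ] && [ -n "$QFILE" ]
}

# Walk a saved copy of the scan mail and move each file back. Never
# overwrites: if something already exists at the original path, or the
# quarantined copy is gone, the line is skipped and reported, so running
# the script twice is harmless.
restore_from_report() {
    report=$1; restored=0; skipped=0
    while IFS= read -r line; do
        parse_quarantine_line "$line" || continue
        if [ -e "$ORIG" ] || [ ! -e "$QFILE" ]; then
            echo "skip: '$QFILE' -> '$ORIG' (target exists or source missing)" >&2
            skipped=$((skipped + 1)); continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would move '$QFILE' -> '$ORIG'"
        else
            mkdir -p "$(dirname "$ORIG")" && mv -- "$QFILE" "$ORIG"
        fi
        restored=$((restored + 1))
    done < "$report"
    echo "$restored restored, $skipped skipped"
}

# Usage: DRY_RUN=1 ./unquarantine.sh saved_clam_report.txt, then again without DRY_RUN.
if [ $# -ge 1 ]; then
    restore_from_report "$1"
fi
```

Save the scan mail as plain text first; headers and other lines are ignored because only lines carrying the marker are parsed.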

geoff
Re: Clam
« Reply #3 on: February 14, 2016, 03:44:04 AM »
Thanks for your help. I'm running Hitman Pro and Malwarebytes on our PCs so I'll dispense with Clam on the Server - it did something similar to this a couple of years ago and it is just not worth the trouble.

Thanks again.

Daniel B.
Re: Clam
« Reply #4 on: February 14, 2016, 01:00:45 PM »
Here is a script I used a few years ago to revert quarantined files: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/divers/annuler_les_quarantaines_de_clam (hope it's still working, I haven't used it for ~4 years, and the log format might have changed)

Any AV software will have false positives from time to time unfortunately...
It's the end of the world!!! :lol: