Koozali.org: home of the SME Server

Recovering quarantined files from a ClamAV false positive panic.

Offline jwab

  • 9
  • +0/-0
Hi Guys

I'm running SME 7.1 and last Friday ClamAV decided to tag a shed load of files as infected with
Code:
Exploit.PDF-9669 FOUND
and promptly moved the tagged files to quarantine. Now this would have been fine if it was a real virus, but some googling came up with a dodgy ClamAV update.

So I've now got some 1000+ files moved from their homes in a vast multi-share, super deep folder structure sitting in quarantine, and they are perfectly fine.

Is there any way I can undo this move and make ClamAV put them back? Or is there a script I can run on the log and the quarantine folder to put them back? This will take me years to put the files back if I have to cp by hand!!

I hope someone can help me out.

Here is a snippet of the log

Code:
Scan started: Sat Jan  9 00:50:02 2010
/home/e-smith/files/ibays/executive/files/Uniform Sizes.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/Uniform Sizes.xlsx: moved to '/var/spool/clamav/quarantine//Uniform Sizes.xlsx'
/home/e-smith/files/ibays/executive/files/Mobile Phone No..xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/Mobile Phone No..xlsx: moved to '/var/spool/clamav/quarantine//Mobile Phone No..xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Redundancy Information/Grading -MASTER June 2009 - 1.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Redundancy Information/Grading -MASTER June 2009 - 1.xlsx: moved to '/var/spool/clamav/quarantine//Grading -MASTER June 2009 - 1.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Redundancy Information/Grading -MASTER June 2009.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Redundancy Information/Grading -MASTER June 2009.xlsx: moved to '/var/spool/clamav/quarantine//Grading -MASTER June 2009.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Current Employees/Andrew Lia/FW Student behaviour JTL1C.htm: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Current Employees/Andrew Lia/FW Student behaviour JTL1C.htm: moved to '/var/spool/clamav/quarantine//FW Student behaviour JTL1C.htm'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Sub-contractors/SubContractors.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Sub-contractors/SubContractors.xlsx: moved to '/var/spool/clamav/quarantine//SubContractors.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Leavers/Craig Rudge 07.08.09/Grading.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Leavers/Craig Rudge 07.08.09/Grading.xlsx: moved to '/var/spool/clamav/quarantine//Grading.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Leavers/Craig Rudge 07.08.09/Hours Overbooked.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Leavers/Craig Rudge 07.08.09/Hours Overbooked.xlsx: moved to '/var/spool/clamav/quarantine//Hours Overbooked.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Annual Bonus Figures/Staff List.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Annual Bonus Figures/Staff List.xlsx: moved to '/var/spool/clamav/quarantine//Staff List.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/ [SPAM_]_  electrician mate.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/ [SPAM_]_  electrician mate.eml: moved to '/var/spool/clamav/quarantine// [SPAM_]_  electrician mate.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Vacancy query (1).eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Vacancy query (1).eml: moved to '/var/spool/clamav/quarantine//Vacancy query (1).eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/RE_ CAT5_Telecoms.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/RE_ CAT5_Telecoms.eml: moved to '/var/spool/clamav/quarantine//RE_ CAT5_Telecoms.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Application form.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Application form.eml: moved to '/var/spool/clamav/quarantine//Application form.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Electricians mate vacancy.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Electricians mate vacancy.eml: moved to '/var/spool/clamav/quarantine//Electricians mate vacancy.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/FW_ .eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/FW_ .eml: moved to '/var/spool/clamav/quarantine//FW_ .eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/For attention of Susanne Morris; Electrician CFB_101379 .eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/For attention of Susanne Morris; Electrician CFB_101379 .eml: moved to '/var/spool/clamav/quarantine//For attention of Susanne Morris; Electrician CFB_101379 .eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Hi, I'm Looking for work..eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Hi, I'm Looking for work..eml: moved to '/var/spool/clamav/quarantine//Hi, I'm Looking for work..eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/ [SPAM_]_  apprentiships.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/ [SPAM_]_  apprentiships.eml: moved to '/var/spool/clamav/quarantine// [SPAM_]_  apprentiships.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Stuart Harris cv.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Stuart Harris cv.eml: moved to '/var/spool/clamav/quarantine//Stuart Harris cv.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/cv.eml: Exploit.PDF-9669 FOUND
« Last Edit: January 11, 2010, 07:20:49 PM by jwab »

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #1 on: January 11, 2010, 07:37:07 PM »
Hi Guys

I'm running SME 7.1

you are running a pretty old, unsupported and (possibly) insecure version of SME, so you should upgrade ASAP to 7.4

Quote
and last Friday ClamAV decided to tag a shed load of files as infected with
Code:
Exploit.PDF-9669 FOUND.....

in the logs you posted you have a possible solution: you'd write a shell script to do a cp from the quarantine folder to the original directory.. if you search with Google you'll find a lot of solutions..

some hints:
- the interesting lines have the ": moved to " text (so grep for it)
- you can use (AFAIR) ": moved to " with awk to split your lines
- as a test, instead of using cp/mv, use "echo $2 $1" to verify the syntax
- you have many spaces in your paths/filenames: you have to replace them with "\ "

HTH

Offline jwab

  • 9
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #2 on: January 11, 2010, 08:57:34 PM »
Thanks for the reply. I guessed as much, I'd have to write a script. Sadly my bash is very poor; it's gonna be a mega learning curve.

Was hoping there would be some shortcut in the contrib.

Will upgrade to 7.4 once I've sorted this out.

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #3 on: January 11, 2010, 10:40:52 PM »
hi..

<DISCLAIMER>
I've not tested it on live data.. so be careful
</DISCLAIMER>

first of all we need to create a list of moved files:
Code:
cd /root
grep ': moved to ' your_log_files > mylog1.txt

then create a file with
Code:
pico restore_file.pl

and fill it with this
Code:
#!/usr/bin/perl

open (FILE, './mytest1.log');

while (<FILE>)
{
   if (/(.*)(: moved to )(.*)/)
   {
      my $t3 = $3;
      my $t1 = $1;
      $t3 =~ s/^'//;
      $t3 =~ s/'$//;
      my $stringa = $t3."\t".$t1;
      $stringa =~ s/ /\\ /g;
      $stringa =~ s/'/\\'/g;
      $stringa =~ s/\(/\\\(/g;
      $stringa =~ s/\)/\\\)/g;
      print 'cp '.$stringa."\n";
      system($stringa);
   }
}
close (FILE);

save, give it execute permission with
Code:
chmod +x restore_file.pl

then run with
Code:
./restore_file.pl

be careful, you could have some errors because of strange characters in the files' names..

I repeat: I did not test it much, and I'm sure that it could be written in a better way

Offline jwab

  • 9
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #4 on: January 11, 2010, 11:42:57 PM »
Thanks for the help Stefano, I'll give it a crack tomorrow.

Offline jwab

  • 9
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #5 on: January 12, 2010, 03:31:56 PM »
Code:
#!/usr/bin/perl

open (FILE, './mytest1.log');

while (<FILE>)
{
   if (/(.*)(: moved to )(.*)/)
   {
      my $t3 = $3;
      my $t1 = $1;
      $t3 =~ s/^'//;
      $t3 =~ s/'$//;
      my $stringa = $t3."\t".$t1;
      $stringa =~ s/ /\\ /g;
      $stringa =~ s/'/\\'/g;
      $stringa =~ s/\(/\\\(/g;
      $stringa =~ s/\)/\\\)/g;
      print 'cp '.$stringa."\n";
      system($stringa);
   }
}
close (FILE);

Stefano, could you comment this a bit so I know what's going on? I ran it, but changed the following

Code:
#print 'cp '.$stringa."\n";
#system($stringa);
echo $stringa

I assumed this would just echo out what it was working $stringa out to be, so I could verify that if I stuck in the cp command it would be doing the correct thing. But when it runs I get no output. I assume I'm doing something wrong, or the routine you kindly wrote for me is not working?

« Last Edit: January 12, 2010, 03:36:35 PM by jwab »

Offline goniol1

  • 4
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #6 on: January 12, 2010, 04:02:49 PM »
Hi,
I have the same problem with this fu* false positive virus. I'll try your script, but I have an error:
readline() on closed filehandle FILE at restore_file.pl line
What's going wrong?
Thanks for your help

Offline goniol1

  • 4
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #7 on: January 12, 2010, 04:18:14 PM »
I answer myself: please open your eyes! mylog1.txt and './mytest1.log' are not the same file.
Let's have a long drink, and take a long deep breath.
So the show must go on; I'll continue and tell you if it works.

Offline goniol1

  • 4
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #8 on: January 12, 2010, 07:15:35 PM »
Here is the result: everything goes well except file rights; I'll try with the -p option.
Code:
grep ': moved to ' files.log > mylog1.log

Code:
#!/usr/bin/perl
use strict;
use warnings;

# mylog1.log holds only the ': moved to ' lines grepped out of the scan log
open (FILE, '<', './mylog1.log') or die "cannot open ./mylog1.log: $!";

while (<FILE>)
{
   if (/(.*)(: moved to )(.*)/)
   {
      # $t3 is where clamscan put the file, $t1 is where it took it from
      my $t3 = $3;
      my $t1 = $1;
      # strip the quotes clamscan writes around the quarantine path
      $t3 =~ s/^'//;
      $t3 =~ s/'$//;
      print "cp -p '$t3' '$t1'\n";
      # list form of system(): no shell in between, so spaces, quotes, (),
      # ; and [] in the file names need no escaping and cannot be run as
      # commands; -p keeps mode, owner and timestamps (owner only as root)
      system('cp', '-p', '--', $t3, $t1) == 0
         or warn "cp failed for '$t3': $?\n";
   }
}
close (FILE);
« Last Edit: January 13, 2010, 08:07:41 AM by goniol1 »

Offline tropicalview

  • ****
  • 196
  • +0/-0
    • http://www.tropicalview.net
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #9 on: January 12, 2010, 08:22:57 PM »
Hi,
I had the same problem (with a completely updated server, btw).

I have dar2 backups from Friday; is it possible to do a disaster recovery over the current files??

Kind regards
The sky is not the limit, But when I reach the sky, for sure I will not try to go to the limit.... (donated $25,- upto now)

Offline jwab

  • 9
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #10 on: January 13, 2010, 11:46:04 AM »
Well, I took the plunge, mixed results. Some files were copied over, many not. Probably due to the silly file names and spaces causing trouble.

Here is a sample of the output.

Code:
sh: /var/spool/clamav/quarantine//RVWConsultimg0707.xlsx: cannot execute binary file
cp /var/spool/clamav/quarantine//RVWConsultimg280708.xlsx       /home/e-smith/files/ibays/general/files/PAT\ Testing/RVW\ Consulting/RVWConsultimg280708.xlsx
sh: /var/spool/clamav/quarantine//RVWConsultimg280708.xlsx: cannot execute binary file
cp /var/spool/clamav/quarantine//RVWConsultimg070809.xlsx       /home/e-smith/files/ibays/general/files/PAT\ Testing/RVW\ Consulting/RVWConsultimg070809.xlsx
sh: /var/spool/clamav/quarantine//RVWConsultimg070809.xlsx: cannot execute binary file
cp /var/spool/clamav/quarantine//Caravanclub0608.xlsx   /home/e-smith/files/ibays/general/files/PAT\ Testing/Caravan\ Club/Caravanclub0608.xlsx
sh: /var/spool/clamav/quarantine//Caravanclub0608.xlsx: cannot execute binary file
cp /var/spool/clamav/quarantine//Caravanclub0607.xlsx   /home/e-smith/files/ibays/general/files/PAT\ Testing/Caravan\ Club/Caravanclub0607.xlsx
sh: /var/spool/clamav/quarantine//Caravanclub0607.xlsx: cannot execute binary file
cp /var/spool/clamav/quarantine//PAT\ 28.08.09.xlsx     /home/e-smith/files/ibays/general/files/PAT\ Testing/Euranglo\ -Southgate\ Hse/PAT\ 28.08.09.xlsx
sh: /var/spool/clamav/quarantine//PAT 28.08.09.xlsx: cannot execute binary file
cp /var/spool/clamav/quarantine//PAT\ 04.01.2010.xlsx   /home/e-smith/files/ibays/general/files/PAT\ Testing/Euranglo\ -Southgate\ Hse/PAT\ 04.01.2010.xlsx
sh: /var/spool/clamav/quarantine//PAT 04.01.2010.xlsx: cannot execute binary file
cp /var/spool/clamav/quarantine//EPA-Ltd0807.xlsx       /home/e-smith/files/ibays/general/files/PAT\ Testing/INACTIVE/EPA/EPA-Ltd0807.xlsx
sh: /var/spool/clamav/quarantine//EPA-Ltd0807.xlsx: cannot execute binary file
cp /var/spool/clamav/quarantine//CardiffMuslimPrimary0807.xlsx  /home/e-smith/files/ibays/general/files/PAT\ Testing/INACTIVE/Cardiff\ Muslim\ School/CardiffMuslimPrimary0807.xlsx

I'm not sure why it issues the sh: command after each cp? I presume that has something to do with the
Code:
system($stringa);
command. I have no idea of its purpose. Could someone enlighten me?


Offline goniol1

  • 4
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #11 on: January 13, 2010, 12:14:09 PM »
Are you using Stefano's original code or the code I've modified?

Offline jwab

  • 9
  • +0/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #12 on: January 13, 2010, 01:03:15 PM »
Stefano's. I'll try yours. As I'm not knowledgeable on bash scripting, I'd be grateful if you could comment the lines to explain what's going on? Thanks in advance.

Offline tropicalview

  • ****
  • 196
  • +0/-0
    • http://www.tropicalview.net
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #13 on: January 13, 2010, 01:35:57 PM »
Hi,

As I said before, I have the same problem.
I'm afraid the solution with the copy script will only solve half the problem, because once the files are back in place the access rights and owners are not set as they should be (I think that will cause login problems with roaming profiles and users that cannot access their own files).

Therefore I would like to restore the dar2 backup from last Friday, but is it possible to run the restore over the current data?
Will it then replace all the data? Will it just add the missing files? Or will the process just die when it hits existing data??


Kind regards

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: Recovering quarantined files from a ClamAV false positive panic.
« Reply #14 on: January 13, 2010, 02:31:51 PM »
Stefano's I'll try yours. As i'm not knowledgable on bash scripting I'd be grateful if you could comment the lines to explain whats going on? Thanks in advance.

Hi.. here I am

Code:
#!/usr/bin/perl

# open the file with the ': moved to ' lines
open (FILE, './mytest1.log');

# loop through the lines
while (<FILE>)
{
   if (/(.*)(: moved to )(.*)/)
   {
      # store "source" (quarantine path) and "destination" (original path) in 2 new variables
      my $t3 = $3;
      my $t1 = $1;
      # in the source, remove the ' character at the beginning
      $t3 =~ s/^'//;
      # again, remove the ' character at the end
      $t3 =~ s/'$//;
      # concatenate source and destination, separated by a tab
      my $stringa = $t3."\t".$t1;
      # replace all spaces " " with "\ "
      $stringa =~ s/ /\\ /g;
      # replace all ' with \'
      $stringa =~ s/'/\\'/g;
      # replace all ( with \(
      $stringa =~ s/\(/\\\(/g;
      # replace all ) with \)
      $stringa =~ s/\)/\\\)/g;
      # print the resulting line with "cp " at the beginning
      print 'cp '.$stringa."\n";
      # call and execute the same command: the "cp " must be part of it, otherwise
      # the shell is handed the quarantined file itself and tries to run it
      # comment this line out with # for a first dry run that only prints
      system('cp '.$stringa);
   }
}
close (FILE);

HTH
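Added example, not code from any post above. It is the tool this thread converged on (Stefano's script in replies #3 and #14, goniol1's cp -p version in reply #8) written so that the two problems reported along the way cannot happen. The "sh: ...: cannot execute binary file" lines in reply #10 come from system($stringa) being handed the bare quarantine path with no "cp " in front, so the shell tried to execute the spreadsheet itself. And escaping spaces, quotes and parentheses is not enough once a name contains ";" or "[ ]" (the "For attention of Susanne Morris; Electrician ..." file in the log), because the shell still parses the string. In this Python 3 version a file name never reaches a shell, nothing is copied unless asked, an existing file at the original location is never overwritten, and log lines that map two originals onto one quarantine name (two Grading.xlsx) are skipped rather than guessed. The log line format is taken from jwab's post; SAMPLE_LOG and demo() are constructed for the example.

```python
"""Put files that clamscan --move sent to quarantine back where the scan log
says they came from.  Added example, not code from the thread; it assumes the
log line format jwab posted:  <original path>: moved to '<quarantine path>'
No file name is ever handed to a shell, so the spaces, quotes, parentheses,
semicolons and [brackets] in the thread's names need no escaping at all.
"""
import os
import re
import shutil
import sys
import tempfile

# greedy first group: the original path may itself contain ":" or "'"
MOVED = re.compile(r"^(.*): moved to '(.*)'$")

def parse_moved_lines(lines):
    """Yield (quarantine_path, original_path) for each 'moved to' line."""
    for line in lines:
        m = MOVED.match(line.rstrip("\n"))
        if m:
            yield m.group(2), m.group(1)

def find_ambiguous(entries):
    """Quarantine paths claimed by more than one log line: clamscan names the
    copy after the basename, so two Grading.xlsx from different folders collide
    and the log alone cannot say which original the one file belongs to."""
    seen = {}
    for src, _ in entries:
        seen[src] = seen.get(src, 0) + 1
    return {src for src, n in seen.items() if n > 1}

def restore(entries, dry_run=True, overwrite=False):
    """Copy each quarantined file back; returns a dict of counts.  The quarantine
    copy stays (cp, not mv, as in the thread) so the result can be checked first.
    Owner/group are copied as well as mode and timestamps; that needs root."""
    counts = {"restored": 0, "ambiguous": 0, "missing": 0, "exists": 0, "failed": 0}
    ambiguous = find_ambiguous(entries)
    for src, dst in entries:
        if src in ambiguous:
            counts["ambiguous"] += 1   # leave these for a human to sort out
            continue
        if not os.path.isfile(src):
            counts["missing"] += 1     # already restored, or a later scan moved it again
            continue
        if os.path.exists(dst) and not overwrite:
            counts["exists"] += 1      # never silently clobber whatever is there now
            continue
        if dry_run:
            print("would copy %r -> %r" % (src, dst))
            counts["restored"] += 1
            continue
        try:
            # no makedirs: a folder recreated here would get the wrong owner/group
            shutil.copy2(src, dst)
            st = os.stat(src)
            try:
                os.chown(dst, st.st_uid, st.st_gid)
            except PermissionError:
                print("warning: owner not restored for %r (run as root)" % dst, file=sys.stderr)
            counts["restored"] += 1
        except OSError as exc:
            print("failed: %r: %s" % (dst, exc), file=sys.stderr)
            counts["failed"] += 1
    return counts

# Constructed sample log in clamscan's format (not the real thread log); {root}
# is filled in by demo() so the example runs in a scratch directory.
SAMPLE_LOG = """\
Scan started: Sat Jan  9 00:50:02 2010
{root}/ibays/executive/files/Uniform Sizes.xlsx: Exploit.PDF-9669 FOUND
{root}/ibays/executive/files/Uniform Sizes.xlsx: moved to '{root}/quarantine//Uniform Sizes.xlsx'
{root}/ibays/executive/files/CV's and Applications/Vacancy query (1).eml: moved to '{root}/quarantine//Vacancy query (1).eml'
{root}/ibays/executive/files/CV's and Applications/Attn Morris; Electrician [SPAM_].eml: moved to '{root}/quarantine//Attn Morris; Electrician [SPAM_].eml'
{root}/ibays/executive/files/Leavers/A/Grading.xlsx: moved to '{root}/quarantine//Grading.xlsx'
{root}/ibays/executive/files/Leavers/B/Grading.xlsx: moved to '{root}/quarantine//Grading.xlsx'
"""

def demo():
    """Build a scratch quarantine from SAMPLE_LOG, dry-run, then really restore.
    Returns (dry_run_counts, real_counts, {original_path: is back on disk})."""
    root = tempfile.mkdtemp(prefix="clamq-")
    entries = list(parse_moved_lines(SAMPLE_LOG.format(root=root).splitlines()))
    for src, dst in entries:
        os.makedirs(os.path.dirname(dst), exist_ok=True)   # --move leaves folders behind
        os.makedirs(os.path.dirname(src), exist_ok=True)
        with open(src, "w") as fh:
            fh.write("contents of " + os.path.basename(dst))
    dry = restore(entries, dry_run=True)
    real = restore(entries, dry_run=False)
    back = {dst: os.path.isfile(dst) for _, dst in entries}
    shutil.rmtree(root)
    return dry, real, back

if __name__ == "__main__":
    # usage: restore_quarantine.py clamscan.log [--apply] [--overwrite]; no log file runs demo()
    if len(sys.argv) < 2:
        print(demo())
    else:
        with open(sys.argv[1], errors="surrogateescape") as fh:
            found = list(parse_moved_lines(fh))
        print(restore(found, dry_run="--apply" not in sys.argv, overwrite="--overwrite" in sys.argv))
```

Run it with the scan log (or the grepped mylog1.txt) as the only argument for a dry run that prints what it would do, add --apply to actually copy, and --overwrite only if you have checked what is currently at the original paths. Run it as root so the owner and group come back with the file, which is the half of the problem tropicalview raised; without root the files are copied and a warning is printed for each one whose owner could not be restored. With no argument it runs demo() in a temporary directory and prints the counts.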