cyber_funk

Deleted Quarantine files without permission


I'm using Immunet on Windows with ClamAV.
After my last scan I picked up around 80-something threats. Some of these were put into quarantine and likely were threats, however some were listed as "deleted quarantine file" with a broken file name and no path telling me what it originally was; I don't even know what folder it was in. So now I basically have to rebuild my entire library from scratch on my archive drive if I can't undo this, which would be a multi-week nightmare of a project for me, and I simply don't have the time with classes just starting for me.

Is there any way to get these files back, or at least prevent Immunet from deleting things from my computer without permission?

Interesting bug. I reached out to cyber_funk for a support dump, but off the top of my head there are 2 reasons Immunet might show this message.

I'll start with what is probably the most important thing to you: unfortunately no, once Immunet has deleted a file from quarantine there is no easy way to recover it.

That said, I can think of 3 possible ways to end up showing this message:

- Immunet auto-deletes quarantined files after 30 days to save disk space, the reasoning being that it was a legitimate malware detection and you don't want that file hanging around your computer, and if you didn't restore the file within 30 days you probably didn't care about it anyway. However, Immunet handles these cases and displays a different UI dialog than the one in the screenshot you posted.

- Some other AV program (or a space-conscious, well-meaning user) manually deleted the file from c:\programfiles\immunet\quarantine.

- The file in question was detected in memory and quarantined before it hit the disk (i.e. whatever program was about to create the file was terminated before the file could be saved).

Does "USA,Europe" look like a legitimate filename or path you might have created or saved to at some point?


It was a ROM file for an emulator; it only listed what was in the parentheses in the file name for some reason, so I can't figure out what I need to replace, or even for what system, meaning I will need to rebuild my entire archive again. No other antivirus was running and no one else used this computer (I live alone and I ran the scan while I was asleep, and woke up to this mess).

Even assuming the ROM file was compromised and was hiding malicious code, it cannot execute it on its own. Even still, I'd like to have been able to find out what I need to replace, and that's seemingly impossible now. It won't even list half of the things it quarantined because the list glitches out halfway through scrolling.

I will probably need to start my entire 40TB archive from scratch because of this; this is very serious for me. I probably won't even remember or find some of the things that may or may not have been deleted without my consent. It won't even list the scan history, and says I've never scanned my PC...


Hello cyber_funk,

I myself find it distressing that you ran into this situation. I could see where replacing 40 terabytes of data would be a time-consuming process indeed! That's a plethora of code!

Something I do on a regular basis and endorse: always, always, ALWAYS back up critical data externally if possible, just in case!


Just a quick note: once or twice (but very rarely) I've had Immunet quarantine a file, and upon attempting to restore it, Immunet has simply responded with "Restore failed", and the file is seemingly gone forever. I think sometimes Immunet's history database gets corrupted. I've not worked out whether this is some sort of failed quarantine, or whether the history files get a bit corrupted at some point afterwards, preventing restoration. Like I say, it's very rare. I think it's only ever happened to me twice, and that's in all the time since the pre-ClamAV cloud-only version (pre version 2.0), so it'd be difficult to replicate.

I think the correct behaviour when "ask me" is selected in the GUI should be to block access to the file (to keep the system safe) and immediately open a dialogue box ("quarantine the file?", yes/no). The file should only be moved to quarantine after the user has clicked "yes". The current method is automatic quarantine, which necessitates restoration of false positives, which leads to data loss when an error occurs.


The "Restore failed" response you mentioned, zombunny2, can happen if the file in question was a quarantined third-party software "temp" file that gets automatically deleted by the program once it's closed. So in that situation there is no longer a file to restore.

Personally I have "Ask Me" enabled for both Quarantine Behavior settings so I can be the one to decide what to do. I think most technically savvy computer users could get away with using these Ask Me settings, but I would recommend a novice computer user leave the default automatic settings enabled.
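The thread leaves two practical gaps: the quarantine entry kept only a fragment of the file name with no path, and nothing else on the archive drive recorded what had been there, so the poster cannot even tell which files to replace. The following is an added example, not code from the original posts or from Immunet: a Python script that builds a manifest of an archive tree (relative path, size, SHA-256), stores it as JSON, and later diffs it against the current tree so that any file removed or altered by a scanner, a failed restore, or anything else can be named exactly. The directory layout, file names and contents in the demo are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte archive files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its size and SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def save_manifest(manifest, manifest_path):
    # Keep the manifest off the archive drive itself (external disk, cloud, etc.)
    # so the inventory survives whatever happens to the archive.
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def diff_manifests(baseline, current):
    """Name files that vanished, appeared, or whose content hash changed since the baseline."""
    missing = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    changed = sorted(
        name
        for name in set(baseline) & set(current)
        if baseline[name]["sha256"] != current[name]["sha256"]
    )
    return {"missing": missing, "added": added, "changed": changed}


def demo():
    """Constructed scenario: take a baseline, then lose one file and alter another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "archive"
        (root / "snes").mkdir(parents=True)
        # Constructed sample files standing in for an emulator ROM collection.
        (root / "snes" / "game_a (USA,Europe).sfc").write_bytes(b"A" * 64)
        (root / "snes" / "game_b (Japan).sfc").write_bytes(b"B" * 64)

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)

        # Simulate a scanner removing one file and something modifying another.
        (root / "snes" / "game_a (USA,Europe).sfc").unlink()
        with open(root / "snes" / "game_b (Japan).sfc", "ab") as handle:
            handle.write(b"patched")

        report = diff_manifests(load_manifest(manifest_path), build_manifest(root))
        return report


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}:")
        for name in names:
            print(f"  {name}")
```

Run `build_manifest` and `save_manifest` once against the archive while it is known good, and re-run `diff_manifests` whenever a scanner reports quarantines or deletions; the `missing` list gives the full relative path of each file to replace, and a `changed` entry flags content that no longer matches the recorded hash. Hashing 40 TB takes time, so in practice the baseline would be refreshed incrementally rather than rebuilt on every check.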
